ForgeRock’s Eve Maler provides valuable insights into how FIs can harness the power of embedded finance to enhance their security measures and deliver exceptional customer service.
At the European Identity and Cloud Conference 2023 (EIC 2023), I had the privilege of immersing myself in the world of identity and access management. The conference brought together experts, pioneers, and thought leaders in this field, offering a wealth of knowledge and insights on technology, standards, regulations, and more.
Among the remarkable attendees was Eve Maler, Chief Technology Officer at ForgeRock, a warm and knowledgeable professional who made our conversation truly delightful. Not only did we delve into technical topics, but we also took the time to discover each other's hobbies and share fun facts. Let's explore some interesting tidbits about Eve: her favourite colours are leaf green and plum, which she believes complement each other beautifully. She grew up in Honolulu, adding a touch of tropical allure to her background. Moreover, Eve's passion for music shines through as she plays instruments and lends her voice to the band ‘ZZ Auth and the Love Tokens’, showcasing the harmonious blend of creativity, music, and technology.
After touching on her personal life, our discussion gradually shifted to her professional life. Here is what she told me about herself and how she became passionate about working on topics such as identity and identity management.
I have been involved in shaping the fundamental layers of security, privacy, and identity on the web since around 2000. It has been a journey rooted in understanding the importance of identifying and knowing users in the online realm.
When I began my journey, there was no clear concept or definition associated with digital identity. My background initially revolved around technical documentation, specifically editing software documentation at Digital Equipment Corporation, which no longer exists. This led me to develop an interest in markup* and delve into SGML, an international standard for markup languages. SGML eventually gave rise to XML, the eXtensible Markup Language widely used in machine-to-machine communications for web interactions. As my expertise in software protocol design grew, I became known as an authority in the field. I was approached by an organisation looking to explore the concept of identity, an area I had previously worked on with SAML, the Security Assertion Markup Language.
The objective was to enable users to log into one website and seamlessly access others, improving web navigation efficiency. This was accomplished through the introduction of Single Sign-On (SSO), an authentication method that allows users to authenticate across multiple apps and websites using a single set of credentials. SSO became the widely recognised and secure standard for achieving this goal.
From my perspective, embedded finance serves as an intriguing parallel to the concept I previously described. In embedded finance, users trust external financial institutions or payment mechanisms to handle transactions on their behalf. SSO resembles the scenario where users navigate to another platform to arrange a payment and then return seamlessly. This reliance on external entities for financial transactions has paved the way for passwordless experiences, extending beyond the traditional guest checkout process. The driving force behind these advancements lies in the adoption of standards and APIs, which have proven to be unexpectedly powerful. Recent estimates suggest that implementing embedded finance mechanisms can potentially generate up to five times the revenue from a single customer. This signifies its role as both a facilitator of business growth and an enabler of seamless user experiences.
Interestingly, the realms of identity and finance are intricately intertwined, almost like fraternal twins. Identity verification and payment authentication are crucial components within this framework.
When I mention that embedded finance plays a significant role in enabling these passwordless experiences, specific situations come to mind. For example, retailers often introduce friction and user experience barriers when they try to persuade customers to make a purchase and deepen their relationship by requiring them to register for an account. Customer conversion is a crucial factor, and retailers must prioritise meeting their customers' needs to establish a profitable and fruitful relationship.
If retailers incorporate a user-friendly payment method aligned with the customer's preferences, it effectively mirrors the functionality of single sign-on. This means that users engage with the financial institution in an embedded manner, interacting with them to authorise payments. By doing so, retailers can have confidence that customers will return, while also gaining valuable insights about them in addition to recognising revenue.
Passwordless is currently a popular buzzword but lacks a precise definition. We did a lot of work to sort out the definitions. Chief information security officers tend to approach this term with scepticism because they understand the abundance of secrets and passwords scattered throughout IT systems. Therefore, our goal was to find a clearer and more accurate approach. In the context of passwordless authentication, it is worth noting that some methods may still involve a knowledge-based element, requiring users to know, type, and choose a password, particularly when used as a second factor alongside a username and password. However, the objective is to move away from solely relying on passwords. While multi-factor authentication that involves both a password and a passwordless method can enhance security, it often fails to improve the overall user experience. It is important to consider the user's entire journey when assessing the effectiveness of passwordless authentication. Users do not evaluate the authentication process in fragmented parts, labelling some aspects as passwordless and others as password-based. Instead, they expect a seamless and user-friendly experience, while businesses should strive for increased security. This initial step in achieving passwordless authentication represents a positive advancement, especially for organisations that can implement it, but there is still room for improvement.
To ensure easy and secure customer journeys, a significant advancement lies in the concept of complete passwordless authentication. This approach eliminates the need for users to create, type, choose, remember, or risk losing passwords because there never was one in the first place. The power of this passwordless paradigm is particularly evident in the realm of embedded finance, where it not only enables seamless payments but also provides businesses with valuable customer information.
Initially, identity solutions were primarily seen to address risks such as breaches and compliance. Financial institutions, like others, face numerous challenges in this regard. ForgeRock's identity breach report reveals that financial institutions have made progress in reducing breach risk based on last year's data. One theory behind this improvement is that lessons learned from the Open Banking world have positively influenced the security measures implemented by financial institutions. This addresses the risk aspect. On the other hand, enhancing business growth involves removing friction, which directly or indirectly impacts the top line.
To achieve digital transformation goals, financial institutions require seamless processes and agile development of applications. But the individuals responsible for developing these solutions may not be experts in the latest protective techniques or standards that minimise friction. This is where identity solutions excel, as they continually address these challenges. The FIDO2 standard, for instance, can be applied to comply with PSD2 requirements.
In considering the end user's experience, ForgeRock emphasises the importance of orchestration, which they refer to as Trees. This approach involves creating branching paths and using drag-and-drop functionalities to optimise the user experience and mitigate fraud risks. Strong customer authentication is guided not only by technical standards like FIDO2 but also by framework standards that assess the level of familiarity with the user.
Privacy
The concept of privacy is currently at a fascinating stage. Although I'm not a lawyer myself, I have had the opportunity to collaborate with creative legal minds and gain insights into this area. When I founded the User-Managed Access (UMA) standard, privacy as people think of it today was not our primary focus. Still, UMA has evolved into an invaluable tool for empowering individuals, aligning with ForgeRock's mission to facilitate secure and straightforward access to the connected world. Privacy encompasses more than mere compliance; it embodies a positive vision of control.
For instance, when examining the General Data Protection Regulation (GDPR) in Europe, data protection is employed as a term that represents the essence of privacy. However, privacy goes beyond preventing accidental data exposure; it is about enabling individuals to selectively share their information, which is precisely what UMA facilitates. Transparency is another essential aspect, involving informing individuals about what information is known about them and why it is needed. The final layer involves granting individuals control over their data. Organisations seeking to establish trusted digital relationships must be willing to reciprocate by providing individuals with these elements. GDPR, with its comprehensive requirements around consent, has played a role in pushing for greater transparency and control. Privacy, akin to antitrust and consumer protection, converges with zero trust security, Open Banking, and the notion of granting individuals choice in data and account portability.
Moreover, privacy intersects with ethics in AI, biometrics, and age verification. The regulatory landscape is witnessing an increase in regulations that incorporate privacy without being solely focused on privacy itself, a trend that is poised to continue.
Turning a car into a digital wallet
The concept of transforming a car into a digital wallet is truly intriguing. One fascinating idea we have explored is the integration of an identity and payment wallet within a car. We have conducted proof-of-concept projects to test this concept and assess its potential. It holds significant promise, particularly in addressing the challenge of multiple drivers and ensuring the proper delegation of wallet access. Various financial and identity standards, such as the Financial-grade API (FAPI), have played a crucial role in defining solutions in this area. FAPI exemplifies the high level of security required for financial transactions, and its adoption extends beyond the financial industry, making it a beneficial concept for diverse sectors. The adoption of FAPI and similar standards is growing steadily as their value becomes increasingly recognised.
I had a wonderful time reconnecting with old acquaintances and making new connections. I was part of a surprise panel, and the thing that caught my attention was focused on AI, which is undoubtedly a hot topic now. We delved into how different types of AI can enhance identity and access management, as well as identity governance and administration, in areas where risks often originate and cause issues. The insights shared by others were truly valuable, offering practical suggestions and highlighting potential pitfalls.
At ForgeRock, we have developed AI solutions that ensure that the appropriate access entitlements are granted for sensitive data. We also leverage AI to streamline user journeys and incorporate various risk signals, allowing for seamless authentication experiences that don't compromise security.
A key takeaway from the discussions was the importance of making AI explainable. This involves making the business processes auditable and providing individuals with a level of comfort when they encounter AI-driven conclusions or recommendations. Explainable AI, sometimes referred to as XAI, is an ethical approach that guides our AI practices. While it may limit certain choices, understanding the reasoning behind recommendations and decisions is crucial as we navigate this rapidly evolving landscape.
Our discussion on (generative) AI and identity and access management was incredibly enriching, and Eve's expertise was impressive. Although EIC Day 3 was ending and our recording had to conclude, we both shared the sentiment that reconnecting is necessary. I am excited to fulfil my promise of Romanian chocolate, and I eagerly anticipate experiencing Eve's music through a small sample she promised to reveal.
This interview was recorded during the European Identity and Cloud Conference 2023 (EIC 2023). To delve deeper into the event and gain a comprehensive overview, we invite you to explore our detailed event summary.
* Markup language is a text-encoding system consisting of a set of symbols inserted in a text document to control its structure, formatting, or the relationship between its parts. Markup is often used to control the display of the document or to enrich its content to facilitate automated processing. A markup language is a set of rules governing what markup information may be included in a document and how it is combined with the content of the document in a way to facilitate use by humans and computer programs.
Source: Wikipedia
About Eve Maler
Eve Maler is a globally recognized strategist, innovator, and communicator on digital identity, security, privacy, and consent, with a passion for fostering successful ecosystems and individual empowerment. Eve has more than 20 years of experience innovating and leading standards such as SAML and User-Managed Access (UMA), and has also served as a Forrester Research security and risk analyst. She leads the ForgeRock Labs team investigating and prototyping innovative approaches to solving customers’ identity challenges, along with driving ForgeRock’s industry standards leadership.
LinkedIn: https://www.linkedin.com/in/evemaler/
About ForgeRock
ForgeRock® (NYSE: FORG) is a global digital identity leader helping people simply and safely access the connected world. The ForgeRock Identity Platform delivers enterprise-grade identity solutions at scale for customers, employees, and connected devices. More than 1,300 organizations depend on ForgeRock’s comprehensive platform to manage and secure identities with identity orchestration, dynamic access controls, governance, and APIs in any cloud or hybrid environment.