Late last year, Canada’s largest financial institutions teamed up with authentication provider SecureKey to roll out an innovative digital identity network that would solve some of the authentication challenges facing Canadians. Payments Canada had the opportunity to speak to Greg Wolfond, founder of SecureKey and keynote speaker at The SUMMIT, about collaboration as a driving force behind the launch of the product later this year, the state of the digital ID space in Canada and where payments and digital ID collide.
Q: What’s wrong with how we currently do authentication? What’s driving innovation in this space?
Cyber fraud is rising, and the bad guys are getting really good at getting answers to knowledge-based questions that are meant to protect you and your passwords. On the other hand, plastic cards, like driver’s licenses, are easy to clone and copy. Generally, we have a weak system of identity. So, how do we make it easier for customers to prove they are who they say they are - all the while making it harder for the bad guys to duplicate or steal that data?
It takes more than a “digital ID.” Canadians need a frictionless experience whether they are online, talking to a call centre or in person at a branch. To do it, we need layers of identification that work together. These layers include what a customer knows (such as their mother’s maiden name), what they have (e.g. government issued photo ID or their cellphone) and who they are (i.e. biometrics - like a finger print or facial recognition). Reliance on a single layer of identification is where bad guys find weakness. For example, the Samsung Iris Scanner was meant to be impenetrable by hackers, but was bypassed just eight days after its launch.
For a layered system to work, we need participation and cooperation across various organizations that the customer trusts with their data. That includes financial institutions, governments and telco providers.
Q: This collaboration was a huge part of SecureKey’s success to date. Can you tell us a bit more about it?
This is a very ambitious program. In practice, the service will see customers getting alerts on their mobile device when a utility provider, like a cable company, needs to verify certain information – such as the customer’s name, address, and date of birth - via their bank. The customer can approve that request and set a transaction in motion with just a thumbprint scan on their phone. This is a good example of all the “layers” I was referring to earlier and why – given the number of participants in this one transaction - collaboration is so important.
Each of the participants in this initiative is aware that we can’t do this on our own, and we are relying on one another to make the system work. I know the financial institutions are also very motivated to come together to make the banking system a more secure place for the benefit of Canadians. A stronger identity ecosystem will support that.
Q: A question I’m sure you get asked a lot: How are you managing all the data?
This initiative is about taking the friction out of the authentication experience for customers and building trust. We want to make it easier for customers to prove they are who they say they are, while making it harder for criminals to pose as customers.
At the same time, we want to build trust by ensuring customer privacy. Customers don’t want their banks to know too much, such as where they go or what they do. That means having all of the efficiencies of digital ID without sharing too much information. It’s about asking “are you willing to share this information with this party, for this purpose?” And we never see the data – the system tracks it down from various organizations in real-time, but the information itself stays where it is. The use of blockchain supports this as information is distributed across a number of different nodes rather than a single database. There is no longer a single point of failure or “honeypot” of data luring bad guys in.
Q: Where do payments and digital ID converge?
When you think about it, banks are in the business of trust, and the foundation for that is strong authentication. People know that when they go to their bank, the transaction they want to do will get done, and the bank will keep their payment information safe. For banks to deliver on this, they need to know a customer is who they say they are. If they can do proper authentication, it has the potential to open up all kinds of new opportunities for payments that we haven’t dreamt of yet.
Layering and what we call “distributed identification” is also something to think about in regards to Payments Canada’s Modernization program, particularly in regards to faster payments and the idea of a proxy database. The need for security will be paramount.