The headlines keep coming with alarming frequency, as do the bank alarms themselves: Earlier this month, HSBC acknowledged that the data of perhaps 14,000 account holders was breached. But the words “data breach” barely scratch the surface of how scary this is for the account holders in question: “The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history where available,” HSBC said in its data breach notification. (At least blood types were not revealed.)
Currently, there are four basic types of identification methods, based on the following:
an object or device a person has
what a person knows
who a person is
what a person does
Access badges, ID documents, smart cards, security tokens and mobile phones are all examples of the first category: what a person has. What a person knows involves authenticating identity through a password, passphrase, PIN, security question, sequence or combination. Physical biometric identification, or who a person is, generally involves fingerprints, facial images, iris scans, vein images or voice authentication to verify identity. And what a person does enters into the world of behavioral biometrics: confirming identity through keystroke activity, device usage and channel behavior.
Understanding the three digital identity types
Beyond the four basic types of ID authentication, there are three main types of digital identity, each with its own strengths.
Traditional, “siloed” identity is the simplest of the three models. An organization issues the digital credential to individuals or allows them to create it for themselves. Trust between the individual and the issuer is typically established through the use of shared secrets: usually in the form of a username and password and sometimes additional information such as a PIN or security questions. Occasionally shared secrets are augmented with additional factors such as physical tokens or biometrics.
The federated or IDP relationship model adds a third-party company or consortium. This third party acts as an “identity provider” (IDP) between the individual and the issuer or service the individual tries to access. The IDP issues the digital credential, giving individuals a single sign-on experience that they can seamlessly use elsewhere, which reduces the number of separate credentials a consumer needs to maintain. A common example of the IDP model is “social login” on the web, using a Facebook, Google or other social ID to access a third-party service. With social login, one of these tech giants serves as the IDP, but this option is acceptable only in lower-trust environments (such as e-commerce) and not in a high-trust one such as banking.
Self-sovereign identity (SSI) is a two-party relationship model, with no third party coming between the individual and the issuer. SSI begins with a digital “wallet” that contains digital credentials. It acts like a physical wallet where a consumer carries credentials issued by others, such as a passport or driver’s license.
Financial institutions’ role in authentication
In clearly indicating that cybersecurity is a top priority, financial institutions should actively look into authentication methods to protect consumers. Banks and credit unions have a few factors that make research into authentication a natural fit for the industry: namely their experience with authentication, consumer trust and regulatory compliance. Many financial institutions have already designed secure processes to verify consumers’ identities and can offer these services when onboarding individuals, assets and institutions onto digital systems.
Unfortunately, offering this on a large scale to other industries would only be possible for the largest banks, or a conglomerate of smaller institutions. Further, banks and credit unions are the most reliable private sector providers that are extensively familiar with rigorous compliance standards. Because of credit unions’ strong reputation for consumer trust and the collaborative nature of the industry, these institutions stand as uniquely positioned to develop authentication methods that can improve cybersecurity.
Enter self-sovereign identity and distributed ledger technology
Authentication as a cybersecurity initiative also has a practical application in operations, since it marks the first step of any transaction with a customer or member. Distributed ledger technology (DLT)—commonly known as blockchain—can verify identity via digital channels with a self-sovereign digital identity through the consumer’s financial institution. This gives individual consumers control over their personally identifiable information and can create a truly secure, private flow of information.
A primary advantage of a distributed ledger is that information or transactions conducted through a ledger cannot be changed. The ledger acts as a database spread across nodes or computing devices; each replicates and saves an identical copy of the ledger that is updated independently. To corrupt a ledger, hackers would have to corrupt more than half of its nodes at the same time—a herculean task unattractive to fraudsters. Banks and credit unions should look into private ledgers since their secure networks suit sensitive transactions. They’re a valuable technology for financial institutions to use as they develop digital identity solutions.
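The replication and majority properties described above can be seen in a simplified model, added here as an illustration and not taken from any ledger product or from the author's organization. The record fields, node count and function names are assumptions; production ledgers use full consensus protocols rather than this direct comparison.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

def entry_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_ledger(records):
    ledger, prev = [], GENESIS
    for record in records:
        digest = entry_hash(prev, record)
        ledger.append({"record": dict(record), "prev": prev, "hash": digest})
        prev = digest
    return ledger

def chain_is_valid(ledger):
    prev = GENESIS
    for entry in ledger:
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False  # edited record or broken link to the previous entry
        prev = entry["hash"]
    return True

def head(ledger):
    return ledger[-1]["hash"] if ledger else GENESIS

def majority_head(replicas):
    """Head hash held by more than half of the replicas, or None."""
    digest, count = Counter(head(r) for r in replicas).most_common(1)[0]
    return digest if count > len(replicas) / 2 else None

def divergent_nodes(replicas):
    """Indexes of replicas that fail validation or disagree with the majority."""
    agreed = majority_head(replicas)
    return [i for i, r in enumerate(replicas)
            if not chain_is_valid(r) or head(r) != agreed]

# Constructed sample data: credential events replicated to five nodes.
RECORDS = [{"holder": "member-001", "event": "credential-issued"},
           {"holder": "member-002", "event": "credential-issued"},
           {"holder": "member-001", "event": "credential-revoked"}]

def demo():
    replicas = [build_ledger(RECORDS) for _ in range(5)]
    replicas[1][2]["record"]["event"] = "credential-issued"  # record edited in place
    replicas[3] = build_ledger(RECORDS[:2])  # history re-hashed without the revocation
    return divergent_nodes(replicas)  # [1, 3]
```

Node 1 fails its own hash check, while node 3 is internally consistent and is caught only because it disagrees with the copy held by more than half of the nodes.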
Putting it all together: Identity theft’s identified deterrent
Financial institutions have a unique opportunity to fight back against the identity theft crisis and contribute to a viable solution to the industry’s cybersecurity needs. Using distributed ledger technology, financial institutions can build a digital identity solution that’s more secure than physical, knowledge-based or biometric forms of authentication. Banks and credit unions can offer consumers their experience, consumer trust and compliance expertise through a self-sovereign digital identity solution that relies on it—while success in keeping the bad guys at bay truly puts the “block” in blockchain.
John Ainsworth is president and CEO of CULedger, a credit union service organization that enables credit unions to enhance their digital strategy by bringing innovative distributed ledger applications to the market.