Connect with us


Digital identity is broken. Can we fix it?

Digital identity is broken. Can we fix it?

By Jeremy Newman, founder and executive director of ShowUp

While we have all been enjoying a life online, an awkward truth threatens to wreck everything. It is this: a password is the same irrespective of who enters it. This means that when an organisation asks for passwords or other ‘memorable’ information for verification purposes, it is unable to tell the difference between their customer and an impostor.

So why do organisations persist in asking their customers to do something that a fraudster can also do?

Since ancient times passwords have played a role in keeping the enemy from the gates and telling friend from foe. The first use of passwords in the context of computer logins was in 1961 for an early multi-user computer system developed at MIT. Fast-forward to today, and people have to use passwords to interact with just about every supplier, government department and service on offer. Indeed, the way businesses verify customers has barely changed in over half a century.

The problem is that the dominant method of verifying people – testing their knowledge – was flawed from the outset, and it still is.

How we’ve lost our way

Given that passwords cannot distinguish between customer and fraudster, you might hope that this flaw is benign. But it’s worse than useless. By using knowledge-based authentication (KBA), organisations expose their customers to risk.

Knowledge-based authentication drives fraudsters to obtain data by whatever means they can, and then either use it to malicious ends themselves, or trade in it. Vast markets have opened up on the dark web where personal information is being bought, sold and collated, patiently tended in databases like shadow credit reference agencies. The value of this data to criminals lies in the fact that, armed with this data, organisations can be easily fooled. Let’s not forget that KBA is responsible for every phishing email that’s ever been sent.

The reality is that wherever access to a bank account, email account or indeed any online resource at all is controlled with a password, if you know it, so can the fraudsters. All knowledge can be shoulder-surfed, discovered, leaked, hacked, intercepted and (ahem!) guessed.

I believe that passwords persist in part because they give people the sense they have a secret. Until, that is, an organisation gets fooled and customers are left to deal with the resulting mess. They call it identity fraud, but really it’s corporate negligence on a global scale. We live in this Kafkaesque world where we all must jump through hoops to “prove who we are”, while the practice is widely known to be little short of a complete waste of time.

It’s time to change habits 

The world is in desperate need of a way to tell the good guys from the bad guys. If it’s not knowledge, then what? What if we could find a means of differentiation that is already present in the population? 

The assumption has always been that you cannot see your customer online. As the famous cartoon in the New Yorker had it – on the internet, nobody knows you’re a dog. However, in the past decade this assumption is no longer valid. For the first time nearly everyone has a camera phone with internet connectivity. Therefore it is now possible to draw upon the tried-and tested mechanism of visual identity, and the innate ability of people to recognise one another.

To harness visual identity is to build upon a foundation laid down over several millennia of human evolution. Using this powerful natural capability goes with the grain of everyday experience as opposed to against it. Visual identity is practised by around 7.2 billion people every day, and it manifestly works. Also, there’s no need to distribute anything – no secrets, no special hardware, or even documents.

After many attempts at fixing the problem by adding layers of complexity, we are about to turn full circle. Going back to our roots promises to make the job of the fraudster much harder, while making life much easier for the true customer. There’s an old saying, “People are the weakest link in security”. As ever, it depends on what organisations ask them to do.

Continue Reading
Editorial & Advertiser disclosureOur website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.

Recent Posts