What it will take to make digital identity real

The biggest problem with digital identity is that it’s just a pain in the ass.

As banks, governments and e-commerce giants try to solve the issue of customers having account overload and password amnesia, the problem becomes that security is just inconvenient: there are so many required security specs for passwords and so many different passwords to remember, it’s just easier to create an easy-to-remember password and use it for everything — and at the end of the day, if an account is hacked, the bank can just return the money. No big deal.

Passwords are how customers identify themselves for every service they use. They know the system is hackable but still entrust companies with their data, even if they don’t actually trust them. Fixing the system means there has to be a single identifying entity that people trust, one that has an established history of collecting and holding personal information. Banks are the best positioned to do so, but trust has to be part of the process of designing identity verification services, and it should be clear who owns customer data and what happens to it.

“The use of digital identity will exceed the use of physical identity when more digital identity solutions emerge in the market — that’s what’s lacking today,” said Matthew Thompson, director of digital business development at Capital One, which launched a digital identity application programming interface (API) this week that lets websites and apps authenticate the identity of their customers against the identity information stored by their banks.

“We have to design for trust in the solutions: trust with the relying party or business partner that they can trust the assertion we’re making, and trust with the consumer that they want to use or share the information in this ecosystem. When those things come together you’ll see digital identity exceed the use of physical identity.”

Who has my data?
Collecting customer data is in the interest of the customer, banks (or any company, really) will tell you. By doing so, banks say, they can improve their products and services. Knowing more about customers — their preferences, routines, where they save and when they splurge — helps them personalize their offerings and deepen connections with customers, which makes them feel even more comfortable granting the banks even more of their data.

Right now, it’s not clear who owns customer data, whether it’s banks and our payment information or Facebook and the details we put on social media. Banks are held to higher standards of privacy and security; that’s part of what makes them so well positioned to take the lead on providing digital identity services.

“We don’t know who really owns our data but I bet you the large banks absolutely don’t want that” to be made explicit, said Pascal Bouvier, a venture partner with Santander InnoVentures, the Spanish bank’s fintech venture capital arm. “There [would] be clear liabilities as well as clear asset and cash flow streams that people either have access to — or don’t. In order for us to fully actualize federated digital identities built off data streams we create directly or indirectly, we need to have some type of clarity on that ownership.”

The ownership question is also more important now than ever, as startups and technology providers look to increase their data-sharing agreements with banks. Intuit has landed agreements with JPMorgan Chase and Wells Fargo; Finicity just signed one with Wells; Xero established similar deals with Wells, Silicon Valley Bank and most recently, Capital One. These initiatives also give banks safer ways to move data and help give customers control over how their data is used — the holy grail of digital identity — by using application programming interfaces instead of the more commonly used screen scraping method, in which customers give the third-party site or app their bank credentials and that company logs in as the customer to “scrape” account data as necessary.

Convenience over safety
The widely agreed-upon solution is data minimization: an organization collects only the data it needs, uses it only for what it agreed to use it for and gets rid of it when the purpose is achieved. A bartender doesn’t need to know customers’ ages to serve them; she just needs to know that each is greater than or equal to a certain age.

One way is to let customers opt in to having their data shared; the Canadian banks have a solution for this. Another is to put a disclaimer on the bank website that spells out how the data is going to be used. But that’s slightly inconvenient. And even when customers are cynical toward banks, banks seem to be trusted enough to continue serving them.

“Consumers will always choose the path of least resistance, and if you rely on your consumers to be interested in their best interest when it comes to security, that’s probably not going to happen,” said Ryan Fox, director of consumer identity at Capital One. “We’re always two-step or multi-factor authenticating our customers. It’s always dynamic, always risk-based, always multilayered.”

In 2015, Capital One launched SwiftID, which removes the friction of passwords by letting people authenticate biometrically from their phones when signing in from an unknown device. By designing security right into the banking experience, the bank can send the customer a push notification they can respond to in a second instead of requiring them to read a lengthy security statement, Fox said.

The important thing for banks to remember when building on their security is that people don’t think about it in terms of what’s most secure; they think about what’s easiest, he said.

“That’s why touch ID had such an adoption rate,” Fox said. “We went away from knowledge-based login to something I can just touch. It was adopted not because it was a pattern they understood but because it took half the time. Is it easier? Yes. Do I have a cognitive load associated with doing this? No? Then I’ll do it.”

WTF is digital identity?

Moving shopping and banking online means our transactions are more than making money: They’re about getting data.

“People are extremely aware of how digitized their lives have become and how little control they have over that. They want to know that if they’re providing this info they’re getting something for it and it’s not just for banks or large technology companies to use for their own purposes,” said Steven Ehrlich, lead analyst for emerging technologies at Spitzberg Partners.

That data says a lot about us — a lot more than a piece of plastic with a photo and address on it. There lies the digital identity dilemma: legally accepted driver’s licenses and passports supposedly show that we are who we say we are in the physical world, but don’t do the same in the digital world. As the digital world evolves, that could get complicated. But right now banks, technology firms and governments are all looking at how to make it easier for people to prove they are who they say they are, effectively allowing customers to own their own identity. In this WTF, we dive deep into digital identity.

So, what’s a digital identity?
A guy walks into a bar and shows the bartender his ID. In doing so, he gives the bartender more information than he needs: his name, date of birth, address, height, weight, eye color, whether or not he’s an organ donor. But all the bartender needs to verify is this guy’s date of birth, because all he needs to know is if he’s of the age to be in a bar.

People do this online every day: when they want to log in somewhere or make a transaction, they often give away more data than they may realize or want to, and to a company that doesn’t need all of that information.

“How the consumer behaves when online, what they share about themselves, where they’re located, how they interact with their device — all of those components are really what creates digital identity,” said Kim Sutherland, senior director of fraud and identity management strategy at LexisNexis Risk Solutions. “There are use cases where your digital identity never has been connected to the physical world and there are other times when your digital ID and physical ID do need to intersect.”

What’s the problem?
Everyone owns your identity, except you. According to the government, you are what your driver’s license or identification card says you are. Amazon, Facebook and Google identify you by the places you check into and map, what you purchase and where you have it delivered. But the airline operating your flight home won’t believe you’re you if you give them the email tied to all that data. And Amazon doesn’t ask for your driver’s license when you want to buy something; you enter a password.

Where do banks come into this?
Banks are well positioned to provide identity verification services because of the amount of data they hold and the level of trust consumers and corporations have in them as authoritative institutions, even when confidence is low.

“Banks really think about their role as custodians of personal data and the identities of their customers,” said Ehrlich. “They recognize it’s becoming more important to have access to this information so they can optimize services but do it in a way that is transparent, secure and equitable so people continue to use the services and provide them with even more data.”

Now banks need to look at what data is necessary for them to conduct their operations and how they can best use the information to optimize their services in a way that makes their clients feel they really are equal partners.

What’s the solution?
The holy grail of digital identity is that people only provide the minimum data necessary for their purpose. There isn’t a credible plan to make it happen across the world and across industries. But everyone involved is working on it.

“In order to get to that situation we need to find a way for people to be in charge of their own information so they don’t necessarily have to trust a bank or Google or Facebook,” Ehrlich said.

Biometric authentication efforts are the most visible examples.

IBM is working with security company SecureKey and several major Canadian banks on an app that would push notifications to people when utility providers need access to their information. For example, when signing up for a new phone line, the customer would receive a notification saying the wireless provider needs to verify his or her name, address, date of birth and social security number, and that it will access that information through the customer’s bank. The customer approves by authenticating biometrically on the phone, and the bank transfers that data to allow the customer to open the account.

“People will feel much more secure if they know they can control their information and permission it out only if they want to,” Ehrlich said.

He added that there’s a design element to the solutions as well. Organizations working on solutions worry that everyday people won’t have the tech savvy to work with encryption, but that can be solved by creating a user interface customers want to try and use.

How long will this take?
As they say in the Valley, it will change the world in our lifetime. Future generations will be taking this for granted.

The biggest challenge to secure data access is time: Xero president

Xero is making it easier for small businesses to manage their finances, one bank partner at a time.

The accounting technology firm on Thursday entered its fourth bank partnership with Capital One, which built an application programming interface that lets Xero retrieve customer data from the bank without compromising, through scraping, customers’ sensitive bank login credentials — the more common way of accessing customer data. Xero has made similar deals with Wells Fargo, Silicon Valley Bank and City National Bank.

“For a business owner to have their own customized financial web and sit at the center of it, we have to have the relationships all across the ecosystem,” said Keri Gohman, president of Xero Americas. “All the banks, accounting partners, ecosystem partners so the business owner can see its full tech stack and how to make it work together.”

Gohman joined Xero less than a year ago from Capital One. Tearsheet caught up with her to discuss the problems data poses for small businesses and the challenges for banks and third parties trying to serve them.

This is Xero’s fourth bank partnership. Is there a theme here?
These bank integrations are happening more and more and it’s a recognition that customers want control of their financials. This is just another continued reinforcement of that trend and the reality that banks really want to get ahead of customer demand.

How has demand from small businesses changed in the last five years?
As consumers, we’re able to log onto Google Maps and have it pull ratings and reviews from Yelp, Uber so I can schedule a car, Waze so I can see traffic. I don’t really know I’m in all those things but I expect them all to work together. In much the same way, business owners are starting to expect that. They’re using the cloud, realizing the benefits of collaboration, they want things to work that same way.

Can you explain the data access issue for small businesses?
Getting access to lending is about your financial history and performance over time. It’s the lifeblood of what a business lives on, and relies on how they get underlying data and how that data all works together. Third party integration is always tough because the data isn’t always reliable, and the feed can get interrupted. Having this data feed directly with the bank creates a tighter integration.

So what’s the problem Xero is trying to solve with Capital One?
Sharing customer data with third parties safely, securely and in a way that puts the customer in control. There’s been a proliferation of great fintech solutions for small businesses, but they don’t all work together. And financial companies are recognizing they want the world to work together. Everything financially should work together so if I’m a business owner I’m asking what’s my bank, what are all the business applications I need? I need all my data to flow through to my P&L. I need to be able to manage all of my business in one place.

What’s the biggest challenge?
Banks have higher fiduciary standards. I don’t tell Google to start feeding Yelp, Waze or Uber, but consumers don’t expect their financial data to just be shared everywhere. If it’s sitting in another system and your bank allowed it to go there, who do you blame? Not the other company. All the banks are wrestling with the right way to do this but also give customers flexibility. We have to go one by one by one to all the financial institutions to set up these partnerships, and they also need to go one by one by one. The challenge is really time.

Where do we go from here?
Everything will become interconnected over time. What this unlocks over time is the economy. It has the ability to transform the data we have access to; the ability to make the systems work together really has the potential to unlock productivity in ways we can’t consider today.