Is Authentication of Identity Even Possible?
Before we can answer this question, we first need to define what identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.
In its most basic terms, authentication is the ‘what-of-you’ and identity is the ‘WHO-of-you’. You can authenticate via a password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics, and 5 different hardware tokens, and you would still not know to any degree of certainty if I’m good for the loan.
For example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this example] that they are both who they say they are, but do you feel equally comfortable lending both of them your car?
I would assume the answer is no, you would not be comfortable loaning a stranger your car, so what’s the difference? Trust, pure and simple. You trust your friend because you know WHO he is, not WHAT he is.
Unfortunately you will never be able to know everyone on the planet as well as you know your friends, so how can you assure a sufficient level of trust to do business of any sort? Currently, authentication is enough, but it’s almost entirely one way. If you want to buy something on the Internet YOU have to complete the login details (often including a permanent account), YOU have to enter all of your payment details, and YOU have to accept the risk that the merchant will send the goods as promised.
With an identity, built over the course of time and receiving input from many sources, every individual and every organisation can build a demonstrable level of trust so that both sides have the assurance they need to conclude the transaction. Fraud in e-commerce is rampant partly because we simply don’t have this 2-way assurance, or the ability to seamlessly authenticate to a centralised and universally trusted source.
From the individual side: Credit score, confirmation of available funds, payment history, and any number of other factors can build a Trust Assurance Score (TAS), and it will be up to both the buyer and the seller to agree on the level of score required to complete a purchase. For example, on a scale of 1 – 100 (100 being a perfect TAS), the consumer needs a score of 5 to buy a cup of coffee, but a score of 50 to rent a car, and a score of at least 75 to get a mortgage.
From the merchant side: Time in business, corporate credit rating, ratings and reviews and so on can build their TAS, so you can decide up front the level of risk you are prepared to accept to conduct the business at hand.
Clearly there are many challenges with this: How do you build a rating in the first place (the young and new businesses should not be unfairly disadvantaged)? How do you provide instant access to this rating without exposing all of the detailed information behind it? How do you tie in the appropriate level of authentication required to even request a TAS in the first place? And so on.
We’re not proposing a way to fix this; we are simply trying to demonstrate that the reason we don’t HAVE identity built into transaction authentication is that these issues have not been addressed yet. And until we have identity built into transactions, we won’t have the levels of trust required to make significant change. Payments, for example, will move from plastic to mobile, but if authentication is not multi-factorial, it will be insufficient to significantly reduce fraud.