The option to “login with Facebook” just isn’t what it used to be.
Since Facebook Connect launched in 2008, the social network has tapped into its repository of user profiles to provide a sort of digital passport to the web. Developers offering it could draw some public details from the profiles of new users to easily set up an account. Users didn’t have to go through an onerous account creation process. And Facebook got just a bit more data on its users’ online behaviour.
But in the wake of another privacy scandal that has regulators launching investigations and demanding answers, the Facebook login option has changed in both perception and technical terms. Users might start opting to use their email addresses instead, not trusting Facebook to act as an arbiter of their identity information. At the same time, Facebook has restricted access to its API, requiring any developers using it to be approved.
Over the past several years, digital service providers like Facebook and Google have served as centralized repositories of the digital identities of Internet users. But with the digital economy becoming more important and intertwined with physical interactions in the real world, industry forces are pushing against that trend. Instead, the traditional holders of identity information pre-dating the Internet are organizing to once again act as arbiters in the digital space. In doing so, they’re hoping to set up a system that is more decentralized, secure, and private. Some even see it as the potential path to issuing credentials to the one-third of the world’s population that has never been officially identified.
There’s an app for that
At Mobile World Congress in Barcelona at the end of February, the GSMA’s Mobile Connect service was pushed by the conference organizer. An identity solution that much of the mobile industry is collaborating on, it’s demonstrated in the “Innovation City” section on the massive conference floor. It promises capabilities for authentication, authorization, and attribute-based verification. Among its first users are the San Diego Health Connect, InterBev, and OpenCDE.
Speaking on a panel, Mastercard Labs’ Vice President of Product Development and Innovation Nina Nieuwoudt neatly sums up the problem that solutions like this are looking to solve. In a world where data breaches are the norm, all the static identifiers normally used to prove identity can no longer be trusted. Then there are the 2 billion people who have never received a traditional ID from any authority. In short, in today’s world your identity has either been stolen or never properly established at all.
Nieuwoudt advocates for a decentralized method of proving identity that puts control in the hands of the individual.
“You want to have an identity that you as an individual own and it’s not about being put in different pockets for people to misuse,” she says. “We have an opportunity where we can get everybody included.”
As the organizers at MWC surmise, wireless carriers can play a role in providing that type of solution. Such a prospect is already underway in Canada, where Enstream (a joint venture that’s owned by Bell, Rogers, and Telus) launched a consumer identity verification service in early 2017. Enstream says its services cover 90 per cent of the Canadian market and don’t require any software pre-loaded to mobile devices. But Robert Blumenthal, head of identity and authentication services at Enstream, says that individual consent is required any time that Enstream provides information to verify identity.
“It can’t be tucked 15 pages into the terms and conditions somewhere, it has to be somewhere you can see it,” he explains. “It has to be enough that you get a signal that we’re doing something here that you may disagree with.”
Enstream conducted a Canadian pilot of Mobile Connect last year. Some Telus customers were able to download an app to authenticate their identity, and then access some self-service options for their accounts.
“It’s like Facebook ID or Google ID but with higher privacy and security,” Blumenthal says.
Compliance requirements get tougher
Enstream is able to serve as a conduit between Canada’s three major carriers and services that require identity authentication to prevent fraud. After anti-money laundering regulations in Canada were updated last year to require three years of credit history to prove identity instead of just one, there was a need to supplement the picture painted by credit agencies like Equifax and TransUnion. Because carriers already have a good enrolment process to issue wireless subscriptions, they could fill in the blanks.
Talking at MWC just after a Feb. 22 upgrade to its identity services, Blumenthal explains how new analytics help businesses judge their protection against fraud. Seen through the eyes of financial regulators, identity is not black or white, but shades of grey along a spectrum of probability. Enstream provides a “summary score” that gets stronger as more fields of information are matched, such as name, address, and phone number. There’s also a “confidence score” that rates how likely it is that information is accurate based on the type of account held with the wireless provider, and how the customer’s identity was verified in the first place.
Already, Enstream’s clients have taken advantage of its services to innovate their offerings to customers. One national retailer allows customers to sign up for a credit card in the store and immediately issues it to them in a form they can use via their mobile device. It may just be a hint of things to come.
“The whole notion of digital identity is so new,” Blumenthal says. “If I look forward 10 years, we believe passwords will go the way of the dodo bird and you’ll have three or four trusted IDs online that will confirm you are who you say you are.”
Building a broader ecosystem
To accomplish that, it’ll take more than just carriers chipping into the digital identity ecosystem. Toronto-based SecureKey Technologies is building just that, looking to integrate Enstream’s identity services with other authoritative sources to vouch for identity, including banks and government. CEO Greg Wolfond explains that for digital identity to work, it has to have a higher confidence value than any one party could provide.
“If someone can show up at a telco store and say they are me, and suddenly set up bank and medical records, I’d be pretty nervous about that,” he says. “Having multiple sources makes this even stronger.”
SecureKey has been working with Enstream for more than a year to make Enstream’s system interoperable with its own blockchain-based digital identity platform. Wolfond says SecureKey is working to bring multiple principles of security into the equation. That amounts to proving identity by answering questions like “what I know, what I have, and what I am.”
Do that with a high degree of confidence, and you can issue government services through an online portal, Wolfond says.
And that’s certainly something that “login with Facebook” can’t do today, and likely never will.