20-10-2020 09:00

Finding the key to digital identities

As the digital age and enhanced connectivity make banking more accessible and convenient for users than ever before, banks need to support ease of access while prioritising security. Adaptive authentication, with digital identities confirmed from multiple devices, may provide a way of ensuring banks can rely on the information being shared digitally in the future.
Offline to Online

In the pre-internet era, a bank generally identified its customers in person as they walked into a branch and presented themselves, often with paper documentation such as a driver’s licence or passport. With the majority of people now engaging with financial services through online and mobile channels, the chances are that many financial institutions have never physically seen or met a large proportion of their customers.

Ville Sointu, Head of Emerging Technologies at Nordea, says: “Looking at the challenges that banks have been facing traditionally in digital channels, it’s typically related to the fact that they want to be in complete control of all of the tools, methods and keys that are being used to access their digital channels. In the Nordic countries, this began in the 90s with banks physically delivering customers scratch cards for one time authentication codes in online channels and has later evolved to giving out hardware tokens for customers who for one reason or another don’t want to use their mobile banking and authentication applications for identification. The common theme in all of this is that banks have always controlled these authentication and verification methods from day one of online banking.”

As mobile devices have continued to evolve, banks have sought to move in step with technological developments to enhance the usability around accessing digital banking. Improving the user experience for authentication processes has in some cases meant a loosening of the original concept of complete control.

Ville continues: “Leveraging advanced and user friendly mobile technology for user authentication means practically one thing; banks need to be able to find ways to trust different kinds of devices while not necessarily having complete end to end control over them all of the time. An obvious example is the usage of biometrics on Apple’s iOS devices. Banks place a certain level of trust on authentication services such as face ID and touch ID based on the specifications given by Apple regarding these methods. This verified trust in Apple’s solution on the iOS operating system level is one example of a step forward on this front that banks have taken in the past years. Moving from completely controlled environments and tokens into a world where banks can at least partially trust a third party doesn’t sound like much but in a world of immense regulatory scrutiny and risk management this is not insignificant.”

Trust on many levels

In order for financial institutions to navigate the fast moving evolution of digital identities, a key factor is related to understanding the different levels of trust attached to providing access from different digital channels.

Ville says: “Banks want to identify the context of a transaction correctly and assign different levels of digital authentication accordingly. Obviously, if a bank is signing off on a multimillion Euro transaction, they still fall back on things that they completely control themselves. This needs a strong level of trust. However, if the transaction in question is a person to person payment, for example, to another individual that they’ve already made several payments to and the value is fairly low, a bank might trust a third party authentication system with high usability like touch ID or face ID.”

“It’s important to understand that it’s not a binary game between not trusting and trusting on digital channels. Different levels of adaptive authentication and understanding the required trust level for any particular transaction allow banks to approve a vast majority of small day to day transactions with much higher usability. A simplified practical example of this is when we pay at a store just by tapping our payment card on a contactless terminal without giving a PIN code. Creating different levels of trust for all these usage scenarios allows banks to require more complex digital authentication methods when it actually matters, i.e. when the transaction is higher value or has an unfamiliar beneficiary,” adds Ville.

Regulating identity

As different types of identity verification techniques are introduced, the extent to which banks will move towards partnering with other entities, whether government or commercial, to offer collaborative identity solutions remains to be seen.

Ville says: “When we consider the usage and sharing of identity data in broader networks, from a regulated bank perspective this becomes a question of liability and customer consent. For example, if a customer would like to share a certain identity or other personal attribute from their bank, this is all fine and well as long as the technical capabilities of doing that in the future are in place. The bigger question here is what is the liability of the bank as a financial institution when they give that attribute to a third party with their customer’s consent? These things have to be very clearly defined. For example, if that attribute is being used by a third party to secure a transaction, we have to be 100% clear that every participant in this chain has the same understanding about what the liabilities are related to using this data.”

The evolution of broader identity networks also involves concepts such as self-sovereign identity (SSI), which argues that a person controls their own identity across all areas and touchpoints of their digital persona. By managing all of the aspects related to their digital identity themselves, the goal is for a person to operate with the same level of trust and freedom as they have in the physical world.

Ville adds: “SSI is one of the most interesting questions for financial institutions in the near future. We’ve already seen some of the global networks in the SSI space being to a large extent dismissed by financial institutions due to the fact that it’s impossible to control risk on a global level. However, building verified data networks at a national level from the ground up based on local laws and local trust mechanisms creates a very strong foundation for doing this in a sustainable and regulatory compliant way. As national networks get up and running, interoperability offers the possibility of joining different regions together to grow organically connected identity networks. European level initiatives on SSI can play a key role on the path towards interoperability. Especially from a Nordic standpoint, connecting our upcoming national networks with other European networks in the future is a great opportunity to build an interoperable data economy in this region. If we’re able to find interoperability across these networks at the EU level that’s a good stepping stone towards maybe one day having some kind of a functional global network.”

Know Your Customer, Know Your Device

With the average customer now accessing their banking services on more than one device, banks will be able to develop more nuanced approaches to the level of trust attributed to different digital identities.

Ville says: “If banks have good information on their customers and their personal attributes, one of the extensions of those attributes should be linking them to an array of different kinds of devices. Those devices could have different trust levels and depending on, for example, the kind of software being installed on them, again with the customer’s consent, banks could use that data in order to take them up the ladder in terms of trust levels as they access different kinds of digital channels. Know your device, or understanding the digital fingerprint and trust level of devices, is obviously important and is going to be an interesting area of growth for managing customers’ profiles in the future.”
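The adaptive authentication described under “Trust on many levels” (transaction value and beneficiary familiarity deciding how much the bank may lean on a partially trusted third-party method) and the device trust ladder described just above can be expressed as one small policy. The following is an added illustration, not Nordea’s code or policy; the thresholds, the 0..3 device ladder and the three authentication levels are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class AuthLevel(IntEnum):
    """Authentication methods ordered by how much the bank itself controls them."""
    DEVICE_BIOMETRIC = 1      # third-party method (platform biometrics) the bank partially trusts
    BANK_APP_CREDENTIAL = 2   # credential issued and verified by the bank's own app
    BANK_HARDWARE_TOKEN = 3   # fully bank-controlled hardware token


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    beneficiary: str
    prior_payments_to_beneficiary: int  # how often this customer has already paid this payee


# Policy thresholds are constructed for this example, not a real bank's limits.
HIGH_VALUE_EUR = 1_000_000
LOW_VALUE_EUR = 500
FAMILIAR_PAYMENTS = 3


def device_trust_level(enrolled: bool, platform_biometrics: bool, hardware_backed_keys: bool) -> int:
    """Place a device on a 0..3 trust ladder from attributes the bank knows about it (assumed ladder)."""
    if not enrolled:
        return 0  # unknown device: never eligible for the lightweight method
    return 1 + int(platform_biometrics) + int(hardware_backed_keys)


def required_auth_level(tx: Transaction, device_trust: int) -> AuthLevel:
    """Map transaction context plus device trust to the authentication the bank must see."""
    if tx.amount_eur >= HIGH_VALUE_EUR:
        # High-value signing always falls back to what the bank fully controls.
        return AuthLevel.BANK_HARDWARE_TOKEN
    familiar = tx.prior_payments_to_beneficiary >= FAMILIAR_PAYMENTS
    if tx.amount_eur <= LOW_VALUE_EUR and familiar and device_trust >= 2:
        # Low value, known payee, trusted device: the partially trusted third-party method suffices.
        return AuthLevel.DEVICE_BIOMETRIC
    # Everything else (new payee, mid value, weakly trusted device) needs a bank-controlled credential.
    return AuthLevel.BANK_APP_CREDENTIAL


def authorize(tx: Transaction, device_trust: int, presented: AuthLevel) -> Tuple[bool, AuthLevel]:
    """Return (approved, level_required); a stronger method than required is always accepted."""
    need = required_auth_level(tx, device_trust)
    return presented >= need, need
```

Tightening `device_trust >= 2` to `>= 3` is the single knob that would force the biometric path onto hardware-backed devices only, which is the kind of step-up a risk team can reason about and audit.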

At the same time, a number of security challenges remain when considering device-centric approaches to digital identity. One of these is what to do when the mobile device itself is replaced.

Ville adds: “If I have different kinds of mobile banking and finance applications in my personal mobile phone, as soon as I upgrade to a new model, it’s still a challenge to migrate all of those things and bootstrap my new phone’s identity into all the digital access channels and applications that I had on my old phone because these things don’t migrate easily. The last time I changed my phone, it literally took me days to manually do a lot of these migrations that were always related to enterprise applications, banking applications and different kinds of identity systems and security services that I had set up on my own device.”

An optimal know-your-device approach will need to ensure that users changing and upgrading their devices can complete the migration in a way that is both user friendly and secure.

Ville concludes: “The right way to address digital identity is all about finding a balance between security and usability. Know your device is just another example of how you need to do that in a good way because otherwise we might see a combination of problems, especially when these devices become even more proliferated in terms of how many devices I have. For example, in the future I might have different kinds of voice assistants that are linked to certain hardware, I might have my connected car, I might have all of my IoT (Internet of Things) devices personalised and then to a certain level identified by my financial institution. What if one of these things breaks? What if I move? What if I change my car? Making these migration processes easy, intuitive and secure becomes an increasingly complicated problem. We have a lot of work to do in the digital identity space especially now that every day more and more things become connected.”

For more information write to Ville at ville.sointu [at] nordea.com (ville[dot]sointu[at]nordea[dot]com).