Updated April 1st, 2020
This blog post has been coauthored with Karen Lewison
The coronavirus pandemic is causing unprecedented disruption throughout the business world. Businesses that are not able to cope with public health orders and new customer behaviors are going out of business, while businesses that are able to adapt are thriving and expanding their market share. Disruption will be temporary in sectors of the economy where face-to-face interaction adds value to the business-to-customer relationship and a physical presence on the street is an essential requirement of the business model; gyms, bars and conference centers will no doubt reopen once the pandemic has been controlled. But changes brought by the pandemic will be permanent in sectors of the economy where face-to-face interaction adds no value and a physical presence is a legacy of a traditional business model. One of those sectors is the financial world.
A challenge to financial institutions
Financial institutions have been less impacted than other businesses by the pandemic. In the US, the entire financial sector has been declared critical infrastructure by DHS and is thus protected against closure orders by states or counties. And most financial transactions are now conducted online using web browsers or mobile apps, without face-to-face interactions that would put employees and customers at risk of contagion. Nevertheless, coronavirus poses a challenge to financial institutions: how to verify the identity of new customers.
Although most financial transactions are now conducted online, creation of a financial account by a new customer is usually accomplished in the traditional way, by means of a face-to-face interaction where the new customer is identified by a photo ID. But requiring a face-to-face interaction for identification will make it difficult to acquire new customers now that potential customers will be “sheltering in place” from the pandemic.
Identity verification without prior relationship
The reason why in-person presentation of a photo ID is still being used for new customer identification, or was still used until the pandemic made face-to-face interaction unhealthy, is that identity verification over the internet is difficult when there is no prior relationship between the verifier and the person being identified. We are all routinely identified over the internet when we log in to web sites or web applications with username and password or two-factor authentication; but the password must have been registered earlier with the verifier, and if a code is sent to a phone as a second factor, the phone number must have also been previously registered. Without a prior relationship, registration is not possible and such authentication methods cannot be used.
An FDIC exception
That is not to say that remote identification of new customers is impossible. In the US, many banks have a button on their web site for opening an account online. To do so they rely on an exception to the know-your-customer (KYC) regulations of the FDIC that allows the use of non-documentary procedures for identity verification instead of a photo ID.
A commonly used type of non-documentary procedure known as knowledge-based authentication (KBA) consists of asking the new customer questions whose answers he or she is supposed to know. The KYC regulations explicitly endorse one particular KBA procedure, described as “independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency”, i.e. checking that the new customer knows his or her credit history.
A surge of fraud in new account applications
KBA can be used for remote identification of new customers, but it has a number of serious drawbacks.
First, the use of KBA has caused a surge of application fraud (i.e., a surge of accounts created with the intention to commit fraud), as the answers to KBA questions are often available to fraudsters on the dark web. This is discussed in an earlier post.
Second, KBA is cumbersome for the customer, who has to run a gauntlet of questions some of which may be difficult to answer.
Third, KBA is privacy unfriendly, as it relies on the KBA service provider collecting vast amounts of information about the customer.
Fourth, KBA unnecessarily turns away potentially valuable customers who have forgotten the answers to some of the questions.
Fifth, KBA cannot be used for remote identification of large and important categories of potential customers on whom the KBA service providers do not have enough information to construct suitable series of questions, such as: people without a long enough credit history, including young people, recent immigrants and high tech workers holding H-1B visas; people who choose not to use credit for religious, philosophical or practical reasons; and owners of non-traditional businesses.
Thus, financial institutions that turn to KBA as an alternative to face-to-face identity verification will be increasing the number of customers who sign up with the intention to commit fraud, while failing to acquire potentially valuable customers who are discouraged by the application process, who are turned away for providing wrong answers, or for whom the KBA service provider cannot find suitable questions.
A better method of remote identification of new customers is needed in the age of coronavirus, when most new customers will have to be identified remotely.
Rich credentials
In the same blog post where we discussed application fraud we proposed an alternative method of remote identification that uses the novel concept of a rich credential, and explained how rich credentials can be issued and used as financial credentials for a variety of purposes. Coincidentally, as announced earlier, we were granted a patent on this method on February 18 of this year, just before the coronavirus epidemic in Wuhan became a pandemic. Rich credentials provide a good solution to the challenge of identifying new customers without face-to-face interaction, now backed by a patent.
Rich credentials are cryptographic credentials that provide strong security by allowing the subject of the credential, such as a new customer, to prove knowledge of a private key without revealing the private key. This is a conventional feature shared with other cryptographic credentials. But, beyond that conventional feature, rich credentials also have several novel features that make them ideal for use as financial credentials.
A rich credential can carry multiple attributes of the subject and only disclose to the verifier of the credential those attributes that are required for a particular purpose; this is called selective disclosure of attributes. A rich credential can thus be used by a customer to open accounts at different financial institutions with different identification requirements without disclosing all the information in the credential to each institution. It can also be used to identify the customer when performing a one-of-a-kind transaction with specific identification requirements by presenting the exact set of attributes needed to satisfy the requirements.
While a traditional cryptographic credential only amounts to one identification factor, a rich credential supports multifactor identification by allowing the subject to submit to the verifier a password and/or a biometric feature that the verifier matches to verification data included in the credential, without prior relationship between the subject and the verifier. The biometric feature may be a live visual or audio-visual stream showing the face of the subject, which the verifier matches to a facial image included in the credential while performing presentation-attack detection on the stream. Different factors can be presented for different purposes, a feature that we call selective presentation of identification factors.
Selective disclosure and selective presentation are implemented using the novel concept of an omission-tolerant cryptographic checksum. The signature of the credential issuer binds the public key associated with the subject’s private key to an omission-tolerant cryptographic checksum of the subject’s attributes and the verification data rather than to the attributes and the verification data themselves.
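To make the mechanics of selective disclosure and selective presentation concrete, here is an added example that is not code from this post, from Pomcor, or from the patent. It uses a plain salted-commitment design as a stand-in for the omission-tolerant checksum: every attribute (and the password verification data) becomes a salted leaf hash, the checksum is a hash over all leaf hashes in canonical order, and a subject who wants to omit an attribute hands the verifier only that attribute's leaf hash. The issuer's signature over the subject's public key and the checksum is out of scope; the verifier is simply assumed to hold the signed checksum. The attribute values, the password and the 16-byte salt length are all constructed for the example.

```python
"""Selective disclosure over a salted-commitment checksum (added example).

This is NOT the construction in the Pomcor post or patent; it is a simple
design that exhibits the same property: the issuer commits to one checksum,
and the subject can later omit attributes while the verifier still recomputes
the same checksum from disclosed values plus the leaf hashes of omitted ones.
"""
import hashlib
import hmac
import os

# Constructed sample data for a hypothetical subject.
SAMPLE_ATTRIBUTES = {
    "name": "Alice Example",
    "date_of_birth": "1990-01-31",
    "address": "123 Example St, Springfield",
    "ssn_last4": "1234",
}
SAMPLE_PASSWORD = "correct horse battery staple"
SALT_LEN = 16  # assumed salt length


def _hash_parts(parts):
    """Length-prefix each part so the concatenation cannot be ambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def leaf_hash(name, value, salt):
    """Commitment to one attribute; the salt stops the verifier guessing an
    omitted value by brute force over likely values."""
    return _hash_parts([b"leaf", name.encode(), salt, value])


def checksum(leaves):
    """Omission-tolerant checksum: hash of all leaf hashes in sorted order.
    Anyone holding the leaf hashes, not the values, can recompute it."""
    parts = [b"checksum"]
    for name in sorted(leaves):
        parts += [name.encode(), leaves[name]]
    return _hash_parts(parts).hex()


def password_verifier(password, pw_salt):
    """Verification data for the password factor, carried as an attribute."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), pw_salt, 200_000)


def issue(attributes, password):
    """Issuer side: build the leaves and the checksum the issuer would sign."""
    pw_salt = os.urandom(SALT_LEN)
    values = {n: v.encode() for n, v in attributes.items()}
    values["pw_verifier"] = pw_salt + password_verifier(password, pw_salt)
    salts = {n: os.urandom(SALT_LEN) for n in values}
    leaves = {n: leaf_hash(n, values[n], salts[n]) for n in values}
    return {"values": values, "salts": salts, "leaves": leaves,
            "checksum": checksum(leaves)}


def present(credential, disclose):
    """Subject side: reveal chosen attributes with their salts, and only the
    leaf hashes of everything else."""
    disclosed = {n: (credential["values"][n], credential["salts"][n]) for n in disclose}
    omitted = {n: h for n, h in credential["leaves"].items() if n not in disclose}
    return {"disclosed": disclosed, "omitted": omitted}


def verify(presentation, signed_checksum):
    """Verifier side: recompute the checksum and compare with the signed one."""
    leaves = {n: leaf_hash(n, v, s) for n, (v, s) in presentation["disclosed"].items()}
    for name, leaf in presentation["omitted"].items():
        if name in leaves:
            return False  # an attribute cannot be both disclosed and omitted
        leaves[name] = leaf
    return hmac.compare_digest(checksum(leaves), signed_checksum)


def verify_password(presentation, signed_checksum, password):
    """Second factor: check the submitted password against pw_verifier, which
    must be disclosed in this presentation and therefore bound by the checksum."""
    if not verify(presentation, signed_checksum):
        return False
    if "pw_verifier" not in presentation["disclosed"]:
        return False
    stored, _salt = presentation["disclosed"]["pw_verifier"]
    pw_salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(password_verifier(password, pw_salt), digest)


def demo():
    cred = issue(SAMPLE_ATTRIBUTES, SAMPLE_PASSWORD)
    # An account opening that only requires name and date of birth.
    honest = present(cred, ["name", "date_of_birth"])
    ok_honest = verify(honest, cred["checksum"])
    # A disclosed value altered after issuance no longer matches the checksum.
    forged = present(cred, ["name", "date_of_birth"])
    forged["disclosed"]["name"] = (b"Mallory Example", forged["disclosed"]["name"][1])
    ok_forged = verify(forged, cred["checksum"])
    # Selective presentation of the password factor alongside the name.
    with_pw = present(cred, ["name", "pw_verifier"])
    ok_pw = verify_password(with_pw, cred["checksum"], SAMPLE_PASSWORD)
    bad_pw = verify_password(with_pw, cred["checksum"], "wrong password")
    return ok_honest, ok_forged, ok_pw, bad_pw


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The verifier never sees the omitted values or their salts, only their leaf hashes, which is what lets the same signed checksum serve presentations with different attribute subsets; the salts are what keep a leaf hash from revealing a low-entropy attribute such as a date of birth.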
Special privacy features
The use of a facial image for identification should raise privacy concerns. But rich credentials eliminate the main privacy risk associated with facial recognition technology by storing the facial image in the credential rather than in a database where it would be vulnerable to security breaches. Selective presentation further protects the facial image by making it possible to only present it to verifiers that are trusted by the subject and require facial identification for a good reason.
Protection of the facial image is a special privacy feature of rich credentials. Selective disclosure is another special feature, which supports the implementation of the important privacy principle of data minimization.
Credential issuance
In the above-mentioned blog post on application fraud we discussed the issuance of rich credentials and proposed to split the task of issuing a credential between a financial Certificate Authority (CA) and a financial Registration Authority (RA), using traditional concepts of the cryptographic literature.
In the long term we envision an ecosystem with multiple financial CAs and RAs, where rich credentials would be used for remote identification at many financial institutions. Each financial institution would trust the credentials issued by some set of financial CAs (just as web browsers such as Firefox and Chrome each trust the TLS certificates issued by some set of TLS CAs) and each financial CA would outsource registration to one or more RAs. Companies that are trusted by the financial industry and have expertise in fraud prevention, such as FICO or Experian, would play the role of financial CAs, while companies that have a large physical presence and provide notary services, such as The UPS Store, would play the role of financial RAs.
In the short term, while the coronavirus pandemic still requires social distancing, one or more leading banks could pioneer the use of rich credentials by issuing them to their own customers. Rich credentials issued by one bank could be trusted by financial institutions such as mortgage lenders, robo-advisors, insurance companies, credit unions, and other banks. Such credentials would provide an important benefit to the bank’s customers, and would help shorten the duration of the pandemic by bending the curve of new cases.