Biometrics, Big Data, and Tossing the Password
Digital identity is the black hole of the internet. Our online lives simply aren’t protected by a system without strong authentication. Killing the password is Mission One for security professionals because passwords are so readily stolen through phishing attacks and malware. Users, warned to make passwords complex and unique, have no hope of remembering them. And a password is only one factor of secure authentication. Biometrics and data, when used in combination, can relieve password fatigue and, for the relying party, increase security substantially, bringing some light to that dark place on the internet.
We talk with MasterCard’s biometrics and authentication leader, Bob Reany, about where biometrics work and the intersection of device-based tools with what the cloud provides through Big Data, particularly device profiling and behavioral analytics. Your fingerprint’s not just for unlocking the phone anymore.
George: Welcome to Payments on Fire a podcast by Glenbrook Partners. I’m George Peabody, a partner with Glenbrook, and today it’s my pleasure to have Bob Reany, who is the EVP of Identity Solutions at MasterCard. Welcome, Bob. Good to have you here.
Bob: Thanks, George. I appreciate it.
George: I think Bob’s got one of the coolest jobs out there. He’s wrestling and corralling, piloting and working with largely biometrics on behalf of MasterCard. As I look at this area of authentication, we are all in need of trying to kill the password as quickly as possible, and biometrics is clearly one of the leaders in methods, and there are so many options today. Bob, why don’t we start with maybe just a few minutes of your viewpoint on the problem of authentication, and what you’re seeing in the space, just generally, in terms of this shift from what we know about using passwords and this future of authentication going forward?
Bob: It’s interesting, and I actually love this problem, because everybody you identify with, every person you talk to, you say “Do you hate passwords? Raise your hand”, and the whole audience just jumps up and down.
George: I’ll bet.
Bob: So, what we’re trying to do is establish trust again, because we’ve lost some of that in the card present business. When you walk into a retailer with your card, you know what to do. The merchant gets the information they need, the issuer gets the cryptographic stuff in those chips and all that great stuff, and we see fantastic results – very low fraud in the chip environment and great results, generally high approval rates. In a digital world, trust is broken. We don’t know how to trust each other, and we see much bigger impact on things like approval and much higher fraud. It’s a great problem to work on. Establishing trust has to be getting away from things that represent a consumer. In the past, we had a card that we mailed to your house; well that’s pretty clear that you went to the bank, you showed your driver’s license, and they took your secret information, they mailed something to your house, and then you produced that card, and that card was something you have, and that was great for authentication because we could count on that to be worth something as far as identifying the consumer. In the digital space, we don’t have any of that. You could go buy your PC from Dell, you could go buy your Apple phone on eBay if you want. There’s no chain of trust there, so that’s really the actual problem. Biometrics is one of the parts of the answer. And if you look at pure authentication technology, you want to have something you have, something you are, and something you know. For us, something you know was very broken; it doesn’t scale. If you just had one password, you would remember it and use it.
George: And that’s what most of us do.
Bob: Unfortunately, you need to have 50 or 60 strong passwords, and that’s just beyond the human capability to remember and track and all that. Then you get into all this broken into passwords, which we don’t need to go over, because I think everybody intuitively knows it. Biometrics is something you don’t have to remember. Also, it’s not a proxy for you, it’s not a card, and it’s not a phone. It is really you, and then you get to have the rights and privileges that you’re entitled to, because we can identify the consumer; we’ve gotten to that last mile. That’s the strategy behind biometrics, and it’s just really about establishing trust in a way that consumers can manage.
George: One of the challenges with all of the problems of identity is the identity proofing step. It’s connecting the biometric to the device that works for the relying party. I don’t want to get into a long discussion about having to present your driver’s license or passport online. What are you seeing? How are relying parties thinking about that connection between a physical device, a biometric to maybe unlock it, and the existing account that employs?
Bob: There’s a lot there, and that’s really a question I can answer for the half hour that we have. But I would say that, if you want to break it down, to get someone to enroll or register to a program, especially in the digital space, becomes largely an issue where there are 2 things you can do. You can be a chain of trust going “You know what, in India there’s the UID project, and there’s fingerprint on file, etc.” I can go to that source, and that’s as reliable as anything, and I can establish a chain of trust, and then I can provision credentials, and then I could store them in a secure element. I can do all the great things, once I get that. So that’s one way to get trust and get the right person, it’s really through some reliable source, typically a government service. Unfortunately, there are not a lot of those around in the digital space, and they’re really hard to do, so we’re not going to be able to count on them. The other way is what I would call a learned identity; meaning brute force, big data, lots and lots of information that’s pre-existed, reaching out to the mobile network operators and getting your phone information, and being able to ping that, getting an account, an address, and going back to the social network and seeing if I’ve got four identities online that have pre-existed for three years, and then looking at your PAN information, blah, blah, blah, blah, blah. Lots and lots of big data coming together to say, you know, it’s just beyond anybody’s will to socially engineer this identity, and I’ve cross correlated it so many different ways that I can do, and again, that’s hard to do because the data available is different in every market, but those are your 2 choices, and I’m going to use them both because when a routed source is available, let’s take it. When it’s not, let’s use our data capabilities to help identify a consumer for our banks.
George: That’s great. Love that you brought that here about this application of big data, the data resources that are out there for the onboarding step. We’ll get back to that as we think about different layers of authentication and how you balance the use of a biometric signal versus the behavioral analytics that can be driven by big data. Once an issuer, or a relying party of any kind, deploys a biometric, what is the role of behavioral analytics, of big data at a transaction level?
Bob: Well at a transaction level, you can’t do all the things that I just described.
George: It takes too much time, too much cost.
Bob: Right. It would be very expensive and nobody would like it. So what you do at a transaction level, is you’re going to create a, really kind of a digital identity based off of a few things, like the biometric template match, you’ve got that, you’ve got some type of device identification – now that’s going to vary by device, et cetera, et cetera – but that’s something you have, not something you are, and then you back it up with reference data like geolocation is really predicted, we’ve got that, and then you put all the behavioral analytics that MasterCard has built through their networks over the years. You have those layers to support the decisioning, and it turns out to be very, very strong if you put all that together. Think about where you were just a few years ago when you were buying something on a PC that you couldn’t have been identified on the internet with an HTML, a browser session that you couldn’t tell anything about, and then go to those 4 things that I just said. It’s a sea change as far as our capability of identifying somebody. The great thing about it, it’s safe and it’s simple. It’s simple for the consumer because they don’t have to do much in that scenario that I just said. You would hold up your phone, you would blink, that would capture the image, and all those other layers would either pre-exist or are done in the background, so the consumer isn’t bothered by any of it.
George: Biometrics has really solved that convenience problem, that convenience or the friction, if you will, for authentication.
George: I also know that there are a certain set of population that’s always been pretty leery with the idea of giving up, as they see it, their attributes about their physical being and are concerned about them being stored online. What kind of uptake are you seeing? Is that concern falling away? How does it vary by market?
Bob: Well I can’t speak to every market. I do think that you’re going to see geographic and demographic preferences in this. I would say, largely, the response that we’ve gotten from our identity check product, which does the selfie as one of the options, we actually have more than that as options, but the selfie is the one that everyone kind of gets turned on about, has just been phenomenal.
George: It’s a muscle everybody has these days.
Bob: I guess. I joke about the Kim Kardashian references, but I’ve seen them, where they’ve said Kim Kardashian could buy something because she likes selfies so much. It’s a pop-culture thing, but it is convenient, and consumers know how to do it. But anyway, back to answering your question, the different biometrics are: we believe in consumer choice, and we believe in having our identity check application, for example, it allows for fingerprints, we could do voice, if we found that to be interesting in payments. We can plug in other modalities, we do facial recognition, and I’m looking at other things, because people are different, situations are different, and we want to be able to take many different ways to do it. As far as storage goes, which you also mentioned, and that being a concern, we’re working with FIDO, we’ve been a real leader with Fast Identity Online, which is an industry consortium, and we’re pushing very hard to have most of this biometrics stuff matched on the edge of the network, meaning the phone, for example. There is no big database full of great stuff for bad guys to go target, because it’s distributed all over the world, and it really breaks your business model badly because to hack one phone and go through all that trouble to only get one account, but then again, you probably couldn’t use it very long because of the behavioral analytics and geolocations and all the other layers.
George: And never mind the fact that you all have deployed payment tokens, which are bound to the device. It’s a better world we’re headed into.
Bob: It is. It’s going to be a lot better, and you really want to make it so it’s just bad for the bad guys’ business model. It’s not good for them to distribute the data, and then put layers on top of it; that’s exactly what our strategy is. I think consumers feel safer when we tell them that.
George: One of the challenges for issuers is really as enterprises who have different silos of products beyond card alone, it has the idea of a single authentication platform. How does identity check play into online mobile banking authentication that’s outside of payments? How do you wrestle with that? If you were running security or identity for one of your big customers, what would you do?
Bob: Well, that’s interesting. I’m smiling because you kind of called me out on something I learned. Our real goal when we first got into biometrics, about 3 years ago, was to make the payments process better because it was so broken and there were huge inefficiencies in it. That was, you know, let’s fix the problem, naturally. When we developed it, we learned about it, we got it smooth, we did a lot in this area, when we took it to our banks, they said, “Great, Bob, we love this, but I want to use it for other things. I want to use it for my financial wellness application, I want to use it for my mobile banking logon, et cetera, et cetera”. Quickly, because nothing like hearing what your customers really want, we added a second phase onto the project, where we developed an SDK API version of it. So instead of just coming out with an app that just fixed the old 3-D Secure experience, which again was phase 1, we had to listen to our customers and say we want to access this many different ways, and it’s well beyond payments. To a retail bank, a consumer is a person, is their customer. So if they want to make a payment, that’s great, they’re happy about that, but also if they want to do a bill pay, if they want to do a funds transfer, if they want to do a report on their financial wellness, if they want to track their savings, they want to service their customers. So, from their perspective, digital identity is not a payments issue, it is a retail banking issue.
George: Are you hearing that there are different steps that they want to take? How does risk vary based on the transaction context? Are you seeing the use of: in this case I’m going to use a simple selfie or a fingerprint unlock, and in this case I’ll do those two plus I’m going to pour on the steam from the big data point of view, or I just want to have a higher level, let me use an iris scan or an eye scan of some kind that I have greater trust in? What are you seeing in terms of that kind of thinking?
Bob: It kind of is inverted. So what we’re seeing is the data side of it, the analytics, the geolocation, and the device identification is always, always, always used. If it’s a $4 transaction, and the man or woman always makes a $4 transaction, that’s probably enough, you don’t really need to do anything else. Now, if you can grab the fact that the phone was opened or the device was opened with a password or a biometric, that’s icing on the cake. Analytics are first, because it’s completely frictionless, and then the biometrics comes into play. We want all of our biometrics to have the same type of characteristics; we’re not going to offer a biometric that is super weak and say that you can use it. There’s NIST standards out there as far as how they should behave, as far as their false reject and false accept rates, so we’re only going to deal with biometrics that fall within the industry recognized standard for that, and then we’re going to allow choices to be made. I haven’t seen people ask for 2 biometrics yet because if you look at the layers we just described – analytics, the device ID, the geolocation – and then a biometric on top of it, you really find that it’s so much more secure than anything else we had forever, that we haven’t had to go on that extra step. We can ask for more than 1 biometric, and I’ve seen it in certain nonpayment applications, such as: proof of life for social distribution of benefits, a completely different application, but we are involved in that as well.
George: I can imagine treasury, having the CFO log-in is going to require it in order to do a 50 million dollar transfer; the stakes get higher.
Bob: Yes you can, and you can do one-time passwords on top, you can just layer and layer. The most important thing is to have the layers there, and then let the banks manage whoever’s using this application. Manage their own security policy based off their risk profile. MasterCard does not know what each individual portfolio is going to be optimized by a security profile, so it’s very important for us to give the banks, or whoever is using our applications, some type of flexibility, so they can tune it to their needs.
George: So we’ll step away for just a second from our conversation with Bob Reany, just to remind you of a couple of things. First, that Glenbrook is indeed a payment strategy consultancy, so if payments is important to you and your role in the payments ecosystem, by all means, reach out to any of us. You can find us at Glenbrook.com on our website, or just reach out to me at George@glenbrook.com. We’d be glad to talk to you about what you have in mind. We also want to remind you of our upcoming public boot camps. Glenbrook is a leader in payments education, and we continue with some of our public offerings coming up in the fall, so look to October 11th and 12th in Palo Alto for our payments boot camp for 2 days, followed by, on the 13th, data and payments in the Insight Workshop. We have many people stay for that third day, but others come in just for the single day, for the insight workshops. Then we’ll be moving the next week, back to New York for a 2 day boot camp, October 18th and 19th, followed by the B2B Payments Insight Workshop on the 20th. Finally, back on the West Coast in December, the 6th and 7th with the 2 day boot camp in Palo Alto again, followed by a 1 day Insight Workshop on Innovation in Payments. So check your calendar, or reach out to us if any of these topics are of interest to you or inside your own organization. Ok, let’s get back to our conversation with Bob Reany.
George: So, we’ve talked about layers of biometrics and layers of authentication – signals coming in, but you also mentioned you’re members of FIDO, which the FIDO Alliance is a group that’s come together to try to rationalize the reporting of biometric signals so that relying parties have an easier way of making decisions, and certainly, deploying biometrics at the edge. That’s one platform, then there’s the Apple ecosystem, which is unique itself, and you’ve got platform providers like Google, with its Project Abacus which is really about taking a lot of behavioral data that’s coming off this phone itself to develop a profile if you will, and they’re even talking about developing a trust score based on behavior. What can you do to help an issuer rationalize, or a relying party that you’re working with, make sense of this stuff? There are multiple platforms and it gets tough.
Bob: Well, it really does point out a need for a couple things from a network perspective to make sure that A) our consumers are safe, our consumers can transact, and that our banks have access to the tools that we have available without having to make all those investments on their own. A couple things that we do: we’re active in driving these standards, both at EMVCo and at FIDO, so we’re in there slugging and we’re representing the banks and the merchants saying “we need these things”. FIDO originally, and again, this is just a process, they originally were more focused on identifying the parts in the chain than the actual quality of the biometric, which is an interesting thing. When you’re in banking or you’re in the merchant sales business, you better make sure the quality of the biometric is good. We push for those kinds of things, and we try to represent at both EMVCo and FIDO to make them happen. We also have certification programs for some of the stuff, we have a way to certify whether a device, for example, a fingerprint on a device meets the standards that can be trusted by the ecosystem. We do have a role in certification. From a data standpoint, we’re sitting in a pretty unique position to understand how all this stuff works. If a device is doing well and the scores turn out to be probabilistic or are meaningful or predictive (which was the word I was reaching for), then we can incorporate them in the data we give to the people in the payments ecosystem. We’re not exclusive, we’re not like “hey, it’s got to be our way”, but there has to be some kind of entity at the top, rationalizing all this stuff that the consumers are choosing.
That’s what we think our role is and we’re doing that through standards development, through certification, and then through actually just modeling and looking at the data we’re getting and then try to make it in a way that can be consumed by the people in the ecosystem; meaning we’re going to produce scores, we’re going to have thresholds, we’re going to help people understand what they’re seeing, and if we see something that’s ugly, we’ll also help them understand that and help them blacklist and shut those things down. It’s a big role, and as you said earlier, it’s a very dynamic role. Every day I read something else, and it is like “oh my god, we’ve got to deal with that now?”
George: You must live in fear of every new developer’s conference coming from Apple or Google.
Bob: I do, but you know, they’re good for consumers and this is a big problem, and we have to change. We’ve got to get off of passwords, and we’ve got to get it where consumers feel safe to transact online because they need that. And so, it’s a big job, but that’s the path we’re going down. We want to change the industry. I know that sounds crazy, but we want to change the industry; we want to make it safe for consumers, and we want to make it simple for them.
George: Identity is sort of the black hole of the internet at this point, or it’s certainly the big hole in the internet and so it’s great to have this set of tools. You all are putting your arms around a pretty big problem. I referred to it earlier about your concerns about giving up your biometric, and I think that connects more to this general concern about privacy on the internet. What do you do from a messaging point to talk about privacy or to try to allay the consumer’s or the account holder’s concerns about the use of this data?
Bob: Well, I mean, we have a lot of information available about our data security and privacy policies, and everything, mostly, is available through the terms and conditions when a consumer opts into these programs.
George: Yeah, we all spend a lot of time reading those things.
Bob: We do a lot of media outreach. We talk very specifically about these issues with issuers and merchants who have more of a direct consumer contact, but to be honest with you, we’re doing the right things so that it can be explained if a query does come. Do we want to store this stuff centrally? No. We’re pushing to have it done on the edge. Do we want to keep it personally identifiable? No, we don’t actually need to know the personal identifier. We can create a digital ID that is anonymized and all that to kind of protect people. Do we want to store a template, a photograph, or a fingerprint image? No, we don’t want to do that; we don’t need to do that. We can use it, we can create an algorithm that scores it, creates values, and all the math that happens after that point doesn’t require the original image, so you really aren’t giving up your fingerprint or your face. That’s destroyed, and we’re actually now into the realm of advanced mathematics. That’s how we want to do it; we want to do the right thing. We are MasterCard and we take this stuff super seriously. Reputational damage and all that, we can’t afford to be lackadaisical about it. It’s table stakes for us.
George: Lot of education, lot of concepts that are difficult for folks to understand.
Bob: Yeah, it is hard. I’ve had a lot of help with trying to get it simplified, but to say we don’t keep it, people do understand that and we try to make sure that you have control over your data, people understand that. So those are some key messages that are probably – there’s a lot behind those messages that we’re trying to get across.
George: We can keep going forever in this conversation, but I am curious, you mentioned merchants as one of the stakeholders, and we’ve certainly seen over the last 6 months a number of announcements about merchants developing their own apps, and that’s really accelerated where we were 3 or 4 years ago – it wasn’t so easy to build a payment enabled app. Now there are lots of folks who have that capability. Are you working directly with merchants or are you working through outfits, like acquirers who are offering these tools?
Bob: We’re working through, I mean MasterCard has a whole channel strategy, we do have people that manage through acquirers, we have direct relationships with what I would characterize as the larger merchants, and we have, I think you’re seeing with our Masterpass product, the wallet that is obviously a tool that merchants can choose to integrate to help them to settle payments, as well as API and SDK strategies around all of our tools. I think you’re going to see that more and more where we’re providing capabilities to connect and use tools, as opposed to just being the frontend, where you’re going to see MasterCard plastered all over every single wallet or whatever.
George: We’ve been saying at Glenbrook for a long time how the payment is simply becoming an embedded process and less and less explicit.
Bob: You can see where that SDK strategy, though, where I talked about it earlier, now that we have our Masterpass product and our identity check product, it lends itself to a whole toolset for merchants, and that’s what I was alluding to.
George: Yeah, that’s great. Well, thank you very much. It was an interesting conversation. We really appreciate it, Bob. Best wishes as you continue to corral all these events that are happening out there in the industry, and all these new tools, you must be like a kid in a candy store with all the new tools you’re collecting.
Bob: You know, I’ll tell you that I feel very lucky to have such an exciting problem to work on. The industry is collaborating a lot on this, FIDO and EMVCo, we’re all trying to fix it, and yeah, that’s just a really dynamic space and let’s touch base again in 6 months and see how it changes. We haven’t even talked about wearables and persistent authentication and all kinds of good stuff for other topics.
George: Good, I’ll look forward to that. Let me just close with this question. Where do you think we’ll be in 5 years?
Bob: I think there are 2 big trends that will really manifest themselves: it’s going to be much simpler and it’s going to be much safer because, first of all, with wearables in the internet of things, frictionless authentication is going to win. Then we don’t need dedicated authentication devices anymore. We’re going to have multi-purpose devices. The phone is the first one, but this watch will be the second one, and your car will be the third one, so your personal network around you will help validate who you are through understanding all these things you have. So the internet of things will make it easier because we can frictionlessly figure out who you are based off of your personal cloud, more or less, and then the wearables, the things that you already do in your life, will perform persistent authentication, meaning I don’t have to provide anything at the time of transaction, because I put my watch on at the beginning of the day, and it’s still on and it knows who I am, and therefore, my life is easier. So I do think the idea of persistent authentication will become a good thing because anytime you give a choice to a consumer about having to cross a barrier to do something or do nothing and still have the same good result, they’re going to take the do nothing path. We’re going to do that for them; we’re going to work for frictionless authentication.
George: Cool. Well, thanks again; great conversation. I look forward to that next call in 6 months.
Bob: Alright. Thanks, George. Bye.