We all know that the user ID/password model is antiquated. Everyone from consumers, to service providers, to merchants, to identerati (those that live and breathe identity all day) complain about passwords and the need to eradicate them from the world.
Access to online services needs to scale -- without requiring new credentials each time someone wants to use a new service or site. We’ve seen this model before, and interact with it every day. The payment cards model offers hope for a more efficient identity future. Let’s take a closer look.
Imagine if you needed a different credit card for each merchant you visited. You probably wouldn’t visit many and there would be almost zero utility to each card. The payments card industry realized this and created an ecosystem built on interoperability and standards, with a few different stakeholders:
Financial institutions. These stakeholders back the card issuers by providing the actual funds and that fuel the payment system because they ensure merchants are paid. They also invest heavily in ensuring data privacy and securing accessibility to funds.
Card issuers. These are trusted brands with which consumers share their financial information and agree to pay on the terms of the service agreement. Merchants trust them because they know they will be paid. These are high-value accounts that consumers keep protected and trust that the bank will too.
Payment cards (credit and debit). The payment card numbers provide enough detail that the account is legitimate and valid. They are built on standards that ensure interoperability between banks, merchants, and consumers. They are also easy for consumers to use and trusted by merchants.
Merchants. Online or brick-and-mortar, most merchants accept credit or debit card payments.
Consumers. People just want to buy what they want to buy, and payment cards offer a vehicle. Consumers keep these protected, yet can use them nearly anywhere.
With that basic model, let’s look at how it can be applied to identity and stakeholders:
Financial institutions/identity issuers. Consumers already have deep relationships with financial institutions they trust, and these organizations already invest heavily in security and privacy. It would be a logical extension for them to serve a role in an identity model of the future. After all, identity and payment information are each high-value, personal, and necessary to transact business. Consumers have choices of who they want to engage with, just like their banking decisions. Great for users, and great for providers -- brand extension, sticky service, new revenue streams.
Mobile devices. Like the credit cards that people carry everywhere, mobile devices rarely leave someone’s side. They are the personal devices people rely on most -- especially in an increasingly mobile and connected world. By anchoring consumer IDs in the device, passwords can be eradicated while still providing the proof of identity when needed to access the online services people want or need. This can happen without mobile operator support, but there is new revenue if they get behind it.
Merchants. Applying this model of identity, like credit/debit cards, merchants get out of the business of credential issuance and into the role of credential acceptance. The mobile device ID provides the proof of identity, like a credit/debit card, and authenticates the transaction. In payments, merchants want good funds without regard for card issuer. There is more scale for them if they go this way for identity and authentication.
Consumers. Like credit cards, consumers simply want identity to work. Consumers choose which of their devices to trust (and how to authenticate one) and which identity issuer to trust. Now, consumer ID can be anchored in devices that consumers trust (and protect), and can be used to engage with the merchants and brands they want -- without having to create new unique credentials at each merchant.
As an industry, we need look to payment networks as the future of identity. This approach will make it easier and more convenient for users to be secure -- and harder for hackers to get the identity jewels. It also would make it easy for everyday people (and harder for the bad guys). It’s a model that is already built on trust with credit card providers and security with financial institutions. It’s what we can emulate in today’s mobile world where devices are always with people to serve as their personal identity keys.