Who are you? Not just content to be a great song lyric from The Who, it’s a question we get asked literally every day. We’re challenged to provide passwords or biometric identifiers to prove we are a person that has the right to log in to our phone or our email application. But what about proving who you are to an online service? How do you know that I’m Tom Hollingsworth and not John Doe of 123 Anywhere Dr. in Iowa? Better yet, how can you prove that I’m really not Miley Cyrus? Or the president?
Identity verification is a huge business online. There are a number of services that collect data on users and use it as a way to validate their identity. One of the largest of these is Equifax. If that name gives you pause, it’s probably for two reasons. The first is that they are one of the largest credit monitoring and reporting companies around. That fact is one of the reasons why they’re a huge identity verification system. The second reason that name gives you pause, and likely why Equifax is no longer a trusted name in identity verification, is because of a huge breach in September 2017. It cost the company billions of dollars in settlements and lost income from people freezing their credit and avoiding the use of a company that allowed their identity data to leak to nefarious actors.
Having all the data about someone means that you can easily verify who they are. But you also run the risk of that data getting out into the wild if someone were to breach your organization. Worse yet, you have to pay a premium to those companies to access that data. They build their business on selling access to companies to verify that users are who they say they are. And by relying on that third party you also have to trust that their data is valid and up-to-date. Who knows how often they update their databases? Or how likely it is that they catch new addresses or other identifying characteristics that can be used to confirm who people are?
With the democratization and deconstruction that has been going on across technology for the better part of the last decade, we have been searching for better ways to leverage first-party sources for things. We shouldn’t need to pay a third party for access to data that they got from someone else. Why can’t we go directly to the source? Instead of a new online service asking Equifax to verify my identity, couldn’t they just ask the sources that Equifax would have asked anyway? This is especially important when you consider that this transaction may only occur once or twice a year.
Identifying Peer Potential
I had a chance to sit down and talk to a company recently that is trying to turn the identity equation on its head. Identiq is a company that is building a network of identity validation. But they aren’t amassing the data like companies such as Equifax do. Instead, they are using individual companies to validate that identity data. Essentially, they’re building a peer-to-peer network of validation. What could be more democratic than that?
Companies already have data on you that they trust. Usage patterns, login attempts, and even identifying information like birthday and credit card info can all be used to ensure that a person claiming to be Tom Hollingsworth is the actual Tom Hollingsworth. But that data is a closely guarded secret. Netflix doesn’t want my viewing history to get out into the wild, both because they use that for their algorithms but also because I would be seriously upset if people learned how much I loved bad sci-fi movies. But that data could be useful to prove that I’m the real Tom and not just some Internet robot. I just have to know how to ask the right questions securely.
The method that Identiq has come up with is actually pretty ingenious. As I listened to Shmuli Goldberg, CMO, describe the technical math behind what they’re doing with the platform, I realized that I’d heard this description before. It turns out that they are using a version of Diffie-Hellman key exchange to power the exchange. For those that aren’t completely up to speed on DH key exchange, here are the basics:
- Two systems want to exchange keys
- They both pick a huge seed number based on an algorithm they both are configured to use. This isn’t a secret.
- The systems each pick a secret value they add to the seed value.
- They send the information to each other.
- When I receive the message, I add my number to the message and the other side does as well.
- If the values match on both sides we have secure communication.
The actual math is complicated and the linked article above has a great example, as does this StackExchange post. But the key is that Identiq can help foster identity validation between two services that don’t normally talk to each other. They can do this because the originator of a request can ask Identiq to validate a piece of information. Identiq can then ask a partner company for the validation and return the result. This is great for all sides because no one knows who initiated the request or who responded. Identiq deletes the keys and seed values for each exchange as they go along so they can’t reconstruct anything. It’s totally secure.
One of the other things in the briefing that I loved was that Identiq doesn’t just rely on positive validation questions. It’s easy to do your own analysis to start figuring things out about someone if all you ever ask are questions that are supposed to be positive. Does the user live here? Does the user have this card number? Does the user have this birthdate? Instead, Identiq can receive a validation request and ask it in a variety of ways to confirm identity without giving away specifics. Maybe you want to verify a card number. You can ask three different networks to verify the number with a missing digit or a transposed sequence. If the return of the number is invalid, you know that your purposely created negative is correct. Likewise, you can then ask other companies to verify the actual number and be sure that the answers are correct. You can ask all kinds of interesting questions in this manner to get answers you know are correct or incorrect and verify identity without someone being able to build an accurate profile of who is asking the question or the person that is being asked about.
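The key exchange from the list above, written out with the modular exponentiation that the word "add" stands in for, followed by a DH-style blinded comparison that also runs a deliberately wrong (decoy) question. This is an added example, not code from Identiq or from the original post: the page does not publish Identiq's protocol, so `values_match`, the demo-sized prime and the card number are assumptions made for illustration.

```python
import hashlib
import secrets

# Demo-only public parameters (the list's non-secret "seed"). 2**255 - 19 is a
# well-known prime, used here for brevity; it is NOT a vetted DH group.
P = 2**255 - 19
G = 2

def keypair():
    """Pick a private exponent and derive the public value g^priv mod p."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]
    return priv, pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    """Combine my secret with the peer's public value: (g^b)^a mod p."""
    if not 1 < their_pub < P - 1:                # reject 0, 1 and p-1
        raise ValueError("peer public value out of range")
    return pow(their_pub, my_priv, P)

def blind(value, priv):
    """Hash a data item into the group and raise it to a private exponent."""
    h = int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % P
    return pow(h, priv, P)

def values_match(asker_value, holder_value):
    """Hypothetical blinded comparison: each side sees only blinded numbers."""
    a, _ = keypair()                             # asker's one-time secret
    b, _ = keypair()                             # holder's one-time secret
    from_asker = blind(asker_value, a)           # asker -> holder: H(x)^a
    from_holder = blind(holder_value, b)         # holder -> asker: H(y)^b
    # Exponentiation commutes, so H(x)^(ab) equals H(y)^(ba) when x == y and,
    # except with negligible probability, only then.
    return pow(from_asker, b, P) == pow(from_holder, a, P)

def demo():
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    agreed = shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub)
    card = "4000123412341234"                    # constructed sample value
    real = values_match(card, card)              # genuine question
    decoy = values_match("4000123412342134", card)  # transposed digits
    return agreed, real, decoy

if __name__ == "__main__":
    print(demo())
```

A real deployment would use a standardized group or elliptic curve and hash into a prime-order subgroup; the small modulus here only keeps the arithmetic readable.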
Bringing It All Together
Identiq is solving a problem I think needs to be dealt with. I don’t like huge companies having a stranglehold on my data to then be used to sell it off to other companies to validate who I am. Especially if those companies can’t keep their house in order. Instead, the idea of making peers validate each other is a much better solution in my mind. The companies already have the data. And because Identiq can act as a neutral party that facilitates communications only, they can help companies avoid the need to build relationships or pay licensing fees to other companies. I would rather foster communications between companies and build a trusted network over keeping my data insecure in a large database with Equifax.