He took the physical aspect a bit further in citing the use of an electrocardiogram (ECG), heartbeat or BioStamp that can turn a user’s heartbeat into a unique differentiator that authenticates his or her digital identity. Whichever system or service a person uses could gain real-time access to their vital signs in order to verify the user throughout the entirety of a session or transaction.
Zlockie said cognitive authentication is still in the research stages, but it collects multiple parameters to create a unique user profile. When a person is presented with a novel stimulus, like a familiar photograph or song, it measures his or her response using a variety of techniques like EEG, ECG, blood pressure volume, electrodermal response, eye trackers and pupillometry. Cognitive authentication would then validate the user by matching the response to pre-recorded metrics.
Looking further into the future, to truly devalue data the industry needs to consider a more comprehensive approach to identity authentication – a hub of identities, Breitenfeld said. This centralization of information would combine dynamic factors with PII to create a centralized “consumer identity.” Companies would then request authentication of that specific identity, rather than requesting, sharing and ultimately storing consumer PII. “This removes the burden from a company collecting and being responsible for consumer PII that is unnecessary to the transaction, and having to risk the potential of being hacked and dealing with the consequences,” he said.
Don’t credit card companies already block irregular purchases though?
Breitenfeld admits that is the case, but what he espouses is the consistency of identity elements being used to open an account. “At Experian, we analyze more than 3 million identity transactions (not solely financial) a day, and over time we can start to see if elements like names, addresses, SSNs and dates of birth are being used consistently or not,” he said. “For example, if we see that one specific person’s information is used at a relatively normal velocity and consistency, and we can verify their identity, that’s a low risk of fraudulent activity. If, however, we begin to see that person’s name with five different addresses and SSNs, or we’re seeing high velocity of any one of these elements, that’s a bad sign. Overall, we’re looking for the consistent use of identities; deconstructing them down to the element-level enables us to see if they’re being used to perpetrate fraud.”
Experian also uses device risk assessments, a combination of specific device attributes, habits and associated identity elements, to verify the identity of the person making a purchase or logging into an account. For example, geolocation (a device attribute) helps ensure that the person is conducting a transaction (making a purchase or logging in) from an expected and/or regular location.
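The element-level consistency and velocity check Breitenfeld describes can be sketched as follows. This is an added example, not Experian's code: the thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
MAX_LINKED = 3                  # distinct addresses or SSNs tolerated per name
MAX_PER_WINDOW = 4              # uses of one element value tolerated per window
WINDOW = timedelta(hours=24)

def assess(events):
    """Return {(element, value): [reasons]} for identity elements that look risky."""
    linked = defaultdict(lambda: defaultdict(set))  # name -> element -> values seen
    uses = defaultdict(list)                        # (element, value) -> timestamps
    for e in events:
        for field in ("address", "ssn"):
            linked[e["name"]][field].add(e[field])
        for field in ("name", "address", "ssn"):
            uses[(field, e[field])].append(e["ts"])
    flags = defaultdict(list)
    # Consistency: one name tied to many different addresses or SSNs.
    for name, fields in linked.items():
        for field, values in fields.items():
            if len(values) > MAX_LINKED:
                flags[("name", name)].append(f"inconsistent:{field}={len(values)}")
    # Velocity: any single element value used too often inside a sliding window.
    for key, stamps in uses.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_PER_WINDOW:
                flags[key].append("high_velocity")
                break
    return dict(flags)

def _ev(ts, name, address, ssn):
    return {"ts": datetime.fromisoformat(ts), "name": name, "address": address, "ssn": ssn}

# Constructed sample records (placeholder names and SSN tokens, not real data).
SAMPLE = (
    [_ev(f"2024-01-{d:02d}T10:00", "A. Sample", "1 Main St", "SSN-A") for d in (2, 9, 16)]
    + [_ev(f"2024-01-{2 * i + 1:02d}T12:00", "B. Example", f"{i} Elm St", f"SSN-B{i}") for i in range(5)]
    + [_ev(f"2024-01-20T09:{m:02d}", f"Applicant {m}", f"{m} Oak Ave", "SSN-C") for m in range(6)]
)

if __name__ == "__main__":
    for key, reasons in assess(SAMPLE).items():
        print(key, reasons)
```

On the sample, the consistently used identity is not flagged, the name seen with five addresses and SSNs is flagged as inconsistent, and the SSN token reused by six applicants within minutes is flagged for velocity.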