Author | Source
Severin Renold
Weissknight Corporate Finance
Severin Renold
Weissknight Corporate Finance
Cyber Security – Digital Identity & MFA
Proving one’s identity is clearly critical to participation in societal, political, economic, even cultural life. Trust is a precious commodity earned over time and challenging to build between consumers and businesses in an online world. This requires businesses to apply the right tools and relevant information to identify them. Unlike face-to-face encounters, digital interactions lack the visual cues that normally builds trust. As digital interactions seem anonymous businesses and consumers must find ways to establish mutual trust.
Digital commerce is expected to grow globally at 20% CAGR by 2022, reaching nearly $ 6 trillion in value and digital banking users (online and mobile) exceeded 2 billion in 2018 with an expected 11% CAGR (2019-2023), where mobile banking users are expected to be 58% of the global banked population in 2020. That means it is imperative that businesses build meaningful digital customer relationships based on trust. What does it take to build trust online? Practically speaking, it is about maximizing both security and convenience.
There are some important differences and similarities between authentication and digital identification, which need to be outlined to understand the markets.
Identity verification – Identification is the method to prove we are who we say we are. This is different from identity, which is a person’s unique group of characteristics. Identification is the method to authenticate identity.
Authentication – Authentication is the extension of the first identity verification in a user’s onboarding. Once the user’s identity has been verified, the user authenticates themselves to make the purchase, get the loan, or open an account.
A trusted digital identity is a set of verified attributes that provide an authenticated link between a person and their unique digital identity. These attributes can be biometrics, identification documents, or third-party verification procedures, among others. A trusted digital ID is usually created in three steps: capturing verified attributes, verifying the records, and digitizing the ID.
The World at a glance
Proving one’s identity is clearly critical to participation in societal, political, economic, even cultural life. Still, more than a billion people in low-income economies lack any formally recognized ID – either paper or electronic – negatively impacting underprivileged groups in Africa and Asia. A digital identity presents a life-changing solution opening up for access to retirement and unemployment benefits, education, healthcare, voting, and more.
Financial institutions
Digital ID could give access to financial services for 1.7 billion-plus world citizens who are presently financially excluded, according to the World Bank (2020). In contrast, millions of consumers open new accounts daily in the digitally connected parts of the World, with online stores, telecom, streaming services, ridesharing apps, and, naturally, banks.
Opening a bank account includes time-consuming and complex KYC (Know Your Customer) checks and repeated identity verification throughout the entire client life cycle. KYC help identify money launderers, tax fraud, and other criminal activities. With the entry of PSD2 and customer convenience demands, physical, face-to-face identity verification methods are no longer rational; they slow down onboarding, frustrate pressed-for-time customers, leave room for human error, and are hard to scale. Digital identity verification is the logical approach, accelerating the entire process, opening up access, and eliminating barriers like time, geography, and cost. Mobile banking users are expected to be 58% of the global banked population in 2020.
The covid-19 pandemic effect on online banking
The no-contact, quarantined pandemic has pushed a global shift towards digital transactions, speeding up trends already in place. Consumers firmly demand digital transactions, and banks and businesses must find ways to build trust in a Covid-stricken world.
(Deloitte Digital, October 2020)
State and government
Besides security for both nations and citizens, well-implemented digital ID programs can provide individuals and businesses with access to the entire set of governmental services. Creating a trust framework for digital ID is therefore high on every government’s to-do list. In many connected countries, like Sweden, Belgium, Estonia, Finland, and more, a national mobile digital ID, valid for both physical and digital realms, is already a reality for millions. Sweden stands out as it has raised the bar very high in digital identity verification and authentication. Most Swedes use their smartphone to identify themselves over the internet without ever having to show a physical ID. Instead, authentication is done with the trusted mobile identification solution Mobilt BankID, which today is the Swedish national standard for mobile and online digital identification with a 98% adoption rate and 8 million users. Mobilt BankID is also recognized by the Swedish government.
Commerce
In-app purchasing, person-to-person payments, and e-wallets result from consumers’ relentless demand for instant access to their money. This is why the most convenient and readily available device of them all – the smartphone – is the payment channel of choice. Sending money to friends and family, shopping, or doing day-to-day things like paying a bill inside various apps are examples of consumer behaviours taking off phenomenally. In doing this, today’s consumers also expect a seamless customer experience. So, for merchants, customer enrolment is all about the balance between security and customer experience.
A complex ID verification/authentication process will turn customers away. A well-designed digital identification/authentication method, on the other hand, allows businesses to doubtlessly know their customers while providing enhanced security, greater scalability, better user experience, and regulatory compliance. Moreover, digital ID verification boosts efficiency and lowers the costs of handling customer credentials.
The arena for digital identification has risen due to recent years’ demand for greater security and data privacy, in line with the growth of digital services Worldwide. The market is fragmented and diverse, and a clear definition of what constitutes a digital identity – which can be presented with a digital ID – is yet to be determined.
To evaluate the Identity Verification market, it’s necessary to add a dimension beyond the number and type of digital ID providers, and it’s the kind of authorizing source(s) the digital IDs use for identity proofing:
Multifactor authentication is recognized worldwide as the most secure method to on-board new customers to services that demand strong customer authentication (SCA). In addition, it assists in compliance with strict regulations such as the Anti-Money Laundering (AML) Directive and PSD2 in Europe.
Today countless vendors are claiming to offer multifactor authentication (MFA) solutions. However, they still have security flaws – primarily as they still depend on passwords or other authentication tokens.
What has been considered the most secure form of authentication is password-less. Password-less authentication emerged as a type of MFA that replaces the password with a safer alternative, like biometrics or PIN codes. This form of authentication requires two or more verification factors that are secured with a cryptographic key pair.
Besides the technological security solution, multifactor authentication tends to rely entirely on user experience as the main driver and primary competitive advantage.
The ease of online shopping, peer-to-peer money transfers, and seamless payment systems makes identity the new treasure trove when it comes to cybercrime. Cybercriminals hijack identities and grab credentials in numerous ways: skimming’s, phishing, malware, and significant, brute force data breaches, to name a few. As data is everywhere, the avalanche of digital services has created numerous customer touchpoints and a long tail of micro-moments that widens the attack surface, and where each one poses a possible entry point for an attacker. Cybercriminals know that businesses, in many cases, rely on weak passwords, SMS or email link confirmation, or One Time Passwords (OTP) to authenticate their users – all of which are very easy to crack, hack, and steal. Data that’s been stolen ends up on the dark web – a part of the deep web – a hidden part of the internet that is not indexed or accessible by search engines. The dark web is where cybercriminals buy and sell malware and cyberattack services, which they use to assault unsuspecting victims, businesses, governments, and individuals.
The FBI has estimated the size of the deep web at as much as 5,000 times larger than the “surface web,” and growing at an inconceivable rate. So, there is a considerable gap between the amount of data being produced today that needs security and the amount of data that is actually being secured, and this gap will broaden as a consequence of all things digital. Nearly 90 percent of all data created in the global data sphere will require some level of security by 2025 (Data age 2025: The evolution of data to life-critical, Seagate, March 2017). Once an identity is stolen, an impostor can pose as the actual customer, using their standing and track record to open new accounts, take loans, or use a person’s credit cards to make unauthorized transactions. More than 2 in 5 consumers worldwide have already experienced a fraudulent event online at some point in their lives, with the highest incidence occurring in the United States, closely followed by the UK and the lowest in the European, Middle East, and Africa region.
Another downside is that identity theft, and account takeovers are increasingly threatening businesses. Besides substantial financial losses on both sides, account takeovers, data leaks, and credit card fraud can tear banks’, public entities’, and merchants’ reputations apart. Many reports are stating multi-billion-dollar costs after an actual cyberattack and the gruesome costs for preventing them. In a widely cited estimate by The World Bank, institutions lose nearly three dollars once associated costs are added to the fraud loss itself for every dollar of fraud.
Estimated global losses from cybercrime are projected to hit just under a record $1 trillion for 2020 as the coronavirus pandemic provided new opportunities for hackers to target consumers and businesses (Center for Strategic and International Studies).
The digital-ID opportunity grows as costs drop, technology improves, and access to the internet and smartphones goes up. The digital infrastructure that supports digital ID grows in range and decreases in cost daily. As usernames and passwords are no longer secure, even forbidden for banks as a method of authentication according to PSD2 new security approaches are needed.
The market for Identity, Authentication and Fraud Solutions will reach 28 billion dollars by 2023 and identification will be an increasingly important component of that market. (BCG Research and analysis).
Market trends:
Drivers and opportunity: Increasing digitalization with initiatives, such as eID and intelligent infrastructure.
North America to hold the largest market size during the forecast period: North America is expected to contribute the highest market share in terms of revenues during the forecast period as it is a technologically advanced region with an increased number of early adopters and the presence of significant market players. Factors such as the development of government initiatives, like intelligent infrastructure, smart cities, digital identity-based driver’s license and increasing integration of various technologies, such as AI, ML, and blockchain, for securing digital identities are suspected of driving the demand for identity verification market.
Asia Pacific is expected to contribute to the fastest-growing region with the highest CAGR during the forecast period as it is getting equipped with the early adoption of new technologies. The government takes factors such as Initiatives towards tackling identity-related frauds, mainly for strengthening eKYC to verify identities, such as compliance regulations initiated by countries, increasing demand for cloud-based identity verification, and increasing identity-related cyber-attacks are driving the revenue growth in this region.
Conclusion:
Established identity solutions providers and startups alike are building capabilities and pursuing patents and acquisitions. In 2017, there were 226 identity deals funded via the private equity market, according to CB Insights, up from 123 in 2012. Yet even with all the investment and interest, the market still lacks a clear leader.
Below are three significant challenges to explain why this is the case:
The market presents a paradox. The startups that have promising technology often don’t have sufficient scale, while the established players that do have the necessary scale frequently don’t have the innovative technology. Either way, compelling advances in identity authentication aren’t utilized to their full potential.