We continue to build products allowing our customers to do more things online. While bringing convenience, it also raises the stakes of fraud, for our customers and our companies. The democratization of technology means that those intending to commit fraud can take advantage of some amazingly sophisticated tools. Consumers and governments have little trust in technology due to the questionable ethics of some of the biggest players in the industry.
Identity online continues to evolve; governments, businesses, the open source community, and grassroots organizations are all evolving how we validate, protect, and secure our identity. Whether your software is targeted towards businesses or consumers, if you are in a regulated vertical or a non-regulated one, or if you have customers in multiple countries or just one, how you ethically manage customer identity will be crucial to your product’s success (or existence).
Auto-generated transcript - may contain errors. Tap a timestamp to jump the video.
Yeah. I am Kim Goldsmith. I am the chief technology officer at Onfido based in London. As as as we said, said, we do we help people prove they are who they say they are on the Internet and we help companies avoid fraud when people are lying about who they who they are.
And I, as far as you know, I am the Kevin Goldsmith and I am the Chief Technology Officer. Well, where am I? But how do you know? Alright. She just read some stuff from my CV, but how do you know any of that is true?
Well, this is an industry conference. You can look me up on LinkedIn except there's forty Kevin Goldsmiths at least on LinkedIn. I'm not the only Chief Technology Officer that's on LinkedIn named Kevin Goldsmith. You could Google me. Okay. Well, that's a good way find out who who I am except I'm not the only Kevin Goldsmith in the UK, surprisingly, with a non British name like Kevin Goldsmith.
So alright. That's not necessarily any sort of proof. You could go to my Twitter and hey, look, I've been verified. Or you think I've been verified because I don't have my picture in my profile. And as a matter of fact, I don't do selfies or anything like that, so you could look through my Twitter and I don't know.
You wouldn't find me there, at least this version of me. Hey, guess what? There's a lot of Kevin Goldsmiths on Twitter as well. A lot of Kevin Goldsmiths on Twitter and a whole bunch of them are bots. So I am probably not a bot.
You can be tell because I'm walking around and speaking to you like a human, but if I was online and I was interacting with you online or I was on your site or interacting with your app, you wouldn't actually know. It wouldn't be easy to tell.
Well, you could Google image search and now, hey, there I am in the upper left hand corner there. But you just heard I worked at Spotify and hey, here's somebody else that's definitely not the person that's standing here that's listed under the Kevin Goldsmith of Spotify.
Well, what happened there? Well, what happened there is I photoshopped that person in. That's not even a real person. And if I was given and that's that's funny if you were doing Google image search, but if I was actually handing you pat my passport or a passport or showing you a picture of a passport, I could put that photo in and make it look pretty good and you wouldn't necessarily be able to tell.
This has become a significant problem with things like data breaches and just people sharing online. A lot of the data that you used to do is to verify somebody, that's all public now and it's very easy for someone to find that out, especially in the wake of the Equifax breach.
The Internet has identity problem. We actually it's a very serious one and it's getting worse. How do you know that the person on the other side of the browser, the person on the phone using your application interacting with your platform is the person they say they are?
And when should you care and when is it okay not to care. As I said, I was one of the hundred and forty three million Americans affected by the Equifax breach. And what that means is in the US, Equifax has your whole credit history.
So it knows where you've lived, it knows what bank accounts and phone numbers you've had. Those questions were used by lots of folks including the government. If you were trying to log in to some government websites, they would use those questions to validate your identity.
All my data is now public effectively so they can't use those questions anymore. They're too well known. Somebody else knows the answers to those and can pretend to be me. And this is also a serious problem because it leads to a massive amount of fraud.
Over seventeen million or almost seventeen million in twenty seventeen in the US, globally significantly higher. So this is a real problem. I'm going to talk about identity today and establishing identity, what is digital identity. We're going to talk about how you use it, how has it evolved, and we'll talk about when you have this data from your customers or the public, how do you protect it.
To start off with, do we mean when we talk about digital identity? This definition comes from the Internet Society. I like this, it's sort of digital identity is who you are and what you do. So it is the characteristics of you, it's my home address, it's my nationality, it's my hair color, it's my height, it's those things that are sort of uniquely me, but it's also the sites I visit, how I interact with things I bought on Amazon, those kinds of things as well, those combination of things.
And if you go with that definition, I will have multiple identities. So who Amazon thinks I am and who Netflix thinks I am are two different people effectively. This I just threw some off the top of my head a little bit, these are some of the ways we use in our when building applications to try and figure out who people are.
I put them sort of in how much certainty they give you over who a person is and how hard that data is to get, just to chart it out, but I think it's a little bit easier if we group it into four groups.
Those four groups are sort of an increasing level of certainty about who you are. So to start with is the one a lot of us use, so just simple IP address tracking, putting cookies. So I don't know who you are at all but I know I've seen you before.
That's really useful for doing things like analytics, ad targeting, because everything is used for ad targeting, things like that. But I have no idea who the person on the other side of the browser is. You move up to the next level. At the next level now, I've created an account on your site.
You still don't know who I am because I can tell you I have lots of accounts on lots of sites that they have no idea who I am or I've even given them false information if I don't think they need to know it.
But once I have that account like Facebook does this, have tracking pixels all over the web so they know everywhere I've been if I don't make if I'm not studious about logging out of Facebook constantly. So they'll track me, they know a little bit more about me, they're getting a good picture about me, but they don't really know who I am with this kind of information.
At the next level, this is where companies like mine come in on Photo. So this is where I've actually validated my identity in some way. So the I'll show you a little bit about how we do that, but it's I've gone into in some cases, I've gone into a physical environment.
I've gone to the post office or something. I've shown them an ID. Or it is I've done an online photo and selfie or spoken to a person online to actually validate I am who I say I am. Or it used to be this would be more valid, I've done that credit history question and answer piece.
The good part is now you know at least at some point that account has been tied to a real person, that person being me, but that doesn't mean I'm the person on your site right now. I could be anybody. I could have given my credentials to somebody else or they could have been stolen or I have a bot that's running for me.
I actually do that on some of my accounts on some sites. That's no guarantee that the person that you're talking to is me. The last is, that's where you know right now you're speaking directly to me or I'm the one interacting with your application.
The only way to do that is to also do that second level. When I authenticate on your site, we either do a second ID proofing step or we use something like when you log into your bank, you put the card in the card reader and you do your PIN and it gives you the code.
That means I have a physical thing that only I should have and then I have something that only I know which is my pin and that proves that I'm the one logging into your site. And the reason why banks do this is because of something called KYC, know your customer, because they deal in finance, there's financial regulations that they need to know, they need you to prove that you are who you say you are if you're going be dealing with somebody's money.
So that's the highest level. There's another area that we're just starting to get into, there's nobody doing this yet but there's a lot of folks thinking about it, is continuous authentication. For example, right now I'm walking around, I've got my Fitbit on, if I have my phone in my pocket, my phone knows my gait, knows how I'm walking or how I'm waving my hands.
I actually don't do this normally but I do it enough that you could actually say well that's how Kevin walks and so I know right now that I'm interacting with Kevin because of his gait or things like that, these separate biometric things or my pulse or things like that.
My body temperature. So I like this definition. This comes from McKinsey. This is a definition of good digital identity. Right? So do you have that earlier definition from the Internet side that's very broad? I wanna focus on how you know that there's a real person that's interacting with your application or your site.
This is the the definition I like because it includes things. I'm not gonna read it to you, but includes a couple things that are important. Verification, I've proven that I am who I say I am and when I've authenticated on your site as I was just talking about with the banks, I've proven that it's actually me and not somebody I've given my credentials to or had credentials stolen.
The other part is just kind of good hygiene for the world we live in now around security, around consent, around those things as well. This is the way I want us to think about and the way we should be thinking about identity when interact with our customers.
This is how we do identity verification at my company, that's what we do, we have lots of people just focused on this. There's three steps, one is you have a document, that document has to be a government issued ID. So government identity proofs you and gives you a physical representation of your identity.
We do that. We have to make sure, is it real? There's a tremendous amount of money in fraud and pretending to be someone you're not or inventing whole new people and getting them things like loans. Lots and lots of money in that, so there's there's a lot of reason why people want to generate fake documents and they're doing it constantly.
We are super busy always catching the latest things they try. First, do you have a real document? Second, is who you are right now? Does that match that document? And third is actually, are you alive? Because what happens is, well, I have a photo of a photo, or I have a photo of a screen, or I have a mask on, and masks have also gotten incredibly complicated.
The scary thing about the folks who commit fraud is that because there's so much money, they also have access to all the same tools we do. They read all the same academic papers. They have access. They have AWS accounts and Azure accounts. They're using the same they're using deep learning and all these things to try and fool us because it's worth so much money.
Keeping on top of this is actually really complicated. These are different versions of faked IDs, each different in very very subtle ways that is increasingly hard to detect. This is hard stuff to do, but it is important to do. So for example, this is the simple mask.
This is stuff we do, but that actually would trip up a lot of machine learning algorithms, just that holding up picture of a face in front of you. And like I said, now people are doing latex masks that's actually hard for a human to tell the difference, trying to fake identity.
Understanding what level of identity proofing you need to do with your customer, very very important. Understanding that based on what they want to do. Maybe you don't always need to have that full level of ID proofing, but being able to make a decision about it and reasoning about the risk is important.
I'm going to talk quickly just about how we've gotten to where we are now. This is the sort of sixty year version how we got to here. I'm not going go through all these things but these are obviously not exhaustive but these are sort of the waypoints I thought were particularly interesting.
So going back to nineteen sixty when we were all well, none of us maybe, or a number of us were using time sharing systems that had a shared file system so everybody's files were in the same place. And somebody realized, hey, have their sensitive data here, we maybe should have a password.
So that's MIT nineteen sixty. From therein, we get into things like PKI. PKI was really interesting. It was actually not successful in the mid nineties, but it's led to a lot of stuff around securing identity that we still use today. We get into government issued digital identities.
The Estonia one, for those of you who remember back in two thousand, that was a really big deal because it was the first massive kind of public version of this. They did a lot of work around securing it and actually making it really robust and unfortunately they didn't do a good enough job because it actually had a lot of problems with fraud.
But it was a good early attempt. Then we get into more private stuff like the Swedish bank ID. I lived in Sweden for a number of years, I still have a Swedish bank ID that was started by the private, by the banks. It is also how I use to log in to Skodaverket in Sweden to do tax stuff or my pension, things like that.
So it started from the private side and went public. The Aadhar card, and I probably still don't pronounce that correctly, in India. This one's fascinating. India had a problem, and there's a reason why identity is an important thing. A few years ago, the majority of people or a large percentage of the population in India didn't have any form of ID whatsoever.
And this was a problem. They had no access to economic improvement. They couldn't get a bank account. They didn't have good access to government services. The Indian government came up with this biometric digital ID that they got to ninety percent of their population, over one point two billion people now have this ID.
And it's biometric, it's also actually pretty cool in that it's it's it's not like a card, it's not like my b r my BRP card for the UK, It's actually you can just print it on your home printer. By the way, that makes it very difficult to check for fraud, that's our problem.
It it actually does a great job because it's given access to the to a big chunk of people who didn't have it before. OpenID and OAuth you probably are already familiar with. I wanted to talk a little bit about, and I'll talk a little bit more about decentralized identity.
This is something new that maybe a lot of you aren't aware of unless you're kind of in this world. This is something that's been new. It's emerging. I don't know if it's gonna actually be successful, but a lot of the technologies that are part of this are become are kind of breaking out from this.
And so I wanted to I'll talk a little bit more about it in a moment because I think it's interesting given where we are today. So this is constantly evolving. Monday, this is from Monday. On Monday, the Malaysian government basically approved that they're moving and generating digital identities for their entire population.
This is happening and this is evolving much and much faster these days. I want to talk in the slides I talked about federated identity. All of you use it, you don't really maybe call it federated identity, I wanted to talk about it mostly because I want to introduce some of the terms.
When you actually start thinking about identity, you hear these terms and you don't realize you've kind of already lived with them. So if you use Twitter, I use Twitter to log in to Medium, for example. So in the federated identity world, Twitter is my identity provider.
I go to Medium, it says login, it sends me into Twitter. Twitter is my identity provider, it is my credential service provider, in this case it is saying, yes, this is Kevin back to Medium and that is passed in a cert, encrypted cert back to Medium, thank you PKI.
Medium has that. Medium is my relying party. It relies on Twitter to validate who I am. And it is my service provider. That is the service I'm trying to use. I just wanted to get these terms out because it's actually I was I'm relatively new to this space.
I've only been at Onfido since April and I kept hearing relying party and certain kind of us these terms and I didn't understand I knew them until I actually read up on it. Federated identity is interesting because of a couple things I'll talk about.
Decentralized identity is interesting for a couple things that have actually of emerged beyond it. In the wake of Cambridge Analytica, in the wake of Equifax, folks have said, you know what, we actually need to take control of our digital identity and so we're going to do something that is sort of owned by the people, people first.
So they came up with this notion, this group proposed the spec, they created the decentralized identity foundation and it put together this proposal. The idea is that, let's say I use Barclays, Barclays can issue me an attestation because Barclays has done an ID proofing step on me to validate I am who I am.
I say I am. They can give me a cert essentially saying you are Kevin Goldsmith. That cert will go into a distributed ledger, could be blockchain, probably it's blockchain but could be something else, it's not really important. That distributed ledger, you need an identifier to that attestation.
That's called a distributed ID or DID. DID is now being Microsoft supporting it, Google supporting it. This is why I wanted to raise it because it is kind of escaping this particular world. That DID points to a DID document that is essentially JSON that's encrypted, inserted again, thank you PKI, to prove to encapsulate that attestation.
So then if I go to another site and they say, well, we need you to prove you are Kevin Goldsmith, I can give them the DID that points to the attestation from Barclays that they can use to say, well, Barclays is the trust anchor here, we trust Barclays, therefore we believe you are who you say you are.
The part of this where it becomes now into my control, if that distributed ledger is in a wallet on my phone that is mine and I decide who gets access to these different DID documents, that is what is called a self sovereign ID.
And sovereign ID is something that's emerging to help people protect their identity on the internet and is something that you may actually if it continues to grow, you may be having to support in your applications. So how do you use this digital identity?
You you you now know you you can show who's on the other side of the browser, you can know who that is, how do you use it? These are the industries we work with commonly. So if you think about any time you've had to show your passport, like getting on a plane or doing a bank account or your driver's license, these are all the people that are doing this now.
Gaming, when we talk about gaming, we're really talking about making sure you are of an appropriate age primarily for gambling, but we call it gaming because that sounds nicer. And I think in the UK soon you're gonna have to do that for other adult things as well.
I think you're either gonna have to go online with your to do a selfie and do your passport to prove you're over eighteen, or I don't know what the age is, in the UK if you want to do other adult things. These are some of the areas that are kind of obvious and you may say, well, I'm not in any of these industries, I don't really care.
There is some things where you actually really do want to care about this. Think about this, one of the primary vectors for fraud is me calling up a customer support person or or going into a chat and saying, you know, my wife has died or my husband has died and I need access to their account.
And they'll ask you some questions. Well, okay, we need to prove you're the person because we can't just give you access to their account. Tell us about this and of course I already know that because I've gotten all their public details off their Facebook page or off their CV or off stolen data from Equifax or another credit agency or something like that.
And they'll say, okay, we believe you. Here's login data for that account. Okay. Once I'm into that account, and that account could be anything. Right? I can get access to the other accounts, I can take over your identity, I can start opening new accounts in your name using these existing logins and steal money from you.
And this will affect each of you in your own applications because you may be that vector that somebody uses to bridge into an email or bridge into a bank account or something like that. So you actually do this is a case where you actually may wanna say, okay, we really need you to prove you are who you say you are, we're gonna do an ID proofing step on you that doesn't involve things that you can Google.
Another thing in social media, that verified check mark that is currency in social networks, I am actually the Kevin Goldsmith although you have no idea still. I could be an actor hired by Kevin Goldsmith to do his talks for him. You'll see if you go to the Q and A stage later because if I was an actor I wouldn't be able to do the Q and A.
And then if you do let's say you have small transactions, you're in Etsy or you're selling stickers on the internet, so you're not doing large financial transactions and you say, well okay, If if the the cost of fraud is low, so we'll just pay.
When when somebody defrauds us or one of our customers, we'll just cover that. It's easier than than adding friction to our process by doing ID proofing. Let's say you're selling cars or property or now you're into thousands of pounds instead of hundreds of p, right, of pence.
That's a case where you act the cost of fraud is very high and you may want to add explicit ID proofing. How do we protect it? You've done some sort of ID proofing, you have data, or you haven't even done that, you've been building a portfolio on your customers because you wanna track it back to them, because you wanna be more efficient at selling things to them.
How do you you still need to protect this. How do you do that? One is know what you want. So as you heard, I worked at Spotify. I one of the things at Spotify and and and other companies, although as well, I was bad at this.
I said, I want all the data. Give me every piece of data and let's store it because someday I want a more efficient way of recommend doing recommendations to you. And I may not care today that, you know, your geohistory, but someday we we will care.
And actually while I was there, we got into trouble cause we did a test that some that went public where we were actually gonna try and get your location as a way of better recommending tracks. Hey, you're at the gym. We're gonna give you gym playlists now.
People turned out they didn't like that idea that Spotify was watching where they were going. But I wanted that data because I and I even if we weren't gonna use it today, I wanted to use it in the future. That was a big mistake as as I found out.
Not only do you not need did we not need it when we did want it, we could have gotten it then. And if we had lost it, if somebody had hacked us and gotten access to this data, let's say it hadn't gone out public that we were looking to know your location, we would have gotten in massive trouble for collecting all this data we didn't need to know.
So that's something really important to think about. Gather as little data as you need for right now. If someday you think, oh, this would be much more efficient to have more data, start collecting it later. It's fine. When you do collect data, store it as little time as possible.
Delete it as soon as you can. So you're doing some new training data, so you're gathering some data from your users, you wanna build your new models, build the models, delete the data. If you keep it around, it is just it is just attractive and valuable to somebody breaking into your systems.
So we are very careful about that at Onfido. Controlling access to who has this. If you're doing GDPR, if you've done a SOC two or ISO twenty seven thousand and one compliance, you're hopefully already doing this or you probably would have failed your audit.
But if you're a startup and you're just starting to think about this, and believe me, I've worked with tons of startups, know lots of startups, none of them do this at first cause they don't think it's worth the effort. This is absolutely worth the effort.
Keeping privacy first at the beginning is super important. Logging every access to personal data. Cause even if even if no one breaks into your systems, you get one sort of bad employee like they had at Facebook who starts following their ex around and that goes gets out.
If your company depends on the trust of your users, you're in real trouble. Minimize disclosures through your third party, through your vendors. Right? So you have this digital identity data about people and you have these vendors that you work with choosing what to give them and minimizing what you give them because they are now if they lose the data because they aren't being as fastidious as you, that's still your problem.
Or if they become a vector to get into your system, that's a problem. So minimizing who you share data with, very important. And vetting the vendors you have. So one of the things we do because our currency with our customers is absolutely protecting privacy, the privacy of consumers, we are very fastidious about this, we will pen test our vendors including like our ERP vendors and our paycheck vendors because if they are lax, they become a vector that somebody can get into our systems.
So we'll do, we'll cut off vendors if we find and we will look for ways into their systems. We hack our vendors sometimes. Minimize data linking, so you're collecting data, different data points. Oh, here's this IP address that logged in and we know it's this person and here's this piece of information about this person.
It is very tempting to put that into a big collection. Right? And store a single user with all the data around them. But if you actually don't need to link that data, leave it separate. Keep it in separate places. It makes it a bit of a problem for right to be forgotten, but if you put it together, even those two different pieces of data, those being very innocuous, together they actually start to build something that's valuable to someone that wants to do bad things.
So keep them separate unless you really need to put them together. And consider where to store your data. Do you need to keep the data in the cloud? If you have an app, could you leave the data in the app? And when you need access to it from the cloud, you send it to the cloud then.
If on a person's device, it's a lot more secure than if it's all collected in the cloud. So copy it, bring it up to the cloud, do whatever processing you want on it, and then delete it from the cloud. Get it again from the app if you need it.
Finally, be aware of the legislation because it is changing quite rapidly. You all know GDPR hopefully. You hopefully also know the UK data privacy laws which are different than GDPR, if you weren't aware of this. Are you aware that January first California in the US has its own data privacy law that's gonna affect a population bigger than the UK?
And if you're doing any business with the US, it's also different than GDPR and you're going to have to deal with that. India, coming back to India, has a massive piece of data privacy legislation working its way through their government. When it whenever it goes live, it is gonna have a massive impact to any of those with employees in India or customers in India with over a billion people.
That's most of us in our businesses. So I'm almost out of time. I just want to wrap up real quickly. We have an identity crisis on the internet. Being aware of how much you need to know about your customer, how much you want to prove their identity, how you want to know who's on the other side of the browser.
Be very deliberate, be very thoughtful about that and then be responsible when you collect that data and know and use it responsibly and protect as best you can. I am on the Q and A stage in a little bit And if you have questions, can also tweet to me.