Consumers are stuck using outdated or easily compromised means of proving their identities in a world where banks and retailers need something better. Mastercard and Microsoft are teaming up to take on this monumental challenge.
They’re far from alone: Payment companies, fintechs, merchants, processors, marketers, and data providers are all looking for ways to make their services an indispensable part of securing a consumer’s digital identity.
To these two giants of payments and technology, the initiative is more about what identity systems are not doing right now. They’re “patchy,” “inconsistent,” and don’t always work from one country to another. What they are promising to do is a goal that all digital companies will be chasing in the years to come.
“In concept, I think this collaboration has the potential to be very powerful. It is seeking to address one of the messiest problems on the Internet today—reliably and seamlessly identifying the person at the other end of a transaction,” said Julie Conroy, a research director at Aite Group. “Everyone wants to win the race and become to federated identity what Google is to internet search. I think this analogy is probably an apt one — while there are other search engines out there, Google is absolutely dominant.”
Much as Google is a ubiquitous search engine, providing a wealth of benefit for data analysis and advertising, Mastercard and Microsoft could become the lead for how people initially access e-commerce, banks, governments and other parties, giving the two companies competitive position as the enrollment party.
Mastercard and Microsoft are trying to solve what is a relatively old problem of advancing beyond passwords. For years the solution has been called “federated identity,” or one ID that works in all stores and for all accounts in different jurisdictions.
But the worlds of payments and e-commerce have stubbornly clung to static passwords and PIN codes, with stronger security layered on top in a way that may seem secure but can be easily bypassed. Even Apple’s Touch ID, which arguably made consumers comfortable with using biometric fingerprint authentication for everyday tasks, can be duped by malicious apps that trick users into authenticating transactions they did not knowingly agree to.
Many systems use SMS text messaging as a second factor of authentication, but this channel paints a target on carriers, which can be duped into migrating a consumer’s phone number to a scammer’s SIM. The carriers have a potential solution in Project Verify, but that isn’t expected to go live until March, and there are no guarantees that it will fix all of the issues with mobile authentication.
As people increasingly shop with a mobile wallet, open a hotel room door with a wristband, or pay for a ride invisibly through an app, a more modern version of federated identity becomes necessary. And with cashierless shopping on the horizon, any company that figures out how to seamlessly and securely identify users will be in a great position.
“This would put Mastercard at the center of the payments universe,” said Richard Crone, a payments consultant. “All payment value chains start with identification.”
Mastercard did not return a request for comment by deadline. In its announcement with Microsoft, the card brand said it aims to improve the applicant identification process for establishing a new bank account, loan or payment service account. Streamlining shopping and making it agnostic to payment type is also part of the plan, as is access government services such as taxes, passports and securing government payments. Other use cases include streaming services, ride-sharing platforms and securing social media and email programs, and adding more than 1 billion people to the global identity rolls.
“The world is undergoing a global digital transformation where digital and physical reality are blurring into a single integrated modern way of living. This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world,” said Ankur Patel, a principal program manager at Microsoft’s identity division, in an email. “It is essential for individuals to own and control all elements of their digital identity. Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it.”
Though they haven’t released details, Microsoft and Mastercard are building on technology that’s called self-sovereign identity, which replaces the “proof of ID” documents required to open an account. These include birth certificates, motor vehicle records and other bank accounts.
“You no longer need to copy and send all of this,” said Tim Sloane, vice president of payments innovation at Mercator Advisory Group, adding self-sovereign identity uses technology that enables the bank ask the consumer for proof of identity.
The consumer authorizes the other entities to validate via a “zero-knowledge proof” that allows a question to be answered without sharing specific data. A bank can ask if someone is older than 18, and find out without knowing the person’s actual age. Other queries such as income can also be accessed this way, Sloane said.
“In this new world of self-sovereign identity, a new bank receives a certified electronic package that states you have an account at the other bank, that you have a driver’s license and that you were born at a certain location,” Sloane said. “This is the technology that Microsoft and Mastercard have agreed to work on jointly.”
For Mastercard, universal digital identity would be a key element of the EMVco single “buy button” for online payments, a cross-card brand initiative to standardize how digital payments are executed. Visa, which is also part of the “buy button” initiative, did not return a request for comment on the Mastercard/Microsoft ID project.
“If [Mastercard] nails it, they not only can leverage a single buy button but also act as a central authenticating authority, acting as a gatekeeper in every transaction,” Crone said. “They could become the new clearinghouse for new accounts, loan origination, switching institutions, even providing identification for unidentified schemes such as bitcoin. The key question is how do they keep it secure if they share it with others?”
There are other challenges to this project’s success. The collaboration will have to succeed in a market where there hasn’t been much prior success, if any. Other attempts at universal digital identity, such as biometric-based single sign-on or “password as a service” solutions, have not taken off because of a lack of buy-in from stakeholders.
Also, given the international ambition of Microsoft and Mastercard, it’s worth noting that that there are myriad projects already underway in Canada, Asia and other regions. Will they cooperate with Microsoft and Mastercard?
“It’s a messy problem because there are so many disparate endpoints and stakeholders, so devising a secure, customer-friendly, and ubiquitous solution is by no means easy,” Conroy said.