Onfido CTO Discusses Identity Verification, Blockchain, ML

'TF7 Radio' Program Dedicated To IAM Progress



Dan Gunderman
08/28/2018

Host George Rettas was joined by Onfido Chief Product Officer and Interim CTO, Kevin Trilli, on the Aug. 27 episode of “Task Force 7 Radio.” Topics ranged from the history of identity verification, to machine learning (ML) concepts.

Trilli kicked off the program with a discussion of the digital identity, and society’s many tangles with perfecting it.

Verification Over The Decades

In the digital world, the identity began to be (further) conceptualized in the 1990s, where familiar and trusted processes could be brought to the digital domain. In the late ’90s, Trilli said, the form began with credentials stored in smart cards and inserted into readers to access a building.

He also touched upon another aspect of identity verification: The radio show guest said there was a broad focus in public key infrastructure (PKI), and using digital credentials to exchange attributes about identity, encrypt and store them, and embed them in a machine-readable format. Trilli said this avenue was technically complicated, and so the space migrated back to the concept of the user experience. He said knowledge-based authentication questions became the second phase of the market development; this required “out-of-wallet” questions to query a database.

Trilli said even that had its limitations – as it had to be based on a trusted source. The CTO said this led to an evolution of that approach. By the 2000s, he cited methods utilized to build better systems. By 2015 (and onward), Trilli said the industry entered a new phase: a need for new systems and methods. He cited the call for digital-only businesses and banks. These business models, coupled with shared-economy services, demand heighted identity verification principles.

Issues attached to identity verification include “vulnerabilities of the digital system,” Trilli said. “(An attack could come from) anywhere around the world, with multiple approaches and people. The data is available for purchase, making the problem difficult to solve. Think of it like an arms race. There are vulnerabilities from the human side – from a social engineering perspective. The threat there is harder to deal with.”

Refocusing

On the types of businesses that require new identity verification solutions, Trilli said there are “two halves” to the answer: Regulated businesses (financial institutions with know-your-customer (KYC) requirements and exorbitant anti-money laundering spending) and non-regulated segments (digital businesses that have emerged in the last five years). To the latter, Trilli said the “system is predicated on trust, but there are bad apples and over time the trust (wears).”

See Related: 'Diversity In Security Is A Business Imperative': EY Partner Shelley Westman

On ways in which identity verification can create user-experience friction, Trilli said that all sides of the business agree on the same thing: It’s a business-first goal, which needs to be considered at every step. However, every additional requirement on the user results in potential drop-off. And yet, the organization must consider bad apples coming through the system. It is a bit of a dilemma. Even still, the setbacks proceed: If fraudster presence is just 1%, Trilli said it becomes an immense challenge to optimize any process.

Verification Challenges

“What identity verification tries to accomplish,” Trilli added, “(is applying its principles) to the constraints of the digital environment.” He used physical document examination by passport officers in an airport as an comparative example. The CTO said that even in person, with more context, the officers are not 100% effective. That challenge is magnified when it becomes a digital process.

The “TF7 Radio” guest soon labeled mobile devices as an “intrinsic identity augmentation of who we are” and a “core piece of human existence.” That said, the devices also become a high-resolution capture aid. This helps alleviate some of the aforementioned issues.

Low Friction

The program guest soon continued: “There is a desire or nirvana of having something extremely low-fiction and convenient to the user, but yet super robust. In any type of system, there are a number of factors: the user experience, classic cost, operation of the system, maintenance and integrity, existing integrity of that system and applicability or ubiquity of the solution…”

Keeping in mind those parameters, Trilli also discussed the importance and utility of biometrics. He called them a sort of authenticator and a compliment to some other form of identification.

Due to the dynamic nature of this identity and access management (IAM) space, Trilli said one must stay apprised of all the latest trends. That includes the effectiveness of databases and the multiple choice answer query – he said these solutions have had their signals “devalued.”

See Related: Collaboration & Motivation: Cyber Security Exec Shares Helpful Tips

The guest cited a motion right now in the U.S., thanks to groups such as the Better Identity Coalition, to get the government to rethink the use of social security numbers going forward. They’re looking at the driver’s license bureau for the ability to be an identifier.

The Last True Indicator

The “TF7 Radio” guest suggested that biometrics is the last true identity indicator. Yet, because of the “old revocation problem,” once indicators are stolen, you can’t remove them. He said biometrics must be the “last protected bastion we have” and “used in a careful manner.”

Artificial Intelligence

In the final segment of the show, Trilli dedicated time to discussing artificial intelligence (AI) and machine learning (ML). One such use is in document verification. It’s here, he said, where ML comes in: in converting the image of a document, evaluating it and making a decision on whether it can be trusted. It’s taken, compared to a biometric representation, and must match the image on the identity document.

He said ML can “do things in a digital manner in ways humans can’t even see.” But the oversight must be “supervised,” as the machines must be “taught” to improve and scale.

The importance of user input is that in the supervised ML, trained expertise is utilized to “tune the machine” as new fraud techniques show up. He called this “deep learning” a process of “evolving.”

Mobile Wallets

To steer clear of the age-old tangible wallet is the ultimate goal, Trilli then added, suggesting it’s a transition toward “absolute convenience.” However, it won’t come easy as the shift will take cross-sector collaboration.

Beyond that, it will also take a fair share of digitization and governmental acknowledgement. That means  a government would accept a common format/standard and consume identity documents in a machine-readable manner.

Blockchain

Speaking about this larger shift toward digitization and verification, Trilli added that blockchain “shows promise” in augmenting it. “It gives you the ability to have a system that no one fully owns; there’s no central entity,” he said. Blockchain can thus help with facilitating the storage of identities and associated transaction history in a way that’s not centralized. He called it a building block of what the future system could look like.

Long-Term Strategy

In wrapping up the show, the guest opined: “Identity is a key to access. It’s easier to share in a trusted manner, where users can access more services, and businesses can flourish… But data has to be protected, as it is very valuable to fraudsters… If you remove the centralization concept, in a blockchain-type system, you start to help with that problem…"

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Connect with Trilli on LinkedIn, here.

Be Sure To Check Out: Top 5 Security Initiatives Include IIoT, ML & Extensive Research