Security news that informs and inspires

Mastercard, Microsoft Team Up on New Digital Identity Platform

By

Identity—proving we are who we say we are—is a difficult problem to solve. Despite the growing consensus that passwords don’t solve the identity question, there hasn’t been a lot of progress in figuring out how to verify identity online.

Mastercard and Microsoft are teaming up to develop a “single, reusable digital identity.” There are no details yet on what this digital identity would look like, when it would be ready, or even an idea of the architecture (other than the fact that it will be built on Microsoft Azure). Even so, the two companies have big plans, saying the universal method would work for various activities, ranging from signing into online services and online shopping, to obtaining government services.

The current system of credentials place a heavy burden on users as they have to remember multiple passwords across different sites. They are also easily stolen and used fraudulently to make unauthorized purchases, confirm transactions, and impersonate users. Even if the credentials are supplemented with physical proofs, such as biometrics or personal objects, the burden is still on the user to manage the different forms of identity.

“Today’s digital identity landscape is patchy, inconsistent and what works in one country often won’t work in another. We have an opportunity to establish a system that puts people first, giving them control of their identity data and where it is used,” said Ajay Bhalla, president of cyber and intelligence solutions at Mastercard.

Need New Approaches

While usernames and passwords are the most common form of online identity, they aren’t the only methods currently in use. Many platforms verify user identity with cell phone numbers but there are problems with that approach. For example, there have been an increase in SIM fraud, where attackers trick mobile carriers into porting a phone number to a different SIM card. Once they have control of the phone number, they can log into various user accounts or use the number to intercept the two-factor authentication codes.

Much of online identity is tied up in traditional proofs of identity used in the physical realm, such as passport and Social Security numbers, driver’s licenses, and street addresses. Knowledge-based authentication systems rely on information from the user’s physical life, such as the name of the street the user grew up on. Attackers can look for the answers to these questions, or trick users into giving them up, in order to gain access to the user’s digital accounts.

By stealing user credentials, thieves gain access to the user’s entire online presence, such as emails, shopping information, social media profiles, and bank accounts, as well as corporate data and files. A digital identity could solve verification issues and prevent unauthorized access for financial services and online services such as email, social media, and rideshare platforms.

A universal method for verifying identity would help prevent fraud by authorizing commercial transactions, such as online shopping and paying for movie and music streaming services, as well as for obtaining government services, such as filing taxes, applying for a passport, and collecting payments from benefit programs.

Separating the digital identity from physical identity also has an advantage, as it would allow people who may not have these traditional proofs to still be able to access online services.

“Digital identity is a cornerstone of how people live, work and play every day,” said Joy Chik, Microsoft’s corporate vice president of identity. “We believe people should be in control of their digital identity and data, and we’re thrilled to first work with Mastercard to bring new decentralized identity innovations to life.”

Changing Online Payments

The fact that Microsoft is partnering with Mastercard is significant, since it could impact how payments are made online. There are many different online payment services, but the majority of them are based on the existing system of credit cards. The payment card industry is under a lot of regulatory pressure to update its architecture as part of the effort to combat fraud resulting from stolen credit card numbers. One idea is to add digital identity credentials to online transactions to make it harder for someone with stolen numbers to make fraudulent purchases. Microsoft and Mastercard can help shape the standards on what online payments should look like and how they would interact with online identity verification.

The collaboration will eventually include partnerships with government, financial services and mobile network operators, although the companies have yet to announce other partners.

Who Rules Identity?

The case for digital identity is clear, but there hasn’t been a lot of progress in coming up with a working scheme. Back in 2011, the Department of Commerce unveiled plans for National Strategy for Trusted Identities in Cyberspace, but that effort never gained traction. The idea was to create a voluntary identity ecosystem with credentials that could be used across the Internet. Instead of relying on one trusted identity broker, users would be able to pick and choose from several different providers.

Microsoft has focused a lot of its recent efforts to create universal access to identity. Last year, the company partnered with Accenture to build a digital identification network using blockchain. The technical proof-of-concept is slated for 2020. Earlier this year, the company joined the ID2020 Alliance to develop a secure, open source digital identity system.

There is also a trust factor. Google and Facebook, for example, have enough user information to act as a de facto authentication provider, but many users would be reluctant to have one single company control their identities online. For Mastercard and Microsoft to be successful in their plans to develop a digital identity scheme, they would have to overcome the distrust about having too much user data in one place.