User-Driven ID Authentication on Steroids

by Alex Johnson

In my recent report on mobile account opening, I made the case for an emerging approach to identity authentication that is driven by end customers. I profiled vendors like miiCard and Trunomi that enable consumers to create ‘digital passports’ that they can use to confidently assert their identities in digital transactions. According to a recent article in American Banker, a new vendor called Trusona is taking a similar but more intensive approach.

“Trusona (the name is an amalgam of “true” and “persona”)…has created a heavy-duty authentication scheme designed to check, beyond a shadow of a doubt, that a person is who she says she is. The service is being marketed to banks, large companies and government agencies for use by their customers or employees.

Trusona requires effort on the user’s part. It’s meant for private banking clients, corporate customers and VIPs, in situations where security needs to come before convenience.

At the heart of the service is a hardware token that Eisen refers to as “the baby” (the official name is TruToken). It’s a small magnetic stripe card reader that can be plugged into a smartphone and used to scan an identification card or credit card and capture not only the information on the magnetic stripe, but also the patterns of the barium ferrite particles in the composition of the stripe. (No two are alike, according to Eisen, so the device can identify fake cards.)

To sign up for the service, a prospective user needs to photograph or scan her passport or driver’s license. Then she needs to go to the post office or have a postal delivery person come to her home to verify that piece of identification before receiving the token. (Trusona says it has a partnership with the U.S. Postal Service to do this.) Alternatively, a corporate customer could have someone in accounting or human resources play the role of “true notary,” and check employees’ IDs. Or a bank could have its private bankers serve this function.

There are steps built in to ensure that even in the case of a rogue mail carrier, the integrity of the account opening remains intact. For one thing, Trusona binds the serial number on the back of the token before giving it to the post office; without the correct serial number, the user cannot access the account. Registration for the service can only be completed on the phone used to start it. If another user tries to plug it into a different phone, it won’t work. (Should the user get a new phone, she would need to cancel the service and get a new token.)”

The company was founded by two of the most well-respected identity security experts alive today: Ori Eisen (formerly of AmEx and 41st Parameter) and Frank Abagnale (onetime con artist and current security consultant). Their goal? Eliminate the ‘last mile’ of identity fraud detection.

“41st Parameter provided 99% fraud detection, because the main tenet was not to disturb customers — everything was passive,” Eisen said. “It works really well, but it doesn’t solve for the last mile.”
By “last mile,” he means authenticating the user’s identity every time they log in — on the online banking site, on the mobile banking app or in the call center.
“I’m not OK with 99% of nuclear power plants being protected. Tweets out of CNN can’t be 99% true — one false tweet from an AP account and weird things can happen,” Eisen said. “Just before we retire, we wanted to fix that last thing.”

Overview by Alex Johnson, Director, Credit Advisory Service at Mercator Advisory Group
