Replacing Legacy Identity Authentication Methods

Episode 309

State of Identity Podcast

12/8/2022

Episode 309

Replacing Legacy Identity Authentication Methods

Why is cryptographic authentication replacing risk-based authentication at tier 1 banks & enterprises? On this week’s State of Identity episode host, Cameron D’Ambrosi welcomes Co-founder & CEO at Prove, Rodger Desai to discuss how and why banks are making the decisions to transition their auth stacks, and what some of the key value drivers in transitioning are. 

Host:

Cameron D'Ambrosi, Senior Principal at Liminal

Guest:

Rodger Desai, Co-Founder & CEO at Prove

Links:

Share this episode:

Cameron D’Ambrosi [00:00:00] Everyone, it’s Cameron. Thanks again for joining us. We’ve got another great episode for you this week. Long-time guest and friend of the podcast, Roger, CEO of Prove. Joining us to talk digital identity and all its facets. How and why. FIDO2 Passwordless is the way forward, but also how Prove is kind of putting their unique special sauce, if you will, on top of increasingly commodified FIDO2 Passwordless solutions. And I think some of the most interesting context Roger shared is about how they’re navigating these rough waters of digital transformation. When you start thinking about making significant changes to an enterprise’s digital identity stack, that necessarily requires multiple stakeholders dueling budgets. Competing mandates, how they’ve been so successful in breaking down some of those barriers. It’s another great episode. I think you’ll really enjoy it. So stay tuned. Welcome everyone to State of Identity. I’m your host, Cameron Ambrosi joining me again on the podcast. Please welcome Rodger Desai, CEO of Proof, formerly known as Payfone. For those who haven’t gotten that memo, although it’s been, I think, a few years at this point. Roger, welcome back.

 

Rodger Desai [00:01:21] Thank you so much for having me, Cameron.

 

Cameron D’Ambrosi [00:01:24] So lots of excitement. I guess you might say, across the digital identity space, although I guess when you’re a hammer, everything does look like a nail. Nevertheless, I think this time the excitement is palpable. You know, just got back from hanging out with you in the beautiful desert of Las Vegas for money 2020, which as subscribers to my morning brief will know. You know I quantified is not an identity conference per se. However, I think, you know, everything as far as trends in the payment space are really moving towards identity centrism. You know, we’ve we have for the longest time, I think, had effective ways of moving the money around. But the question is, you know, who is that money going to? And with, you know, whether it’s real-time payments, whether it’s open banking, whether it’s alternative credit, you know, the identity of the parties involved in the transaction is really more critical than ever. You know, Greg, these questions around Reggie and all of that really, you know, who you are and being able to authenticate. The identity behind those transactions is so, so critical. So I thought, what better time than now, you know, to get the proof gang back on the line and really talk about, you know, what you’re building and where you’re hearing buyers in the space, you know, demanding, you know, new features and new functionalities. Because I think that perspective is really, really important for audience to hear.

 

Rodger Desai [00:02:55] Yeah, absolutely.

 

Cameron D’Ambrosi [00:02:56] So for those who, you know, may have been living under a rock or are just not familiar with the proof platform, maybe we’ll kick it off with that. Just a quick 15,000-foot introduction. You know, where you’re playing in and where you see that puck headed in in terms of your product-level features. And then we’d love to unpack some of those trends alongside you.

 

Rodger Desai [00:03:15] Yeah, absolutely. Yeah. Prove we really think that you know, most transactions are legitimate. In fact, within 98% of transactions with humans behind them, whether account openings or logins or payments are legitimate. So internally we have something called a pass rate where we think in an ideal world everyone’s pass rate would be 98%, that you just kind of part the seas and you know, people would have a secure, frictionless, easy journey and the bad guys are kind of sequestered over here. Yeah. The reality is was more complicated than that. But, you know, we’re now able to achieve based on the unique way we do identity and authentication, pass rates in the 90% or higher. In fact, we’re publishing a white paper today with one tier-one bank where the pass rate is I think about 90% at scale. So what that means is we can enable more commerce and of let people get to business more quickly. So our way of using identity authentication is to drive business.

 

Cameron D’Ambrosi [00:04:12] I think that’s so, so critical to think about, you know, a lot of the conversation and for good reason, right, is about fraud, especially at shows like Money 2020, because I think it’s a big question mark. There are certainly large dollar amounts that are attention-grabbing as far as headlines around fraud. But when you really look at the ecosystem holistically, you know, it’s a proverbial drop in the bucket to a large degree. And I think when you look at the size of the opportunities that are being missed in terms of false declines. Right. People who are good customers who are trying to transact to some degree, it puts those numbers into perspective. Obviously, data around those things is somewhat challenging because, you know, to some degree, you can’t Prove a negative. Right. Obviously, if it’s a decline and the person doesn’t come back in. I think a lot of fraud vendors are inclined to say, well, look, you know, this Proves that this was a bad customer. They went away and they never came back. Whereas in reality, oftentimes it’s just someone who is frustrated enough that they threw their hands up and went to another channel or just walked over to the store and maybe bought it in person with cash. So that conversion is a bit harder to capture from your perspective. You know, do you really feel that growth is the proper way to be looking at these challenges as opposed to a more defensive posture around, you know, building is as spiky and sharp of a, of a razor fence around your platform as possible.

 

Rodger Desai [00:05:42] Yeah, it’s a great point. I think the thing we’re feeling is that identity is becoming more front and center. Part of what’s happening is that it’s becoming more of a sea-level conversation. Now, if you go into a CEO of a major company and you want to talk about fraud, they’ll politely listen and send you to the person you know if you float below the managers. Right. But if you talk about transforming their business. You know, one example we use as a tier one bank is that we make them nearly $1,000,000,000 of incremental revenue. And that’s because of the friction we reduce. And the fraud is down to less than five basis points. So in some ways, you would say like, well, who wouldn’t want that? Make lots of money by removing all this unnecessary friction and cumbersome processes and have almost no fraud, you know? And so that is is something that kind of gets a close attention to, I think, like for that audience, for that persona, which is probably the best one to be able to engage with. It’s all about growth, I think, in a market where, you know, obviously there’s an impending potential recession, especially as digital becomes more and more of the chosen way to do business. I think people are going to start looking at like using brands that are easy to do business with the digital, and those brands will get more market share. So I think I think growth has become the right conversation for identity to attach itself with, especially when talking to CEOs.

 

Cameron D’Ambrosi [00:07:06] In conversations with folks, you know, in the financial services sector, I think to your point, it can sometimes be a challenge to identify those right stakeholders who can maybe help advance the conversation more broadly. I know Liminal we’re fond of talking about breaking down silos, getting organizations, thinking holistically about digital identity. It sounds like you’re seeing that shift firsthand in terms of maybe who you end up at the client level you’re engaging with. Have you noticed that shift in terms of previously maybe being engaged more with CISOs and now either moving higher up the chain or more into those growth-focused stakeholders when you’re, you know, spinning up a deployment of the platform? And then I guess as a follow up to that, you know, how have you been working on your messaging and product level features to kind of speak to that focus around growth as opposed to maybe a purely defensive posture?

 

Rodger Desai [00:08:01] Yeah, I think that also has a confluence of different factors at play. You know, I think the ability to look now at Prove we have a lot of referenceable accounts. You know, when you start off in a most of the best places to partner with are the best companies to partner with aren’t early adopters. You know, they want to see something Proven in the marketplace before they adopt something. There are plenty of ways to spend their time and resources, so they want to make sure that, you know, things like are always good to deliver that are promised. So proof is in a great position today where there are enough right principle examples where we can take something to the sea level and talk about how we can transform their business that comes with our models where they would like the lift is easy to understand. It’s not buried in kind of fraud modeling and then saying, We’ll save this much fraud and we’ll take a piece of that. It’s more on we’ve got a pass rate like every single deposit account that we can help pass that otherwise wouldn’t have gotten passed because of friction. You know, there’s a measurable amount of money that that’s worth, you know, every single credit line, every single auto loan. You know, these are things that are measurable. The combination of reputable accounts are why models? But the thing that really brings it all home is the experience of showing people versus telling them, you know, like if I could make it so that and Prove we don’t use PowerPoint ever again, that would be a great day. And I think the ability to show people and that’s what I do now I start like I can see the look on of CEOs face before I fire up the laptop where we’re here we go again. How many slides, why the bear through this time and now? And I say, you know what, I’m going to show you a demo. I’m going to show you something that’s live. I’m going to show you how it applies to your business. And that gets kind of the emotional hook. You know, often in life, you know, people buy an emotion, confirm a fact. And I think we’re at the point now where we can show versus tell, you know, as an industry. And that’s definitely what we’re taking, you know, fully at heart.

 

Cameron D’Ambrosi [00:09:54] So in that vein, you know, I think one of the areas that’s been of intense interest across the industry right now is this shift to Passwordless. Obviously, big news out of the Fido alliance in terms of rolling out FIDO2 Passwordless off. And I think one thing in my conversations with buyers that has stood out is folks struggling to wrap their head around, you know, the vendor landscape around Fido, you know, are all Fido solutions the same? Are they all interoperable and kind of making heads of tails of their passwordless journey, for lack of a better word, you know, at Prove? How do you see yourself as standing out among the myriad of choices and strong platforms that are available to help organizations, you know, transition from whether it’s, you know, plain passwords or an existing kind of cobbling together of passwords plus some form of legacy MFA like SMS OTP. Where do you see proof as being able to kind of set yourselves apart? And do you think that buyers should be thinking hard about exactly how and when they deploy, you know, this transition from passwords to passwordless?

 

Rodger Desai [00:11:06] Yeah, I think passwordless has been a year away for ten years. And so the question is, you know, why now? Why this year? Obviously, the changes in the adoption that some of the industry leaders, Apple, Google, and Microsoft have done support the standard has helped where it’s available in more places, more browsers. But I think there are three fundamental things. If you said like, you know, how does a CEO of a bank, a merchant, you know, of any business make a decision to go passwordless to me, there are three fundamental decisions or criteria to kind of make your choices to deliver the role you’re expecting. First of all, like, what are the, you know, the obvious reasons to do it? You know, tubes are expensive. They’re, you know, you can steal them and push them and sim swap them so they’re not exactly secure. There’s a lot of OpEx in maintaining them. You have to train people how to use them. So there’s a myriad of issues with just the OTP. You know, I think it had a great premise and there’s a role for it. But I think there’s, you know, all sorts of very specific reasons to kind of move beyond the OTP. But the three things I think people should look for as criteria. One is that not every consumer will want to go past this. Ultimately, it will be a consumer choice. You know, if a hunter consumers are offered the ability to use their face or thumb, you know, not everyone will say, yeah. And I think you have to, you know, kind of reduce the reliance on OTP, not whole cloth, cut it off which which no bank will ever let you do. So the notion of how you can have a platform that can support both a variety of authenticators and it really is up to the individual to decide which one they want to use, you know, means that, you know, a bit like digital payments in cash, like there’s still cash. There’s just a lot less of it. So our premise is that we can kind of look at the older set of authenticators, a newer asset, and offer both to our clients. And again, we’ll start to see. I think one of most interesting things will be to see what will the adoption look like? Will you know, through the customers choose go passwordless or 10%? And what’s the rate of that change? I don’t think there’s enough examples in the real world where we can look at that as a way to understand the adoption that will take place. But that’s the first criteria to us. The second criteria that’s vital is you’ve got to make sure you’re buying the right person. And I think that’s the place the bad guys will get in. So, you know, if I today download a bank site and I log into Cameron’s account and I have my faces, is, well, now, you know, you’ve got a very secure way to secure the fraudster. So the initial buying, like how do I know it’s cam to begin with is just vital in how you, you know, set up things like face I.D.. Another extension of that is when the new phone shows up. So Cameron gets his iPhone 14. Well, is that Cameron on his iPhone 14 or is that me pretending to be you? So being able to kind of passively rewind without, you know, kind of having to reregister is vital because the bad guys will just force free registrations. And then again, that was if Cameron is in phone or someone pretending to be him. So I think the notion of the bind, the rebound and making that kind of not having consumers involved in this processes is vital because consumers make mistakes and then, you know, are the mistakes your customers and you to help them out or is it the bad guy trying to get in? The third, maybe most, you know, to me. Equally vital criteria is managing the keys themselves. So if you’re a bank, you want to manage your keys, you know? And I don’t think the notion of outsourcing kind of will be known as key management to to others, whether it’s to big tech or vendors, is wise. So I think the notion of where you have your keys that represent your customers and you’re managing them and you’re kind of locked in to someone else is pretty vital. And that gets to be pretty nuanced and evolve and Prove. We think we help folks think about those three vital areas to make sure you’re doing as well as the right way. And it makes sense for you as a bank or merchant. So, you know, key management, how are you doing that? How you’re binding and reminding me how to give choice because I’ll be consumers will have that choice.

 

Cameron D’Ambrosi [00:15:18] From that perspective, I think one of the things that gets maybe not lost in the shuffle, that’s a bad word. But elided is the criticality of if you are moving to password lists that you need a dam strong pardon my French binding of the person’s identity and their device to that passkey at the moment of creation. Otherwise it’s worthwhile, right? It’s like, well, if I create the world’s strongest lock, but I don’t know who has the key to it. Have I really secured anything? The importance and criticality of a strong, binding moment between the user, their physical identity and that digital device is so, so critical. And I think I don’t see enough conversation around how platforms are seeking to achieve that portion of the Passwordless transition, whether it’s at onboarding or whether it’s, you know, that transitory moment from an existing account with a password to a passkey.

 

Rodger Desai [00:16:18] Exactly. And I think that’s something that, you know, proof for proof. Just a logical extension. If you look at our account opening products like, let’s say a peripheral product where you can apply for an account with just your phone or phone number, you know, I don’t know a case where we’ve ever gotten the identity wrong, which implies that, you know, the the the statement we make that we know who owns and operates 90% of the phones in the U.S. that just like who’s paying the bill, but the owner operator of that phone at that moment in time, well, that’s a great asset to have when you’re trying to create a bind. So I think that’s vital. And, you know, it’s kind of something we already have as an asset that many banks rely upon. So it’s easy to say, is you like puzzle pieces like we help you open an account and now we can help you secure the account with the photo key. And then, of course, when the new phone shows up, we can help you manage the keys in those situations.

 

Cameron D’Ambrosi [00:17:08] And I think the other piece that we’re really seeing a lot of interest around and uptake of is this notion of network effects, broadly speaking. Right. The ability to engage with a platform like Prove and capture intelligence, not just about folks you have seen, but also be able to kind of proactively sniff out, is this a trusted identity or is this an identity that we know is a, you know, a bad guy, for lack of a better word, because of other touch points across the network? I understand that proof has a fairly robust viewpoint into most, if not all, kind of mobile identities in the U.S.. Can you talk a little bit about that network Flywheel and you know how your customers are able to take advantage of that? Because I think we’re seeing, you know, that the platforms that have really managed to differentiate themselves, I think the network effect is really a common thread there in terms of that success.

 

Rodger Desai [00:18:02] Yeah, absolutely. I’m glad you brought that up, Cam. So there’s a couple of things. Of course, all these things have to be opt-in for our customers. We would never use, you know, one customer’s information with another customer in any way. But from a technology standpoint, there some powerful network effects. So this notion of like almost like a network of networks where if we know something bad has happened to this phone, well, there may be, you know, five banks and ten merchants that rely on the case of that phone. So one thing you’ve can do is to say, hey, you can’t trust this phone anymore or this person, that’s a new phone. And we can kind of federate that insight to all the keys so that we can kind of manage the keys among all the banks and merchants that you can interact with. And as you start getting kind of fraud feedback again, depending upon how that’s kind of the give get model works from a business standpoint, you can kind of share that information for those who want to kind of across the network of proof customers. But I’m also excited by the other end of that spectrum, which is the Federated Trust. So one, you know, for example today if I’ve logged into Bank A 100 times from this phone and then I open account at Bank B, the way the world works today, I essentially start over. I bank feel like my levels limits are low. They’re not sure if it’s me. Well, okay. That probably shouldn’t be the 101st log in a bank B because it’s brand new, but it doesn’t have to be the first. You know, maybe it’s the 10th. That’s, I think this notion that you can federate trust so they can do more business with people more quickly. Because again, if you think that 98% of transactions with humans behind them are legitimate, then why not take advantage of that and do more business? Early on in the relationship? We’re getting into a world where there’s like riskier, riskier transactions that happened the beginning of the relationship that are legitimate, you know, like buying $5 with Ethereum as your first transaction. And Coinbase, let’s say that’s not unusual, but it’ll look very unusual. So how do you take advantage of the fact that, you know, you’re a verified trusted consumer, you know, in a way that businesses can take advantage of that and do more business with someone versus stepping up, inspecting and targeting and, you know, ultimately driving past this slower than it should be.

 

Cameron D’Ambrosi [00:20:15] So I’ve been I’m under. Strict instructions from the team to keep these under half an hour based on the metrics, I guess. You know, reports of people falling asleep at the wheel. Once I once I get past the half hour mark and we don’t want that for the public benefit, you know, in in pulling out your crystal ball and looking towards the future, both, you know, your thoughts as well as kind of what you’re hearing from your ear to the ground in in touch points with all these leading, you know, financial institutions and your other big customers, you know, what’s the next big trend in digital identity that that we should be aware of? And, you know, are we in for a quantum leap or is it going to be more of an incremental change, as, again, organizations start thinking to the Passwordless future and bringing mobile identity kind of more holistically into their product stacks.

 

Rodger Desai [00:21:04] I think it’ll be a revolution and I think it’ll be a dramatic leap forward. So we’re going to get away from the world of scoring transactions based on probabilities and patterns. You know, camera never does this. Or maybe maybe he does by foreign policy. The theory of every Friday now. I think getting away from that is something deterministic that you can Prove happened cryptographically. That’s one kind of leap that’s taking place. The proof is doing it. Why we have the kind of outcomes we have where banks make a lot of money by the reduction of friction but have very little fraud. At the same time, I think the next thing is once you have kind of a persistent identity and you can make it portable, where you can start taking it with you to open up accounts that rely on parties and merchants, I think that’s another step you’ll start seeing happening in the next 18 months. We’ve already done our first version of that. We have a portable identity that can go from a bank to a merchant. And so that’s another kind of step in that direction. But I think where it really is going is about like use cases like pricing risk more accurately. So if you could not just bring your identity, let’s say there’s a merchant that sells used cars. Great. If they know it’s you, that’s great. But wouldn’t they also want to know your credit score or your income open banking data? And with your permission, as a consumer, if all you had to do is say, yes, I’m willing to share these things. And that was it. There was no friction in logging into those accounts to try to share that data or facts, information or or anything along those lines. And that’s the kind of future I think folks really want, which is the ability for me as a consumer to bring a file cabinet, my stuff and securely share what I want to counterparties when I want to share. It could be financial data, could be health care data, could be a variety of types of credentials. But I think the identity is something we talk about a lot because it’s so broken. But that’s really step one. If if I can automatically see how much the monthly payment card would be for me, that maybe they’d be more inclined to to get that car. So I think that’s kind of where you’ll see at least Prove headed. And I think it’s a very exciting, very different future.

 

Cameron D’Ambrosi [00:23:11] Yeah. I mean. You know that I’m fond of of bad analogies, but you can kind of, you know, pick your poison here. Right. It’s one hand washing the other in the sense that every additional layer of, you know, assurance that you can build around who, you know, is potentially behind a transaction or or behind even an application. The more tailored you can fit those product offerings to those folks, the more accurate that information can be. So as they progress through the flow, they’re not getting hit with surprises where, you know, to your point, oh, they thought that the payments were going to be X and then actually turns out your credit isn’t as good as we thought or you may have self-represented. And then it goes up, you know, to X and you bail out after that company is maybe already committed some resources to continuing to try and bring you in as a customer, not to mention the power of, you know, on the marketing side being able to get better analytics around things like advertising, efficacy and conversion rates. You know, for people who came through a partner channel, what percentage of those people are converting after I spent money incentivizing them with coupon or or doing targeted advertising? And I think, you know, all these trends are converging, whether you’re talking depth of third party cookies, an increasing reliance on first party data, whether you’re talking the move to Passwordless rise in mobile transactions, adoption of ID and and civil ID, real time payments, open banking like identity is at the heart of all of it and and giving platforms the tools to really make heads of tails. Heads from tails, I should say, regarding the identity of those people coming in is going to, I think, hit on all of those business objectives. You know, I think we’re often taught there’s no such thing as a free lunch. And, you know, every action has an equal opposite reaction. And while I think those are fundamental truths to some degree, as far as, you know, laws of physics and and things in nature, it does not have to be a paradox where you for boosting your conversion and reducing your fraud, there needs to be a corresponding reduction in growth. And in many ways, I think it’s it’s counterintuitive that if you can secure your platform with more seamless and more secure authentication and a better identity stack, you’re going to reduce fraud. And at the same time, you’re going to bring more good customers through more effectively and actually see an uptick in revenue to go along with that reduction in friction. Thank you so much again for your time and really looking forward to staying in touch.

 

Episode 331

Onfido CEO Mike Tuchen shares his insights on the digital identity space, and the challenges businesses and consumers face. Tuchen discusses the need for a privacy-first approach, the growing demand for reusable digital identities, and the shift towards user control of personal information.

Episode 330

Secfense Chief Technology Officer, Marcin Szary, joins host Cameron D’Ambrosi to explore the current authentication landscape. They discuss why FIDO Alliance has been a truly transformative moment for the death of the password, how Secfense sets itself apart in a crowded and competitive landscape, and Marcin’s predictions for the future.

Episode 329

Measuring the reach of digital advertising and smartphone app performance is a difficult task made more challenging by tightening data privacy regulations. Edik Mitelman, SVP & GM of Privacy Cloud at AppsFlyer joins host Cameron D’Ambrosi to discuss the current state of the consumer data landscape, how platforms must balance first- and third-party data usage, and why the death of cookies is a tremendous opportunity.

Episode 328

John Bambenek, Principal Threat Hunter at Netenrich, joins host Cameron D’Ambrosi for a deep dive into the current trends across the cybersecurity landscape, from ChatGPT and deepfake offensive threats to leveraging data analytics across your XDR, SIEM and SOAR technology stacks for improved defenses.

Episode 327

Vyacheslav Zholudev, Chief Technology Officer of Sumsub, discusses the current state of the identity verification market with podcast host Cameron D’Ambrosi. They explore the factors driving platforms to move beyond basic identity verification and into other aspects of the digital identity lifecycle. They also discuss the challenges of implementing artificial intelligence in regulated use cases such as anti-money laundering (AML) transaction monitoring.

Episode 326

Host Cameron D’Ambrosi is joined by guest Marcus Bartram, General Partner and founding team member at Telstra Ventures, to dive into his company’s digital identity investment thesis, its transition from corporate VC to an independent fund, Strata Identity’s right to win, and the expanding role of identity in the cybersecurity landscape.

Filter by Content Type
Select all
Research
Podcasts
Articles
Case Study
Videos
Filter by Category
Select all
Customer Onboarding
Cybersecurity
Fraud and Risk
Go-to-Market
Growth Strategy
Identity Management
Landscape
Market Intelligence
News
Transaction Services