My mother has lived in the same house in the same town for over 40 years. She has been going to the same bank for at least 20 years. Before that, she went to the bank a block away from the new bank for about 20 years.
When she walks into the bank, everyone says, “Good morning, Mrs. Brodie!”
She gives them her passbook (she may have an ATM card now; I know for a while she didn’t want one) and they complete her transactions. She doesn't need to show them an ID or anything to prove who she is - they know she is who she claims she is.
My dad sometimes runs errands for my mom, which can include a visit to the bank. He has also lived in the same house in the same town for over 40 years. However, he rarely, if ever, goes to the bank. If he does, this is an example of his experience after he hands over his passbook:
"Sir, do you have an ID?"
(He gives the person his driver's license.)
"Sir, are you sure you are Mr. Brodie?"
(That question took him a little while to process.)
Once, they even called my mom to be sure he was allowed to make a withdrawal because they didn't know who he was and thought someone was trying to scam my mom.
(I felt bad for my dad when I heard that story. It's nice that the bank is protective of my mother, but at the same time, what does the man need to do to prove his identity, besides calling the wife to make sure he has "permission" to be there?)
I strongly believe the best online experiences are translated from efficient and effective offline experiences.
With that said, why can't validating identity be similar to my mother's local bank experience rather than relying on documents that could be forged (like my father's experience)?
And if we can't do this well offline, how can we translate validating identity online?
Let's start with how we validate identity offline.
My mother's offline identity is mainly based on her physical identity. But what constitutes her physical identity to make her Mrs. Brodie?
- Her voice.
- Her speech patterns.
- Her appearance.
- Her personal preferences and tastes - from what she chooses to wear for clothes and shoes, her personal style, her nail color.
- Her mannerisms.
- Her signature.
- Her memory of past events and conversations.
At the bank, when they see her walk in, they know who she is from these traits. An imposter would be identified quickly from a conversation or an interaction that was "not quite right." It could even be as simple as the person not having her gait or her signature being a little weird. It's hard to replicate how someone acts - ask any impersonator.
This type of identity system works great in smaller, local environments where you interact with someone on a regular basis, but fails once you leave that environment.
Let's say you travel to another city and decide to stay in a hotel. When you check in, you are asked to provide an ID and credit card. The hotel desk person looks at the picture and signatures to make sure everything matches. Your identity validation is based on possessing a set of documents that all say the same thing, almost like possessing a set of keys.
But what if it is all a lie?
In a way, once you leave somewhere where people can identify you from your personhood, you really have no way to confirm your own identity. No one can vouch for you.
We live in a culture where we assume that by possessing a few pieces of paper, you have a secured identity. If a picture matches what you look like, then we say you have a positive ID. If the signature matches, you have a secure ID.
What happens if someone has a stolen name and social security number, gets a credit card, creates a fake ID with their physical identity and your name, and uses their own signature for that name? (Sounds like the movie, Identity Theft, but it can and does happen.)
Sadly, we trust too much in possessing official documents to establish identity rather than the characteristics of personhood. Even experts agree.
Since the earliest days of human history, we’ve needed to verify who the people around us are. In more recent times, as the human population has surged into the billions, that need has only intensified. Are you part of the tribe or are you an outsider? According to research by Robin Dunbar, an anthropologist at Oxford University, the average person can only recognize about 1,500 faces. That’s a pretty astonishing number, but it pales in comparison to the numbers of people we come into contact with over a month or even a day.
Today, our identities are verified almost exclusively by one of two methods—things that you carry with you and things you remember. Driver’s licenses and passports are examples of the former, passwords and PINs the latter. But physical identification is easy to fake, and passwords are easily cracked by hackers, who then have nearly unfettered access to our credit cards, bank accounts, and personal data. Something needs to change.
--Tim De Chant, The Boring and Exciting World of Biometrics, Nova Next/PBS
We never really mastered the art of identification offline, so how can we do this online? Offline we rely on the possession of documents and cards, but those can be lost, stolen or forged. Online, we use a safe/lock metaphor for security and hiding personal information (not the same as someone's identity), but this is a muddled perspective of security and identity validation - and they are not the same thing.
Passwords are like combinations to a safe. Sure, you need the key to get into what has been locked, but it doesn't establish your identity. Anyone could own a key or get a combination to access data.
If we were to purely map an offline process to online, how would you identify a person? How could you map their personality?
Biometrics.
Voice recognition technology is one specialization area of biometrics. (Here's a brief definition of voice recognition vs. speech recognition: voice recognition is about identifying the speaker, while speech recognition is about what he is saying.) By identifying someone through his own unique identifier - his voice - you can quickly validate his identity. It is better than a signature.
The Tolly Group was hired by BSI to try and breach BioSig-ID™'s biometric security. Over 100 people were given unlimited access to try and validate against a website protected with BioSig-ID™. Additionally, they were informed of the password used, "Mom". After over 10,000 attempts at breaching our security, BioSig-ID™ blocked 99.97% of the attempts.
There are other aspects of biometrics. DNA (although intrusive), retina scans, face recognition technology, and others.
The beauty of these technologies is that identity validation is based on what makes you unique rather than possessing a key/password.
Unlike traditional identification which you must either remember or carry with you, biometrics are you. Fingerprints, voice analysis, iris patterns, vein matching, gait analysis, and so on. Such traits are unique to an individual and often, though not always, incredibly difficult to fake.
Although biometrics are a more accurate method of identity validation because they more closely resemble how we identify others every day, this approach does come with a price.
Some of the anxiety stems from the fact that biometrics are a part of who we are—they’re not an internet username that can be easily discarded or created anew. Biometrics will likely persist in government and private databases, accreting information whether we like it or not.
And that is a scary risk - how does biometric information get stored and used? And do we trust those purposes?
So what to do?
Rather than programming computers to become more like humans and identify others using personal attributes, we should perfect the offline identification process beyond documents and incorporate ethical systems around data use.
Nefarious uses of biometric information may sound like something out of a bad sci-fi movie, but the opportunities for misuse are very real and if something were to happen, the costs could be very high. I mean, stealing biometric information would be like literally stealing someone's personhood - and then how could someone prove who he was or wasn't?
Let's return to the original story about my dad and the local bank. To make it simple, let's say the bank decided not to implement a biometric identity program. And let's say my dad went back to the local bank and decided to withdraw money from his account. Would the bank teller still want to call my mother to confirm his identity? Yes.
Is there a better offline method to validate identity today? No.
(Biometrics depends on my dad participating in the program. If he didn't, we are back at the offline method for identity validation. If he did participate, then there is the risk of what happens if the bank is hacked or misuses that data.)
How do we change this situation? As a society, we need to rethink how we define identity beyond possessing documents. (To note, having a chip in our bodies is similar to possessing a document - it is about possessing a thing.) Until this happens, we are stuck with our current models and metaphors, which are open to fraud and theft and perpetuate flawed identity validation.