Visa’s Post-password Security Strategy
These days, passwords are too easily compromised to be of much use, but people still use them. To get past our reliance on passwords, Visa is building an open platform for the protection of internet-connected devices.
Visa is also joining the open development trend, with a goal of advancing security. Ultimately, the card network wants to embrace a “smarter” alternative to passwords.
Incidents such as the Equifax breach create more urgency to move beyond static identifiers and authentication methods, and Visa is getting aggressive about pushing dynamic tools to vet and shield identity.
Visa recently introduced Visa ID Intelligence, an open platform that issuers, developers and other parties can use to enable biometrics and other forward-looking authentication techniques.
“We want to provide faster access to what we think is smarter authentication technology,” said Mark Nelsen, senior vice president of risk and authentication products at Visa.
Visa projects that 20 billion devices will be internet-connected by 2020, but not all device makers put security first. This places an onus on faster time to market for identity protection. Visa wants to support forms like face ID and touch biometrics, which improve security through the use of familiar authentication habits.
“Consumers’ expectations for digital experiences have been shaped by frictionless and elegant experiences provided by brands like Apple and Amazon,” said Julie Conroy, research director of the retail banking practice at Aite Group, adding Aite’s research has found consumers choose convenience over security. “While there are certainly technologies that can offer the win-win and enable experiences that are both more convenient and more secure, getting those solutions deployed in a timely manner is a challenge for many businesses.”
Visa’s not alone in trying to move people, merchants and issuers beyond passwords, nor is its strategy new—companies have wanted to dump usernames and passwords for years. Mastercard supports “selfie” ID as part of its implementation of 3D-Secure, and fingerprint ID is a staple of mobile wallet apps, which are also building toward facial recognition.
Available through the Visa Developer Platform, Visa ID Intelligence (VIDI) is accessible through Visa’s application programming interfaces and software development kits. Visa has vetted its technology partners for security and consumer privacy, including onsite assessments, penetration testing, and ongoing compliance audits. The platform also enables streamlined contracting to shave time off of negotiations.
VIDI compares images from the user’s camera with photo IDs (driver’s license, passport, military ID), while extracting and converting information from documents into digital form. This is designed to speed account creation and serves as an alternative to calls to customer service to perform password resets or replace cards.
Biometric choices through VIDI are eyes, face, fingerprint and voice, with Daon powering the biometric technology. Applications include app login, payments, step-up authentication, and other features. VIDI offerings will expand in 2018 to user data and device data to improve digital identity decisioning, working with Neustar and ThreatMetrix.
What could be particularly helpful to banks is the ability to use open development as a “sandbox” to test and develop technology that’s part of a tailored identity risk strategy.
Dynamic authentication does not move people away from passwords, but an interim step is still welcome, according to Avivah Litan, a vice president and security specialist at Gartner.
“Supplementing passwords is important. It will take a long time to get rid of passwords, because people feel uncomfortable with getting rid of passwords,” Litan said.
With Thursday’s announcement, Visa is expediting this approach. Major breaches at Equifax and large retailers have exposed holes in prevention that exist through the payments and broader technology industries. There’s a talent shortage, fears of severe long-term impact on merchants and a concern that even larger incidents are on the horizon.
As such, there’s an “urgency of now” to Visa’s strategy.
The breaches don’t necessarily involve Visa, but have a downstream impact since ID theft usually fuels card theft. It can take up to two years to add a new security system at a bank or merchant, and that timeframe doesn’t fit a quickly changing threat environment, Conroy said.
“Anything that can cut down on the complexity of bringing more effective authentication online is welcomed,” said Al Pascual, research director and head of fraud and security at Javelin Strategy & Research.
Banks contend with far more than technical integration and contract management challenges when implementing new forms of authentication, Pascual said.
“More specifically, institutions need to determine which solutions fit into their authentication strategy across challenges and products, what vulnerabilities may exist and how to best manage for them,” he said.
Consumers encounter many authentication moments during the course of a day, whether accessing an account, checking a balance, or reporting a lost card, Nelsen said. With so many possible interactions, speed and simplicity are key.
“We’re all about speed in introducing new ID authentication technology. How can we do that faster…how can we get biometrics in wide use in six months to a year out,” Nelsen said, adding a more tangible timeline for biometrics adoption is desirable. “Biometrics are stronger and more convenient to consumers…issuers struggle with speed to market.”