Identification, Authentication & Authorization: The Identity Puzzle

Posted by Taylor Nemeth on Jul 14, 2021 10:01:00 AM

Our most recent podcast guest, David Birch, had so many insights into the world of identity that we’ve created a two part blog of his highlights. Our conversation was wide-ranging and fascinating, but don’t just take our word for it, you can hear the entire interview here.

david birch headshot

Part One: Identification, Authentication and Authorization

For someone who wears so many different hats, David Birch is the least likely person we know to have an identity crisis.

Birch is an author, advisor, commentator on digital financial services and is regarded by many (including everyone at PaymentWorks!)  as a top money expert. But the area where he may have the most mastery is identity, a topic he believes isn't quite as complicated as some choose to believe.

"People say identity means all sorts of different things," Birch says. "But I have quite a structured model, which I've found is useful for facilitating conversations in business. So I tend to think of it in three related domains: identification, authentication and authorization."

 

Identification

According to Birch,  identification is connecting something in the virtual world to something in the physical world. The main problem that needs solving  in the identification space, Birch says, is making the onboarding processes cost-effective. 

"It's very easy for me to establish whether you are a real person," he says. "If I can get your passport, send it to an expert in counterfeit passport and anti-terrorism, and then pass it on to credit checking agencies to make sure that you really exist -- and you haven't got the passport from somebody else -- then I could check here and there and everywhere else.”  

He continues,  "So I can find out whether you're a real person or not, but it's an enormous expense and inconvenience. Getting that digital onboarding done properly was a problem that obsessed people like me and it obsessed people in finance and payments. But because of the pandemic, of course, everybody has had to move to digital onboarding."


"I actually don't want to know who you are. I want to know what you're allowed to do, and I think that's a way of delivering both security and of course, privacy."

 

Authentication

Of the three identity domains, the one that vexes him the least is authentication, which is knowing that you are dealing with the person that you think you're dealing with.

Birch views authentication as "essentially a solved problem" and is already looking to the future.

"As companies like (PaymentWorks) develop stronger and stronger networks with more and more data and more accurate identification, I can see a slightly different future where these third-party private solutions actually begin to scale," he said. "I know it sounds very ridiculous to say it, I can easily imagine a future where your Facebook profile and your LinkedIn profile and your company LinkedIn profile actually become the basis for getting any business done. Simply on the grounds it's actually much harder to fake a LinkedIn profile than you would think.”

He went on to explain that "If I wanted to make a fake profile now because I wanted to conduct some sort of fraud I would have had to have started 10 years ago building up this profile and posting in it."  While today’s fraudster’s are patient, he finds it unlikely they are playing that long of a long con.

 

Authorization

Birch's third domain of the identity realm is authorization, which is knowing that a person is allowed to do something. Just because you have identified a person and authenticated their identity, doesn’t mean you know if they can enter into the transaction your business is about to conduct with them.

"Typically the way we [solve authorization] at the moment is by taking the identity and using it as a lookup in a database, using it as a proxy for some other thing we want to get," he said. "How you're allowed into this building or you're allowed to access this record, you're allowed to send this payment. And we need to sort of toughen up on that side of things as well."

While all three areas are essential in their own way, Birch explains that authentication is the linchpin upon which the others rest.

"Clearly, you've got to have the foundational identity," he says. "But if you go to all the trouble of onboarding me but then there's no authentication, anybody can just log in as me. That's not terribly helpful. As a general point, we want to move all online interactions over into the authorization space, in fact, I actually don't want to know who you are. I want to know what you're allowed to do, and I think that's a way of delivering both security and of course, privacy, which is becoming more and more important."

Birch is optimistic that the progress which has been made across each of the three domains -- identification, authentication and authorization -- will help companies to solve their own identity problems.

"It's not perfect," he said. "It's not where we'd like it to be, but I think the pandemic has shown pretty starkly what the costs of not having that kind of infrastructure in place are. And so people are more aggressively now moving towards practical strategies across all three of those domains.

Listen to David Birch's entire interview here.

 

Part two to be published July 20, 2021.  Subscribe to our blog (page right) to be notified when it is published.

 

See how PaymentWorks solves B2B identity challenges here.


David Birch leads 15Mb Ltd (his advisory practice), is Global Ambassador for Consult Hyperion (the secure electronic transactions consultancy that he helped to found), Non-Executive Chairman of Digiseq Ltd, Ambassador for Jersey for Fintech, a member of the Governing Council of the Centre for the Study of Financial Innovation (the London-based think tank) and holds number of board-level advistory roles. He is an Honorary President of EEMA, the European e-ID Assocation. Before helping to found Consult Hyperion in 1986, he spent several years working as a consultant in Europe, the Far East and North America.

Dave was named one of the global top 15 favourite sources of business information (Wired magazine) and one of the top ten most influential voices in banking (Financial Brand); created one of the top 25 “must read’ financial IT blogs; was found to be one of the top ten Twitter accounts followed by innovators, along with Bill Gates and Richard Branson (PR Daily); was ranked in the top three most influential people in London’s FinTech community (City A.M.), was voted one of the European “Top 40” people in digital financial services (Financial News), was listed of the world’s top 100 fintech influencers (FinTech Weekly), rated Europe’s most influential commentator on emerging payments (Total Payments) and was awarded Contributor of the Year 2018 by the Emerging Payments Association.



Topics: podcast, risk, identity

PaymentWorks-Logo-Black_600tall

The Business Identity Platform that automates complex payee management processes to:

  • Eliminate the risk of business payments fraud  
  • Reduce cost
  • Ensure compliance

Sign up to be alerted when we publish interesting things

Recent Posts