The identity management startup Civic launched this summer to kill the social security number as a means of authentication — a worthy goal, but its ambitions are much grander. At Money20/20 in October, CEO Vinny Lingham revealed a bit more on how the company plans to solve the enormous and expensive identity problem.
Civic’s launch product was an alert system tied to a user’s Social Security number. When a user’s SSN comes up in a new account opening, he receives an alert, and can find out what is happening. This is intended to foil identity theft, and shines a light on how promiscuously our SSNs are thrown about by the likes of dentists, landlords, mobile phone service providers, and the rest. SSNs are neither secure nor private, yet are somehow expected to be both.
Secure Private Login, Civic’s new product, aims to protect our online identities and may be the foundation of a digital identity that can span the digital world. It aims to eliminate the email/username-and-password login that is ubiquitous across the web. Email addresses are not private, and passwords are static and hackable, making this system of logging in unsafe and a pain (“Your password should contain one uppercase letter, one lowercase letter, a special character….”). And yet we’re faced with it every day.
“The idea of using username and password to prove identity is from the 1980s,” Lingham told Bank Innovation. “It’s super insecure and we all know it is.”
Lingham, whose previous company was the bitcoin-friendly digital gift card service Gyft, thinks banks, at least, can and must do much better.
“It will be like what’s done today with OAuth to sign into a third-party site,” Lingham said. “But it’s a new generation of technology.” OAuth borrows credentials from another service, typically Google or Facebook, to log a user into another site. The problem, Lingham pointed out, is that one could create a fake Google or Facebook account and immediately use it to log in elsewhere, so nothing is actually being authenticated, and further, the user is sharing yet more information with two of the most data-hungry entities in the known universe.
“The verifier of your identity should be separated from the provider,” Lingham said. “If you use your driver’s license to prove your identity, it’s anonymous — the DMV doesn’t track you. But Google needs to know — their business is to know — who you are and what you are doing.” This makes them poor choices to be arbiters of our identities, to say the least.
Civic’s SPL offers a new way promising greater anonymity and security:
“With Secure Private Login, Civic Members first request access to our Partner web and mobile apps via the Civic mobile app, such as scanning a QR code on a website. The Civic mobile app then validates the identity of the Civic Member requesting access through facial recognition or other biometrics. Lastly, the Civic app sends unique, encrypted credentials for the Civic Member to gain access to the web or mobile app via authentication on the blockchain.”
In other words, nothing sensitive is shared and privacy is guaranteed, and with tokenization and encryption, the login is extremely difficult to hack. Competitors in the digital identity space include Trunomi and Shocard. The adjacent authentication space is crowded — a few players are Verifyoo, Trusona, AuthenticID and Au10tix.
Lingham is targeting banks as users of the service, and is currently in discussion with several institutions. Next quarter, he said, Civic will roll out several additional products for banks around the two existing Civic features.
“We’re working with banking institutions that have spent hundreds of millions of dollars verifying their customer base,” Lingham said. “We provide an opportunity to recover the cost, an open ecosystem to use that information.” An example of this ecosystem, Lingham said, is personal financial management, or PFM.
“Right now, say you’re a customer at XYZ Bank,” he said. “You go to a PFM provider, type in your bank user info to log in, in order to give a third party access to scrape your financial information — this is a broken process.” The more places you spread your username and password, the more likely that information is to be compromised. That PFM provider could have a tech vendor (or a vendor of a vendor…) whose security protocol is less than perfect, and it’s holding the keys to your bank account.
Civic could make banks the center of one’s identity, rather than a data-hungry social network.
“The basic framework is enabling banks to use their own information to issue private IDs to customers to authenticate on private sites,” Lingham said. Think, ‘Login with XYZ Bank’ instead of ‘Login with Facebook’, and it will actually be secure. And maybe your payment information will be right at hand for shopping, if you like.
It shouldn’t be a surprise that Lingham sees Civic’s identity management as having “the widest possible application” — a way for users to securely and privately authenticate across the entire digital world. Will banks step up and be a part of it?