Let’s talk about digital identity with Keiron Dalton, VP and UK Country Manager at Prove.

In episode 66, Keiron talks to Oscar about mobile/phone-centric identity, and what it offers to users and organisations that other types of identity/security measures can’t. They also explore the key challenges when it comes to mobile identity and how to mitigate against those, particularly when it comes to vulnerable people.

[Transcript below]

“Mobile is obviously the most relevant future-proofed method of verification.”

Keiron Dalton is currently UK Country Manager and VP for International Market Development at Prove. Prior to Prove, Keiron has had roles within the GSMA’s Mobile Connect programme, BT’s mobile identity division and successfully helped to establish the UK mobile identity ecosystem as it stands today.

Connect with Keiron on LinkedIn.

Find out more about Prove at prove.com.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

 


 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Welcome to a new episode of Let’s Talk About Digital Identity. And as you know pretty well, from experience and hearing from others, mobile phones are super important for identity, already they are having a leading role into that. So that’s what we’re going to discuss today.

And our guest today is Keiron Dalton. He’s currently UK Country Manager, and VP for International Market Development at Prove. Prior to Prove, Keiron has had roles within the GSMA’s Mobile Connect programme, BT’s mobile identity division, and has successfully helped to establish the UK mobile identity ecosystem as it stands today.

Hello, Keiron. Welcome.

Keiron Dalton: Hi, thanks for having me.

Oscar: It’s a pleasure talking with you, Keiron. Definitely, it’s going to be a super interesting conversation. And of course, we first would like to hear more about you, our guest today, and how you came to this world of digital identity.

Keiron: Yeah, sure. So, it’s probably been about a 10-year journey now. So prior to that I was kind of in a product management role working in a number of different areas. But then I joined a start-up that was based in the north of the UK. And what we did was we recognised the opportunity around mobile, when it comes to identity, authentication, and fundamentally verifying who the user is. And what we did was we accessed, at that time, data from mobile networks to establish account takeovers, things like that.

So that was, like I say, probably about 10 years ago. So over the last 10 years, it’s been really a focus of mine to get that concept to be kind of recognised more legitimately. So working with a number of the, in particular, banks, working with telcos and that’s globally. And that led me to joining, for example, the GSMA, working with their Mobile Connect programme, helping BT with their mobile identity proposition.

And then now I’m in Prove, where really, it’s taking that kind of 10 years of insight and 10 years of kind of understanding of value, and helping Prove bring that to market, both in the UK and anywhere really outside of the US. So it’s been an interesting ride. But yeah, I think it’s probably, in terms of momentum, it’s probably as fast paced as it’s ever been. So yeah, it’s quite an exciting time.

Oscar: Excellent. So if you can tell us very shortly what Prove does, if it’s more into the mobile authentication or to identity verification, what would you say?

Keiron: And so we have a very kind of short sentence to explain what we do, which is it’s phone-centric identity. So what we do is, if you think of it as being – and obviously, it can get more complicated than this – but it’s basic as leveraging the phone number as a mechanism to understand if you can trust the device, the number, the person, et cetera at the other end. So that helps with authentication, but also things like onboarding and general identity verification as well.

Oscar: I understand, so the key here is the mobile subscription, of course, and mobile subscription of a person, and that enables several services that tackle different problems. So thinking of this mobile-centric identity, what does mobile-centric identity offer the user that other types of identity cannot do?

Keiron: So the first thing I would say is its relevance. So the ubiquitous nature of mobile, and I hate saying this term, but like they– the whole digital transformation that’s particularly occurred during the whole COVID era. What we’ve done is because we centre on mobile, and we centre on creating the most frictionless journey possible but with rigor and security at the heart of it, it ensures that, like I say, there’s a relevant proposition there for anybody that has mobile as part of their offering.

But also, if you think of, it wasn’t that long ago that – using the banks again, as an example, they were offering tokens and people had to use hardware tokens to login, and things like that. Well, we’re using the mobile as a possession factor. And suddenly that opens up a world of opportunity around understanding whether somebody is in possession of a device, without using tokens, or even using things like SMS OTP, which is another kind of legacy technology that we’re currently in the process of reducing the reliance on.

So yeah, relevance is probably the key element, but also, it’s the opportunity from that relevance going forward as well, which is meaning it’s kind of resonating.

Oscar: Yes, relevance, because it’s widely used, of course, the mobile phones. I don’t know exactly what the statistic if you have statistics today, but it’s billions of people.

Keiron: Some crazy numbers out there. Yeah. I mean, the way I look at it is if you look at the UK as a prime example, I think there’s 90 plus million numbers now that are active. When you consider that– and this is another thing that’s critical for our proposition that any individual typically will get access to a mobile ahead of a bank account or any other kind of digital service. The average, based on current trend, is you get your first mobile when you’re 11.

So if you think there’s 90 plus million mobiles out there with a history and a behavioural pattern, and various other things, and a tenure fundamentally, that starts from age 11. It means you can start to get a picture of what somebody is, who somebody is, the risk associated to somebody, at a very early age. Whereas before, it was always difficult, because, you know, fundamentally, at the age of say, 16, 17, 18, it’s highly unlikely these days that you’ll have a house or utility bills or other methods of kind of confirming identity, if you like.

So again, it comes back to that relevance element, obviously, as you’re saying, kind of the ubiquity of mobile. And let’s face it, I think I lose track, there’s some hideous number of mobiles out there – 6 billion, or whatever it is, 7 billion, but it’s– yeah, it’s clearly obviously the most relevant kind of future-proofed method of verification as far as we’re concerned.

Oscar: Yeah, no doubt. And how this translates to the benefits for things, especially from the perspective of organisations, benefits for organisations that are offering some type of mobile identification.

Keiron: Yeah. So if you look at that, again, I’m going to centre on the UK because I’m sat in the middle of London. We’re currently live and operational within a couple of tier one banks. And a lot of what we’re focusing on is, let’s call it kind of digital onboarding. So it’s the idea of registering for mobile app, or re-registering, but in a way that’s frictionless and secure.

So we’ve deployed for example, our technology, within those arenas, because those are heavy requirement for SMS OTP as a step up, which was leading to in particular fraud losses, but also friction and challenges for the end user. Because you’re constantly copying and pasting OTPs across and things like that.

But the second thing is just purely that frictionless element of being able to remove all barriers. And so if you look at some of the numbers, and this is where, in some instances, you’ve got a bit of a kind of unicorn, as it’s called, in terms of, from a customer experience side, we’re seeing an uplift of a minimum of 25% on day one, in terms of registrations, because of the friction being reduced.

And then from a fraud standing, some of the banks that we’re working, where they’re telling us that they’re saving anywhere from £100,000 to £150,000 per month, purely because you’ve got a scenario where we’re taking out the challenges of things like social engineering and scams wherever possible, and ultimately, just trying to make it as straightforward as possible, with as few clicks as possible to register for these things.

Oscar: Yeah, like the account takeover protection, features like that.

Keiron: Yeah. So, if you think of it as being– and the last thing I want to do is go into a sales pitch. So, but if you think of it, it’s kind of two-fold in most of the use cases that we’re involved in. So first and foremost, determining the possession of the mobile number has always been done typically with an SMS OTP, where you’re asking the end user to confirm, “OK, it is me.” The problem with that is that those texts can be compromised, man in the middle attacks, social engineering, those types of things.

So number one, we removed the SMS OTP from the equation, and we’ve got another method, which is leveraging the network itself. But then the second element is actually getting an understanding of that number. So what is the tenure of relationship with the end user and the number? Has there been a recent SIM swap? It could even be something along the lines of, is the number a voice over IP number, or is it a mobile? And obviously, all of these things will generate different trust and risk profiles.

But the fundamental thing, and this has been my thought process for a long time, and thankfully, it aligns exactly with what Prove do. It’s focused on the good. So it’s focused on how can we establish trust around this number, rather than just going, “Right, something looks bad. Don’t let them through.” Because the last thing we want to do is generate tons of false positives and create that friction.

So the idea is that wherever we can glean confidence to give the enterprise the opportunity to let somebody register, or onboard, or whatever it may be, you know, that’s the critical element for us. And that’s the focus.

Oscar: And you mentioned, for instance, banks or financial institutions, you’re helping this type of organisations and still focus on organisations. What other type of organisations are benefiting most with this type of identity?

Keiron: Really good question. So I often get slightly fixated on the usage of the term bank. So just on a wider note. So if you look, I’d say probably the highest growth area for us at the moment is still associated to financial services, but it’s around crypto, and helping to try and provide more confidence and trust around fundamentally what’s going on in that kind of decentralised world. So that’s a high growth area that we’re seeing globally.

Outside of that, something that we’re seeing more and more particularly in the UK, and this actually touches on another topic that’s close to my heart around kind of vulnerability and affordability, but the whole kind of gaming gambling space. So where you’ve got individuals that are, OK, that can be onboarded, because you know, they may have a bank card that can be registered and they’ve got a name and address that is fine, and their credit history might be OK, if the gambling operator, for example, wants to, you can check that.

But what we’re doing at the moment is we’re– it’s kind of two-fold. It’s one, we don’t want to create any friction, as per usual, so we’re helping slicken processes up. But we’re doing that in a way with a very kind of ethical, social kind of conscious, if you like. So this is where, touching on, if you look at kind of mobile identity or digital identity, we obviously centre on that number, as I said before.

But actually, that number then leads us to getting an understanding of OK, who owns that number? And then from who owns that number to leveraging things like open banking, and then using open banking, then to understand vulnerability, affordability, and all of that can all be encompassed into a very straightforward process that starts very simply with a mobile phone number. But it gives the opportunity then, to get a bit more context, which is obviously something that we’re keen to do, because we don’t want to– as much as you want to slicken processes up, we don’t want to do it inappropriately, shall we say.

Oscar: Yeah, definitely. And what do you say there are the key challenges with that now, OK, this type of mobile identity where we have just heard the benefits. But what are the challenges that still are today?

Keiron: So I’m going to go back to GSMA days. And anyone who doesn’t know the GSMA – think of them as being kind of the UN of the mobile operators, it’s pretty much where I saw them.

So one of their key drivers is around driving standards, consistency. And if you look at, for example, some of the things that we’re doing in the UK, or even the US or Canada, Spain, France, you know, you pick any country, it doesn’t necessarily mean that we can replicate them like for like in Mozambique, or Ghana, or Chile, I mean, just picking three random countries off the top of my head. And so, I’d look at it more the challenge is, it’s not the opportunity, it’s not the value it drives, it’s more around that global ecosystem, where it relies on the Telcos to kind of support it. Some Telcos operate at different speeds, some are interested in this, some aren’t.

And so, if you look at Prove as a set of capabilities, just as an example, we will enable the key capabilities that we can wherever we can. Where we can’t do that we’re always having to look at, OK, what’s the fallback? What other technologies can we leverage? What’s appropriate in a particular region? And so, it’s difficult to kind of do this cookie cutter approach and just go, “OK, we’ve done this in this country, let’s do exactly the same in another one.” Because actually, it’s relevant in some but not in all. So that’s typically the issue.

But I mean, one thing I would say just on the challenges side of things, one thing that any entity that’s in this space has to be really cognizant of the fact that when it comes to the operating systems as well, clearly different features, different security measures, et cetera, are being implemented on operating systems on mobiles all the time. We and I are very conscious of the fact that it’s critical that you don’t rely too much on the device. So it’s more around the connectivity, and the fact that if you’re using a smartphone or a feature phone, the reality is it shouldn’t matter.

Obviously, there are certain things you need an app for, but ignoring that there should still be a route to understanding the trust of a number without having a presence on the device itself. And I think there are other vendors and other you know, there’s other entities that do very similar things. But, you know, that’s a critical thing to make sure that that ubiquity is there. At least there’s some ubiquity.

Oscar: Yeah, exactly. That’s correct. That’s often one aspect that is not mentioned, because most of the newer, more modern standards and products are more focused on the high end, or the newest mobile phones, because of course, there are still the feature phones. I’m sure there are millions of those. Yeah, and…

Keiron: Oh, yeah. Well, you look at some of the– and we might touch on this in a second. But some of the projects that we’re working on at the moment, it’s kind of fascinating to see, even from a mobile network standpoint, that things like 2G and 3G are still leveraged for phone calls. So that it frees up, for example, the whole 5G elements so that it can focus on you know, changing the world and you know, high data throughput and things like that.

So it’s always a– kind of when the GSM standard came in, that were – we’ll say the ’90s or whatever, but if you look at that foundational element, yeah, there have been some changes and tweaks in things but you know, at its core level, whether you’re using a Nokia from 20 years ago, or you’re using the latest Samsung, the reality is, is that you’re connecting to a network in very similar ways. So it’s just all the things have been added on top, if you like, layered on.

Oscar: And what about the challenge, particularly when it comes to vulnerable people?

Keiron: Yeah, funnily enough, I’ve had an experience around this very recently with my parents. So they’re very much classed as they’re the kind of critically vulnerable and they were dealing with a bank that they both use. And they were trying to do very simple things. One was getting a new card delivered, the other was adding a mobile phone number so they could receive a one-time pass code for PSD2 SCA.

The thing that struck me was, you know, the reality is, is not everyone has a mobile, for example, or not everyone has a digital account, online account, whatever you want to call it. But what I would say is that there is enough understanding of who the customer is, their patterns of behaviour and how they fundamentally interact with a bank or any other enterprise for that matter, they should lead to a service that is relevant for that individual.

And so, very kind of brief example, but when I was in BT, we were doing a lot of work– or not we, I mean, I wasn’t doing a lot of work, but BT were around vulnerable and what we can do around connected devices. And the fact is, is that if you look at BT, they’re aware or they’re connected to over 50% of UK households.

They know the mobile signal that somebody has like all the other Telcos do, they know whether they’ve got broadband or speed of broadband, they know, you know, all of these things are contextual insights that should be, “Well, if an individual doesn’t have a mobile and doesn’t have broadband, why are we trying to force them to do online banking, because that’s physically and fundamentally impossible?”

So yeah, for me, it’s one, understanding the user more and getting more context around it. But then secondly, and I’d touch again, on this older technology stuff, it’s making sure that you know, even if you can’t do everything, at least a portion of what you do, can still be done on older technology, and that you’re not leaving people behind, because it shouldn’t need an upgrade of a phone to be able to access a certain service that’s a foundational element of banking, for example.

Oscar: Yes. So you work with– with organisations you work, you somehow help in different ways, of course, there are different scenarios, as you mentioned, to mitigate all these challenges, particularly, let’s say, vulnerable people?

Keiron: Yeah, it’s– what I would say is that, it’s still– how do I describe it? It’s probably embryonic in terms of some of the thoughts and the practices that are still, you know, being worked on and being introduced. Because the reality is, is that the overriding thought of any organisation is basically get people to operate digitally, save costs, et cetera, et cetera. What I would say that we’re doing more and more of is, it’s trying to help understand those that may be more vulnerable, or maybe need additional support, or different journeys, and what those journeys can look like. That doesn’t make it kind of cumbersome. And just being aware of kind of one size doesn’t fit all.

Another random example, but in a previous life when I was working in a different vendor, we used to deliver a phone call, which would ask the end user to enter a PIN number. We determined at some point, and it was a bank that told us that there was 80,000 customers of that bank that were hard of hearing. So they couldn’t play the process. So we had to look at other ways of authenticating.

So it’s that granular insight that can help you deliver a better experience or a more relevant experience. So yeah, it’s very much work in progress. But it’s something that I find quite fascinating, because it just kind of changes the thought process a little bit more.

Oscar: Yeah, and it is super relevant to talk about this. I mean, because sometimes people ignore that, in all these cases, that as you mentioned, how many people have hearing problems is much bigger than one might think. So it’s important to talk about this, and keep in mind in every new project, and also, of course, in existing projects that need to be improved.

Keiron: Exactly. It’s an ongoing process, I think is fair to say. One thing I think that has helped as well, you know, there’s more and more kind of testing and innovation and kind of this approach around labs. We’re getting a cross section of a demographic of customers to try certain things to see how it performs and how it works. You know, I think these things are invaluable, because, you know, you can sit in a room and then theorise over a lot of things, but the reality often can be quite different. And so, yeah, that kind of testing and trying and seeing, you know, where the value is, is particularly important.

Oscar: Yeah, definitely. And mobile operators are, let’s say– if you see like a GSMA, like OC and like many operators across the world, who are this category of companies who are in many countries have this role of identity providers, they are doing these roles, you are working a lot on that role as the mobile operators have this big responsibility, of course, to provide the identity.

And as you have mentioned also in one of the cases, it’s even providing some of these identification services, so this complementary identification services to the banks who are the other group of companies who also provide, in some countries, of course, also digital identity. So it is very important role of the mobile operators to be always, of course, very trustable, secure. So what would you say in the implications for there is a definitely a rise in scams, social engineering… So what would you say on this aspect?

Keiron: Yeah, really good point. So, the way I look at this is that I think a lot of kind of identity services that are out there focus on determining for example, “OK, is this the same device? Is this the same user? et cetera, et cetera.” The reality is, when it comes to social engineering, in the scam side of things, those two boxes are ticked, because it is the same user, it is the relevant person who is using the same device, et cetera, et cetera, they’ve entered the password and all that kind of stuff.

But obviously, there is somebody on the kind of periphery, then that’s phoning or calling or texting or whatever, to try and encourage somebody to say make a payment or make a kind of high-risk change. What we’re doing more and more of, I think fits in two buckets. So, I think there’s a huge opportunity around behavioural biometrics. We’ve acquired a company fairly recently, but just generally, there’s an opportunity there around understanding, OK, the way somebody is interacting, has there been an obvious change whether it’s been triggered by emotion or, you know, fundamentally kind of panic or whatever? Obviously, that kind of frantic tapping of buttons and things should highlight that something’s not quite right.

Something that we’re doing on the Telco side is we’re currently active in a project that we’re loosely calling kind of scam signals. So we’re looking at are there behaviours around a number associated to things like high-risk transactions and high-risk individuals that flag something that doesn’t seem to be right? So it could be anything from how somebody received a phone call recently, with a withheld number. Is there a phone call currently active whilst the payment is occurring? How many– have there been a number of text messages delivered to a particular number prior to a transaction?

There’s a whole heap of kind of data and understanding and data science that’s going on at the moment to establish, OK, what can we determine from a network level that can help a bank, or it could be pay another, you know, anybody that fundamentally, you know, can be socially engineered? You know, we want to see if we can come up with ways of mitigating that without just relying on the education element, which is what everyone has relied on up until this point.

Oscar: Yeah, yeah, that’s correct. Exactly. Mostly, we’ve been taught that education, training and awareness is mostly the only one. But of course, that’s super interesting, the approaches you just described, both on the mobile phone on the application or on the client side, and also on the operator side.

Keiron: Yeah. And it touches on the point you made earlier as well. I look at this in exactly the same way that the two kind of identity providers, probably too grand a term, but if you look at a bank, and you look at a Telco, between those two entities, you should have as good an understanding of somebody as literally anybody could physically have. There’s all the transactional information, there’s the tenure of associations of different brands. And then when you come over to the Telco side, you’ve obviously then got more patterns. And it could even be movement, or don’t use location as an example, because we don’t want to go anywhere near location.

But just understanding you know, if somebody suddenly is not in the country that’s trying to perform a transaction, without delving into where they are, that in itself is a signal that, you know, is powerful. So, between that and the bank’s understanding of where people transact and stay, I mean, it’s really a no brainer. And that’s what I mean I often coin the term that you’ve got open banking, I look at the mobile side now that it’s not quite open banking levels, but it’s almost Open Mobile, as in APIs are being created in a way that are compliant, palatable, as in you know, we’re not delving into deep secrets of anybody. The reality is, it’s questions and answers. It’s highly secure, it would mean nothing to anybody else who got access to those APIs. Similar to the banking world, but it enables us then to start verifying things that you know, potentially before we couldn’t. So yeah, it’s exciting.

Oscar: Yeah, definitely. It is. It is and I could – after hearing all this conversation, I can see of course, I mean in any country, for instance, in UK, that you’re actively working, but in any country, where there is not, for instance, bank authentication or something, identity provider, very strong, yeah, mobile is definitely sounds like a great solution for that.

Keiron: And just to touch on that very, very quickly and conscious that I do over elaborate on the answers. If you look at it, so for example, we’re working with some customers at the moment, they have certain countries where they can’t get an understanding of risk. So maybe, for example, the credit reference agency ecosystem isn’t quite as mature as say, the UK or US or wherever else. But what we can do is we can turn around and at least give some indication of well this individual’s had this mobile for this length of time, and we’re looking at the signals that we’ve managed to establish, it looks trustworthy. So it becomes an opportunity like a new revenue stream as opposed to just being checks and balances.

The second thing very quickly is when you come out of banking, and you get into, or even, you know, could even be in banking, but if you’re applying for a product or a service, and you’re 17, 18 with a thin credit file, this again provides an opportunity of other ways of measuring risk and whether you should fundamentally allow it to happen or not.

So you’ve got people like Telefonica, you know, they do things like micro loans in Spain, and they base it on, you know, your Telco presence, as opposed to, you know, your credit history. So, you know, you could argue it’s probably more relevant, you know, if you’ve paid an iPhone bill for the last three years with the same brand, and you’ve never missed a payment and all the rest. Then, OK, I think you’re pretty good for 1000 pounds worth of a loan. So yeah, just wanted to touch on a couple of examples.

Oscar: Exactly. Yeah. Thank you for that. Final question for you, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Keiron: So I want to emphasise here that the opportunity around this, I think we very much only scratched the surface, something that I try and advocate in every speaking engagement that I ever have is carving out the opportunity to try and test and assess and look at the value and fundamentally take it from being a – or hypothetically, this could make a real difference to actually, can we test it on a subset customers? Can we do offline studies? Can we get data science teams together and look and see if there are any kind of– I love to use the term silver bullets, but sometimes there may be silver bullets, but are there indications within what we know from an identity perspective, in a world that’s largely untapped, that can enable new services or make things easier for people?

And so, the emphasis for me is it’s not difficult to start to look and test these things. And that can be globally as well incidentally. Because sometimes it’s interesting just saying, “Well, OK, we’ve never considered Mozambique. But it turns out you’ve got 1000 customers there, let’s try and make life easier for them. And let’s do it in a way that it’s security first and all those kinds of things, but fundamentally by doing as opposed to talking.”

Oscar: Yeah. I couldn’t agree more of course, doing things, testing as you said some services and still talking and hearing of course. Well, thanks a lot for this very interesting conversation. Keiron. Please let us know how people can follow you, get in touch with you.

Keiron: Yeah. I think in terms of social media, if you look for Keiron that’s K-E-I-R-O-N, Dalton on LinkedIn, more than happy to connect to anyone and everyone and have a conversation, so there’s that. If you go to prove.com, it touches on some of our solutions, plus it gives you an insight into what we’re doing globally as well. But I’d be more than happy to follow up and have conversations with anybody. Yeah. And I’m always willing to learn as well. So that’s, that’s another thing I want to make sure to throw in there.

Oscar: Fantastic. Again, it was a pleasure talking with you Keiron, and all the best.

Keiron: Thank you. Thanks very much for the opportunity.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]