As interest in remote identity verification and strong authentication has accelerated during the last few years, Prove has emerged as a leading vendor in the digital identity space. The company was quick to recognize the massive potential in leveraging mobile technology for identity verification, and showed innovation by adding behavioral biometrics to its technology mix through the acquisition of UnifyID in 2021. More recently, the company has added fuel to its ascent in the form of talent, bulking up its management team with new CPO and CRO appointments. So it’s the perfect time to catch up with the company’s VP and Global Head of Identity & Fraud, Ryan Alexander, as Prove picks up steam in early 2023.
In this conversation with FindBiometrics’ Peter Counter, Alexander examines the many facets of the ongoing fraud crisis, and presents the solutions that stand to solve the problem of identity on a global scale.
Read the full interview with Ryan Alexander VP, Global Head of Identity & Fraud, Prove:
Peter Counter, Editor, FindBiometrics: Ryan, thanks for joining me. Can you tell my audience a little bit about Prove and about yourself?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: Prove is our modern way to identify and authenticate consumers, and we do it through your phone. We do it through the method that everyone has closest to their body, and they take with them everywhere they go. People don’t tend to ever leave their phone for more than a minute, and people are on their phones all the time.
We help customers in the financial services, healthcare, e-commerce, payments industries, among others. We’re also global in nature. Right now, our focus is on the UK, Brazil, and India, but we also have capabilities and services in other countries.
As for myself, I’ve been at the company for about two and a half, almost three years. I’m currently the Global Head of Identity and Fraud Product, and I have a background in financial services companies in tier one banking. Previously, I was at Wells Fargo for 10 years, both in fraud prevention and authentication in product. And prior to that, I was a Chase and Washington Mutual, mainly in fraud prevention at customer account open. I have a long history in trying to battle the identity problem through banking and account open, where you see bad actors using synthetic identities, and committing identity theft with real identities. It’s been a big challenge fighting fraud on the front lines at these banks. That’s been my biggest passion here at Prove: I want to make a big, positive impact to help solve the identity problem for the nation, and globally as well.
Peter Counter, Editor, FindBiometrics: That’s something we’re passionate about at FindBiometrics – this idea of the human at the center of everything we talk about.
As you very well know given your history, financial services have been on the forefront of identity technology adoption for about a decade at this point. And, things have really ramped up with the identity verification explosion that we’ve seen over the past six years. My question for you now is: how have the demands of the financial sector changed, and what is Prove doing to keep up with the evolution of the market?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: Financial services companies really feel the pain when they get it wrong. When I say pain, I’m speaking to the fact that there’s a lot of financial loss that comes along with getting it wrong. This loss can be big, and it can be immediate, so it’s important to learn the ways to get anti-fraud right going forward. On top of that, over the last two to three years we’ve seen a large shift towards digital banking that has really highlighted how important it is for financial services companies to strongly know their customer while remaining compliant with digital regulations and minimizing friction on the customer’s part. More and more, in our digital-focused world, customers are coming to expect to get through online processes quickly and with minimal friction.
Additionally, with regulations like CCPA and GDPR, there’s been a movement towards focusing on privacy and stronger authentication. At Prove, we’ve focused on that from a token perspective. So we have identity and phone tokens that can preserve the privacy so we’re not passing identity data back and forth, but instead rely on these tokens for authentication. For stronger, more secure authentication we use cryptographic keys in both the identity proofing account open process, as well as for ongoing authentication. And while we do use SMS and SIM authentication, there is a large push for a reduction in reliance on the mobile network as an authenticator.
At Prove, we’ve been focused on device authentication, launching a product called Prove Auth, that works both from an app perspective and a web perspective, where it can use FIDO2 and WebAuthn. We’re also preparing for the future to follow certain standards too, so, when we do share proofing events, we’re also following common open standards – things like Open ID – so that we can all communicate following the same standards when it comes to identity and proofing.
Peter Counter, Editor, FindBiometrics: Absolutely, that interoperability aspect is very important when we’re talking about addressing the problems, not just for target regions, but actually the whole world. At the core of everything we’re talking about, fraud is the major driver here when it comes to digital identity technologies. Not just in financial services, but all over the place. Why does the modern fraud landscape of today demand a platform-based solution like what you folks have?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: I guess it’s simple, because you need to carry the intelligence into every aspect of a customer journey, whether it’s starting at account onboarding, ongoing customer servicing, or authentication. And then beyond that, with ongoing customer identity management monitoring for identity changes.
For our customer on onboarding it’s really important to make sure we’re identity proofing the customer, verifying that they are who they say they are, while following all compliance and regulatory needs required by the industry. When you do that, you want to then bind that identity to the device authenticator, and then carry that device authenticator forward into the customer servicing and ongoing authentication processes when they go to make a payment. You want to be authenticating them in this modern way, without passwords, and not reliant on the carrier network. Also, using strong authentication for account recovery is important, because you’re only as strong as your weakest link.
Another advantage is ongoing customer identity management; using tokens to monitor for identity changes, phone changes, contact information changes, and the like. There are also compliance requirements that are coming out in these payments networks that will, for example, make it a requirement to monitor that you have a mobile phone and that it’s active. But I question how it’s going to be possible to monitor those changes every day – are you going to be validating those phones every day, and validating the identity changes every day, paying that money?
This is something where you need to have the identity management as part of the ongoing compliance for even some of these payments networks, which is really important. Sometimes these compliance requirements will require the bank to have a process to solve for it. So, it’s becoming more and more important to have a platform-based solution that that looks across the customer journey, rather than just a point solution that focuses on one part of the customer journey to avoid those gaps in fraud prevention.
Peter Counter, Editor, FindBiometrics: I want to dig a little bit deeper into some of these fraud threats. You mentioned synthetic identity fraud earlier on in our conversation, and that’s something that’s really been focused on in our industry because of this IDV boom that we’ve seen. What are the key differentiators in identity platforms that make them effective when it comes to thwarting synthetic identity fraud?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: That’s a great question. I think it really starts at the front door. I’ve been in fraud prevention at banks where, specifically an account open, I would have battles with the sales folks that drive the account growth – which is at a really important part of the business. They would say, “Let’s just delay those type of controls until they get to the payment,” all the while relaxing on some of the controls to make sure that we’re identity proofing the person at the front door. If you don’t identity proof them at the front door, then you become more vulnerable when they get to the payments, and now you’re letting a payment go through that is a synthetic identity.
It’s really important to get it right at the start, to not rely on down downstream controls that don’t solve for identity proofing. Because there’s an assumption that you’ve got the identity right by the time they’re going through the payment. You have to get it right at the front door, and that starts with strong proofing.
Our approach to this proofing is through a phone, using this concept of having possession of your phone, looking at the reputation of your phone, and also, looking at the ownership. Who’s the rightful owner of that phone? Or who’s an authorized user of that phone? Synthetic detection is also important to validate against the golden source of record in terms of the social security administration.
That’s another way that synthetic identities are created and most often proliferated, in the bureaus, where you’ll see someone else’s name or information associated to a different social security number. If you can validate it directly with the Social Security Administration, I think that goes a long way to battling it.
I’ve been mentioning tokens, but I’ll introduce this concept of looking at heartbeats. With synthetic identities, they’ll be used here and there, and then they’ll go quiet for a while, right? But for a real person that is using their phone on a daily basis, there’s this concept of a heartbeat, where they’re always authenticating every week, every day, every month. And because of that you have this ongoing heartbeat of validation.
For example: Peter is using his phone every single day, so you connect Peter to his phone and you monitor those “heartbeats” of activity. And that shows you a non-synthetic identity. So the concept of heartbeats can also be used to prevent against synthetic identity because these synthetic identities are just used for a little bit of time, and then they go quiet. So, to summarize: I think the differentiators are: strong authentication at the front door, combined with validating against golden sources of records, as well as monitoring for heartbeats.
Peter Counter, Editor, FindBiometrics: I really love the term you gave it there: heartbeat. I don’t think I’ve heard that before. I really love that, especially given that we’re so focused on liveness in our industry. Speaking of synthetic identities, I don’t think the average person really realizes that fraud, by its nature, occurs mostly within authenticated sessions. So it’s, it’s refreshing to hear you say that we have to have it at the front door and then carry it all the way through.
Perhaps the most frightening type of fraud from a victim’s perspective is SIM Swap. This may be partially due to some fear mongering via the media; I know I’ve heard about it in podcasts, these horror stories of people losing their houses and cars, et cetera, but in the end it’s a very common, very successful form of fraud. What makes SIM Swap so difficult to address, and how can modern identity technologies address it?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: I think the frightening thing about SIM Swaps is that they’re just so personal. You feel helpless. Both your personal and business text messages go to a bad actor or some unknown person, and if you’re traveling, you feel stranded and unable to alert your carrier. That’s the frightening aspect of it. And SIM authentication can be very hard to address because there are just so many vulnerabilities, that allow fraudsters the opportunity to beat it. As you mentioned, SIM Swap is one major type of fraud that’s reoccurring, and people don’t realize sometimes that you can do a SIM Swap at the carrier.
For example, let’s say you’re at Verizon— some fraudster can go to Verizon and SIM Swap your phone there. Or a fraudster could also go to a separate carrier – let’s say AT&T – and they could convince AT&T that they’re you, and they’d like to port your number away from Verizon. That is also classified as another type of SIM Swap, but it’s a port. These are just examples of one type of vulnerability in what I’ll call SIM authentication, but there are a number of other vulnerabilities that can crop up but then get suppressed.
Some of these vulnerabilities have to do with network infrastructure, like message duplication services. An example of this was something called “T-Mobile Digits”. I’m not trying to pick on anyone carrier, but T-Mobile had a customer friendly way to duplicate messages on other devices, so if a customer was using their iPad or some other device they could see the text messages when they come in. Fraudsters exploited that system and it almost worked like SIM cloning, which is a relatively recent type of attack.
And then there are just different security practices by each carrier. You know: one carrier might have stronger authentication and fraud prevention measures than another one. And then, even if you get everything right, you still are vulnerable to the social engineering aspect of the SIM authentication. SIM Swap scams are just one area. And it’s funny that with all these vulnerabilities out there, SMS authentication is still very common in today’s world, and while it’s stronger than the traditional, knowledge-based authentication – or what some people might call the out-of-wallet questions – it’s not enough to stop these threats.
The way Prove addresses this is that we’ve moved to device authentication. SIM authentication is good and we can help make it strong, but you don’t want to be reliant on that for every single authentication event. That’s identity proofing at the front door, and then issuing device credentials – things like a cryptographic key, FIDO2, WebAuthn, and PKI device authentication that’s reliant solely on the device – and is not reliant at all on the SIM card. You could turn off your phone signal carrier altogether and it would still work as long as you’re on Wi-Fi, connecting to the bank. That’s been our focus: moving towards device authentication and we have a product called Prove Auth that does that.
Peter Counter, Editor, FindBiometrics: Right there, again – that’s exactly the reason to move away from dependence on the carriers. I recently spoke with your colleague, Tim Brown, on our ID Talk podcast. He brought up something that I think is quite often overlooked: first party fraud, a scenario where an authenticated user makes fraudulent claims of their own authorized purchases. That to me seems like a unique puzzle for an identity technology because you’re trying to catch a truly authenticated fraudster. How can identity technologies address first party fraud?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: I think this really goes back to that platform play. If you strongly identity proof that customer at account open, and then at that point you bind that identity to a device with strong device authentication – say FIDO2 or PKI – and then you monitor those heartbeats and see that person is using this same device for authentication over time, when you see that same device be used with that strong authentication, the customer can’t just say “I didn’t do that transaction on my device.” It becomes a harder story for them to sell.
If they had a fun late night, and they decide they’re doing to buy a TV, and then they wake up in the morning, hungover or something, and are now like, “Oh, shoot, I regret buying that tv, I don’t really want it,” they might claim fraud and say they didn’t do that transaction. But when they actually make that transaction on their device with a strong authentication, the transaction can even have a watermark that shows that this is certified to have been done on the customer’s device. They can’t really just say that this was completely fraud and that they had nothing to do with the transaction.
Peter Counter, Editor, FindBiometrics: Right, we see this a lot in other industries as well. Having a strong audit trail is important in time and attendance, medical safes, and things like that. It’s really helpful to just have that assurance that it actually was an authenticated transaction. You keep mentioning that we have to start by proving somebody’s identity at the front door, and there are so many identity verification solutions in the market right now that are trying to do that because of the digital shift that we saw during the early days of the pandemic. What are the crucial aspects or differentiators that set an onboarding solution apart from its competition?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: I would say strong identity proofing, unique human checks to mitigate bots (which is another aspect of this), and having strong fraud prevention measures.
For strong identity proofing, having two-factor authentication and not just relying on knowledge-based authentication – which historically has been a weak point, and I know a lot of financial institutions getting better at this – but having ‘something you know’ and perhaps ‘something you have’ to proof customers. And then also having cryptographic key authentication, which we do with the SIM card. The SIM card is a cryptographic key, and we focus on that cryptographic key over these risk-based authentication (RBA) solutions. So, having a probabilistic idea of that we think this is right versus, “No, this is 100 percent the key.”
Our CEO tells a story that I just love: If telephone companies took a risk-based approach to authentication – an RBA approach to connecting calls – they might say, “When Peter dials his mom, if he’s in a weird location, I’m not going to connect this call.” And you would say: “No, connect my call, I’m calling my mom with my phone, connect my call!”
There is no risk-based authentication approach with the carriers. If you show up with that key, your call is connected because it is a deterministic way to prove your identity. So again, strong identity proofing with some two-factor authentication – something you and have something, you know, along with using a cryptographic key for authentication.
When you’re doing that, that will automatically mitigate bots because it’s hard to compromise a mass number of phone numbers with these cryptographic keys at scale. Just having that type of authentication is a natural bot-mitigator. But then, also having strong fraud prevention measures on top of that. Whether it’s like looking at short identity tenure, high velocity, impossible travel, or having some sort of burner phone – there are a lot of different fraud prevention measures that are important to have as part of this process, too.
Peter Counter, Editor, FindBiometrics: I love that story because it really also helps to illustrate what’s at risk here, which is the customer experience. If you’ve ever been on the wrong end of risk-based authentication, you know that it’s never at a convenient time.
We talked about the importance of a platform-based approach. You mentioned the trust chain and you’re only as strong as your weakest link. Obviously, that is a very true in the identity space, but we’re talking quite a bit within this interview about essentially two identity transactions: verification and authentication. I’m wondering, from your perspective, how do these two transactions overlap? And maybe also how are they distinct?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: I have a friend that left banking after several years and went over to work at Amazon who had a slide that I just loved. I’ve adopted it ever since (but I can’t take credit for his idea). It showed the life cycle of customer authentication and verification, and it really starts with verifying the human at the front door; verifying the human and all of their PII, so you know that the identity is real, and all of the information belongs together. Banks will refer to this as CIP, or the Customer Identification Program. So just number one: you know if the person’s identity is a real identity and not synthetic, and if all this information belongs together.
Then you must authenticate that person. And how we do that is by connecting the phone to that person and authenticating them through that SIM, that cryptographic key, and so that you know that you’re truly interacting with that person. After that, you issue ongoing credentials that they can use to show up on authenticate so they don’t have to go through that more rigorous proofing process. And you can streamline the customer experience going forward, but then as things go awry, the customer may need to go through the account recovery process, which should take you to the very beginning.
So, it’s really a circular process that starts with identity proofing issues, credentials, ongoing authentication, and then the account recovery process, and it just keeps on going in a circle.
Peter Counter, Editor, FindBiometrics: It’s very self-supporting, and really elegant. But again, it really does require that full platform approach. You do need to reference each of these scenarios.
You mentioned the customer experience. When digital onboarding first emerged, it was positioned as a way to prevent customer abandonment in account creation, which is obviously where you see the most customer friction. How important is the frictionless signup feature in today’s very hyper digital landscape?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: I think it’s paramount. I always say that fraud should be managed and not prevented. There’s always a business case behind every decision you make, and customer experience should always be prioritized ahead of fraud prevention. Because if you don’t have a customer, then there’s no fraud to manage. From that standpoint, having a frictionless way to sign up is crucial because it’s going to attract more customers.
At Prove, we have a product called Mobile Auth and it’s a way to passively authenticate the customer through SIM card authentication, and it avoids the ability for a bad actor to socially engineer the one-time passcode via an SMS code. When that’s paired in this process, it’s actually a rare case when the experience and fraud prevention actually converge and come together. That’s through one of our other products, called Proof Prefill.
Proof Prefill allows a customer to identify and authenticate users up front, and if they’re on a mobile phone they don’t have to go through the many keystrokes of an address, or their name and all that, and it speeds up the onboarding process. And we’ve actually seen an abandonment reduction by about 12 percent, even going as high as 30 percent in some extreme cases. This frictionless process is leading these companies to large growth, and allowing them to attract a lot more customers in that aspect.
Peter Counter, Editor, FindBiometrics: It really does come down to conversion rate when people are looking for ROI, but you really don’t want to have that at the expense of just letting a whole bunch of bots and synthetic identities into your space.
We’re still at the beginning of 2023, and we’re looking forward at the road ahead for biometrics and digital identity. How do you see the financial space evolving in the next few years when it comes to identity, and what challenges and opportunities do you see playing a role in shaping the FinTech space over the next five years?
Ryan Alexander VP, Global Head of Identity & Fraud, Prove: In the identity space, I think there are a lot of players there, so I see consolidation continuing to occur. And I think preference is going to be given to those companies that are consumer-focused and privacy preserving. If you’re not on the right side of that, then you might be one of the companies that gets consolidated. I also think that these companies that are platform-based, as opposed to point-solution based, will end up being the consolidators, as well as companies that have a global reach and aren’t just focused on the US.
There also needs to be more flexibility depending on the industry, because some of these industries have different requirements, and these companies should be adopting new standards and new technologies to make them more customer friendly. However, the most important thing that I see out of all of this is that the companies need to be friendly for consumers to adopt their service. If no one adopts the identity service, it doesn’t matter how cool or special it is, it’s just going to be a memorial thing to hang on the wall to look back on. I think that whoever gets the consumer adoption element right, and has the broadest coverage, will be the winner in this space.
I love this area right now. It’s hot, and I think it’s sorely needed. We’ve had that dog cartoon – you know the one: nobody knows that you’re a dog on the internet – since 1996. We still need to do more in the identity space. It’s been over 25 years and we still have a lot more work we need to do, so I’m excited for the future and to work in this area.