Payfone, a provider of mobile security solutions, is launching its new Identity Certainty platform for mobile authentication that leverages the security of mobile networks to deliver unique tokenized IDs to mobile users. The company also announced a partnership to integrate the platform into Early Warning's risk and fraud prevention systems to deliver the mobile authentication service to banks and their customers.
Payfone’s Identity Certainty platform assigns each individual a tokenized ID -- the Payfone signature -- based on that individual’s phone number, SIM card number, and account number with the mobile network operator. (Payfone has strategic partnerships with all four major US telcos.)
“We are taking the magic and security of the phone world -- if you make a call, AT&T knows it’s you without you needing to log in -- and using that so we have a way of resolving a login session back to your ID,” Rodger Desai, CEO of Payfone, tells us. “With our tokenized ID… you can log in to Bank of America on Monday, and then log in to Verizon on Tuesday, and we can port the ID over.”
[For more on mobile security, check out: Authentication Risks Tops Concerns Over Digital Payments.]
Each Payfone signature can persist through more than 400 different events -- if a user upgrades or loses his phone, the signature stays unique to that individual.
“The signature is indicative of the individual, not their device,” says Desai. “Say you move: We keep the ID unique to you. If you lose your phone, when you get a new one, the mobile network operators will kill your SIM card -- we can see that and break the token, so the bank doesn’t let someone in," using your stolen phone.
Payfone already has 300 million identities under management and will be piloting Identity Certainty with three of Early Warning’s partner banks early next year. The solution will allow banks to eliminate the use of PC-era authentication measures (like challenge questions) in mobile banking.
“The PC stuff doesn’t work on mobile. You can’t use the IP address [to authenticate a login]. There needs to be a mobile-first approach to security. For consumers to have confidence in mobile payments, you need to tie their ID to mobile, and use security techniques customized to mobile.”
Rather than present challenge questions after a login, banks would simply ask Payfone to verify that the customer account that is logging in is tied to the Payfone signature for that individual. It all happens in the background, so the customer doesn’t have to do anything, taking out “the human element” that can lead to costly mistakes in today’s cyber security environment, according to Desai. Customers are automatically enrolled in Payfone’s service and have the option to opt-out.
Payfone will house its systems in early Warning’s datacenters, and it does not store any personally identifiable information (PII) that can tie the Payfone signature back to the individual. “We’re vaulting this information, and we manage the ID, but nothing that we store is identifiable with anything,” says Desai. "We would bind your info to your bank ID, but we wouldn’t know anything about you."
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio