"How does the OneID solution work? What makes it so effective? What makes it the ideal solution for the digital age?" I often get these questions when I interact with peers from the industry. So, here it is. What's Under the OneID® Bonnet - a three-part blog series that'll take you behind the scenes, tell you the principles that guide it and the technology that runs it. I'm Stuart Kempster, Chief Product Officer at OneID®.
The OneID® team has years of experience building identity and payments infrastructures that run at scale and are highly secure transaction-processing systems. We have also worked in and learnt a lot from more advanced digital identity economies in northern Europe. We’ve brought these insights together to build a ‘best-in-class’, world-leading digital ID solution that offers more value than just identity verification – OneID®.
In part 1, I'll take you right to the heart of the solution — what’s at the centre of OneID®, and why?
Bank data: the foundations of a strong identity verification solution
Distributed bank data is at the core of the OneID® solution. ‘Why?’ Because it’s simply the best! It’s the most up-to-date source of verified identity data, contained in systems most resistant to fraud. That is why we chose it as the foundation on which OneID® is built.
Faces and documents are, by their very nature, vulnerable to deep fakes. Bank data is not. Banks have mature KYC processes to ensure that they comply with stringent money laundering regulations. They conduct continual surveillance, ensuring their customers' identities are vetted and ongoing financial activity is verified.
Banks also heavily invest in defences against cyber threats, using cutting-edge and mature technologies. At the forefront lies biometric authentication, which grants access with a touch or glance. Paired with sophisticated machine learning algorithms, banks can tell genuine users from imposters with unprecedented accuracy.
Further bolstering their defences are device intelligence tools and risk engines, discreet services that analyse subtle behavioural patterns to detect anomalies indicative of fraud. By scrutinising the nuances of user interactions, banks can pre-emptively identify suspicious activities.
We go further than bank data and correlate this with other trusted sources of verified identity data, such as mobile network operators, fraud networks and credit reference agencies. The platform design allows us to compare identity data and other indicators from different sources, meaning that our products provide the most comprehensive and accurate identity data available, anywhere.
We protect the security and privacy of our users by keeping data distributed and where it belongs, rather than copying it, creating a central ‘honey pot’. The principle is to keep your financial data with your bank, health data with NHS, comms data with your telco, government data with the government, and so on, but with the “key” to all this safely with the user.
Putting an individual perspective on this, we take identity data from trusted, authoritative sources in real time, with your consent, at your moment of need. We store a record of the data fields you have shared (e.g., Name, Address) but not the actual values of the data (e.g., ‘Jane Smith’, ‘ 123 Acacia Avenue’). Your bank stores and protects the actual identity data. This keeps the data as safe as possible, protected by several layers of technology and security provided by your bank.
After all, you trust your bank with your money, so why not trust them to store your identity data?
Leveraging open banking and bank security
For our own technology, we use Google Cloud Platform’s proven security model for protecting cloud services and our many certifications to ensure that we operate to the highest security standards.
To connect to other parties, we have secure certificates to operate from several ‘trusted registries’: the Financial Conduct Authority’s (FCA) register, the Open Banking Directory, and the Department for Science, Innovation and Technology’s (DSIT) Digital Verification Services (DVS) register. The Open Banking APIs are protected by a further security layer, Financial-grade API Security Profile (FAPI).
By building on top of bank security, we inherit security features from the industry that spends the most to make itself secure, such as:
- Secure APIs that only authorised parties can access
- Strong Customer Authentication to ensure only you can access your identity data
- Biometrics such as fingerprint, face and voice as ‘authenticators’
- Behavioural biometrics that run the in background (e.g., mouse movement or PIN entry speed monitoring)
- Device ID monitoring (e.g., looking for ‘rooted’ devices and malware)
- Location monitoring
- Real-time fraud scanning ‘engines’ on transactions
- Fraud signal-sharing networks that the banks connect to
- AI scanning systems that spot unusual activity across networks
A technology company at heart and a platform built for scale
We built OneID® on top of the Google Cloud Platform as a ‘cloud native’ platform, so it’s fully scaleable to ‘internet scale’ as transaction volumes inevitably increase.
Our services are built in a modern language called ‘Go’ (often referred to as Golang because of its former domain name, golang.org) because it is Fast. Go can compile directly to machine code without using an interpreter and is always one step ahead of Java regarding execution speed. Golang-based programs are lightning-fast, and compilation is quicker, speeding up development time.
In summary, OneID® is a ‘best-in-class’, world-leading digital ID solution. Our platform is cloud-native, fast, and infinitely scaleable, and the identity data we provide comes from the most up-to-date source of verified identity data available. What’s not to like?
