Risky Business with PaymentWorks: E6–Identification, Authentication, and Authorization
Identification, Authentication and Authorization featuring David GW Birch
We initially published this blog in 2021. We updated the piece in March 2024 because vendor identification is a critical component of vendor onboarding – one that deserves more attention.
Vendor identification is more than just confirming a VIN (vendor identification number). It’s also more than finding vendors that can offer the products or services you need.
The vendor identification we’re talking about has to do with identity as a holistic concept. It’s not just “who are you doing business with?” but “are they really who you’re doing business with?” and “are they authorized to do business with you?”
Yes, there’s a bit of nuance. Yes, we’re going to dig into it all!
Episode Takeaways On Vendor Identification and Identity
#1. Vendor identification is expensive and inconvenient
#2. Authentication might be the least vexing part of identity
#3. Authorization: who’s allowed to do what?
#4. All three identity domains are important, though some more than others
#5. Inefficiencies need to be addressed
#6. Lackluster vendor identification processes can spell disaster
Get Ready For Vendor Management Appreciation Day 2024
Want Help Aligning Teams On Vendor Identification?
Interested in Tips On Vendor Identification?
Want Personalized Guidance On Vendor Identification?
Welcome to Episode 6 of Risky Business with PaymentWorks! Our most recent podcast guest, David Birch, had many insights into the world of vendor identification and identity as a whole. Our conversation was wide-ranging and fascinating, but don’t just take our word for it!
Listen as David Birch, leader of 15Mb Ltd, sits down with us to discuss all things identification, authentication, and authorization.
David Birch is Global Ambassador for Consult Hyperion (the secure electronic transactions consultancy that he helped to found) as well as an author, advisor, and commentator on digital financial services and is regarded as a top expert on money and identity. David also serves as the Non-Executive Chairman of Digiseq Ltd, Ambassador for Jersey for Fintech, a member of the Governing Council of the Centre for the Study of Financial Innovation (the London-based think tank), and holds a number of board-level advisory roles.
He is an Honorary President of EEMA, the European e-ID Association. Before helping to found Consult Hyperion in 1986, he spent several years working as a consultant in Europe, the Far East, and North America.
David has also written three books. His most recent is titled The Currency Cold War: Cash and Cryptography, Hash Rates and Hegemony.
“People say identity means all sorts of different things,” Birch says. “But I have quite a structured model, which I’ve found is useful for facilitating conversations in business. So I tend to think of it in three related domains: identification, authentication, and authorization.”
Vendor identification is the first of Birch’s three domains. He defines it as connecting something in the virtual world to something in the physical world.
However, the problem Birch points out is that vendor identification during the onboarding process is expensive and time-consuming.
“It’s very easy for me to establish whether you are a real person,” he says. “If I can get your passport, send it to an expert in counterfeit passport and anti-terrorism, and then pass it on to credit checking agencies to make sure that you really exist — and you haven’t got the passport from somebody else — then I could check here and there and everywhere else.”
He continues, “So I can find out whether you’re a real person or not, but it’s an enormous expense and inconvenience. Getting that digital onboarding done properly was a problem that obsessed people like me, and it obsessed people in finance and payments. But because of the pandemic, of course, everybody has had to move to digital onboarding.”
Birch also highlights that the “who” is less important than the “what” when it comes to vendor identification. In other words, it’s less important to know who someone is and more important to know what they’re allowed to do. The question, then, is how do we discover the answer to those questions with security and privacy?
Birch refers to authentication as “essentially a solved problem,” but something that must still be a consideration as technology evolves.
Authentication is an identity domain that means you know that you are dealing with the person you think you’re dealing with.
Another way to put it is that authentication verifies a user is who they say they are before they can access a system. In this way, only those who are authorized through a valid authentication process can gain access.
Many organizations have long relied on passwords for authentication. But as cyber threats evolve, the best practice is to leverage more advanced authentication methods (like multi-factor authentication).
Birch adds that social networks have played a role in authentication – a role that may become bigger as fraudsters become more shrewd.
“As companies like [PaymentWorks] develop stronger and stronger networks with more and more data and more accurate identification, I can see a slightly different future where these third-party private solutions actually begin to scale,” he says. “I know it sounds very ridiculous to say it, I can easily imagine a future where your Facebook profile and your LinkedIn profile and your company LinkedIn profile actually become the basis for getting any business done. Simply on the grounds it’s actually much harder to fake a LinkedIn profile than you would think.”
Birch goes on to explain that “If I wanted to make a fake profile now because I wanted to conduct some sort of fraud I would have had to have started 10 years ago building up this profile and posting in it.” While today’s fraudsters are patient, he finds it unlikely they are playing a con that long.
Authorization happens when a user is granted permission to access a system after being authenticated. True security requires authorization to follow authentication. In other words, an organization must prove that a person is who they say they are before granting access to the requested system (or resources or functions).
In its simplest form, authorization is knowing a person is allowed to do something, according to Birch. So, even if vendor identification and authentication is complete, you still need to understand that the vendor is authorized in a way that allows you to do business with it.
“Typically, the way we [solve authorization] at the moment is by taking the identity and using it as a lookup in a database, using it as a proxy for some other thing we want to get,” he says. “How you’re allowed into this building or you’re allowed to access this record, you’re allowed to send this payment. And we need to sort of toughen up on that side of things as well.”
Authorization is an important part of vendor onboarding and management in that it needs to happen continuously. In fact, each time a change or update request is made, organizations should have processes across vendor identification, authentication, and authorization.
For example, suppose a vendor requests a change to bank account information. In that case, you need to determine a) that this is a valid vendor, b) that the person making the request is truly associated with that vendor, and c) that they are authorized to make that request.
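The three checks above, as an added example (not PaymentWorks code): a bank-account change request is rejected unless the vendor is a verified record, the requester is authenticated and actually linked to that vendor, and the requester holds a role that permits the change. The vendor master, user directory and role table are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data: vendor master, requester directory and role grants.
VENDORS = {
    "V-1001": {"name": "Acme Supplies", "status": "verified"},
    "V-2002": {"name": "Zenith Labs", "status": "pending"},   # onboarding not finished
}
USERS = {
    "alice@acme.example": {"vendor_id": "V-1001", "roles": {"banking_admin"}},
    "bob@acme.example": {"vendor_id": "V-1001", "roles": {"sales"}},
    "carol@other.example": {"vendor_id": "V-3003", "roles": {"banking_admin"}},
}
# Which role a given sensitive action requires.
REQUIRED_ROLE = {"bank_account_change": "banking_admin"}


@dataclass
class ChangeRequest:
    vendor_id: str        # the vendor record the request claims to modify
    requester: str        # identity asserted by the caller
    authenticated: bool   # did the requester pass login (ideally with MFA)?
    action: str


def evaluate(req: ChangeRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run in order: identify the vendor,
    authenticate the requester and bind them to that vendor, then authorize."""
    # (a) Identification: is this a real, fully onboarded vendor?
    vendor = VENDORS.get(req.vendor_id)
    if vendor is None or vendor["status"] != "verified":
        return False, "identification: vendor unknown or not yet verified"
    # (b) Authentication: is the requester logged in, and do they belong to this vendor?
    if not req.authenticated:
        return False, "authentication: requester session not authenticated"
    user = USERS.get(req.requester)
    if user is None or user["vendor_id"] != req.vendor_id:
        return False, "authentication: requester is not associated with this vendor"
    # (c) Authorization: does the requester's role permit this specific action?
    needed = REQUIRED_ROLE.get(req.action)
    if needed is None or needed not in user["roles"]:
        return False, f"authorization: requester lacks role '{needed}' for {req.action}"
    return True, "allowed"
```

Every rejection names the domain that failed, so the review queue shows whether onboarding, login or role assignment is the weak point.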
If that’s not always happening (and it’s not) with each change request over time, you’re opening yourself up to vulnerabilities that fraudsters can exploit. Tom Rogers of Vendor Centric adds context to this below:
While all three areas are essential in their own way, Birch explains that authentication is the linchpin upon which the others rest.
“Clearly, you’ve got to have the foundational identity,” he says. “But if you go to all the trouble of onboarding me but then there’s no authentication, anybody can just log in as me. That’s not terribly helpful. As a general point, we want to move all online interactions over into the authorization space. In fact, I actually don’t want to know who you are. I want to know what you’re allowed to do, and I think that’s a way of delivering both security and of course, privacy, which is becoming more and more important.”
Birch is optimistic that technology is making progress across each of the three domains — identification, authentication, and authorization — progress that will help companies to solve their own identity problems.
“It’s not perfect,” he says. “It’s not where we’d like it to be, but I think the pandemic has shown pretty starkly what the costs of not having that kind of infrastructure in place are. And so people are more aggressively now moving towards practical strategies across all three of those domains.”
Whether we’re talking about vendor identification or some other domain of identity, inefficiencies run rampant.
Birch points out that there are differences between consumer identity and business identity. Many solutions focus on the former.
The solutions for identifying, authenticating, and authorizing business identities can get complex and are often error-prone.
Birch uses an anecdote from the pandemic to paint the picture, saying, “I’m an executive officer of the company. That company was due some pandemic assistance support delivered through the bank. And the bank, where I’ve had a bank account for years… had to request proof of my address in order to facilitate whatever they were doing, this ridiculous process.”
He continues, “So establishing that Consult Hyperion is a real company, establishing that I’m an executive officer of that company, establishing that I’m authorized to perform certain activities on behalf of that company and establishing that executive officer Dave Birch is me, Dave Birch, and not some other Dave Birch is complex and time-consuming. And that’s why it needs to be addressed.”
He adds that these types of processes go on thousands of times each day across the economy, adding up to considerable amounts of money and opening the door to all kinds of errors.
Our conversation turned to the connection between B2B payments and identity. Frankly, it’s still a bit of a mess.
On our side, we see folks tasked with making large (multi-million dollar) payments on a daily basis. Unfortunately, vendor identification due diligence is often lacking. There is little scrutiny, identification, authentication, or authorization on the counterparty, aka the payment beneficiary.
David notes how painstaking and time-consuming those tasks can be. Moreover, these folks have plenty of other responsibilities on their plate.
He adds a story about how easy it is to check boxes around security and training in this area and still have fraud occur.
“[A company was] doing some security testing…and sent everybody in the finance department an email that purported to come from the head of finance,” Birch explains.
“But of course, it didn’t. It came from an external address…Everybody had been shown this video about security, and all ticked a box saying, ‘Yes, we understand.’ So they sent an email saying, ‘Please transfer some money to this guy.’ You would be very surprised how many people just saw the name on the email and hit ‘Okay.’”
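The failure Birch describes, people trusting the display name while the address is external, is also something a mail gateway can flag. As an added example (not from the podcast or any vendor product), the check below compares the From: display name against a constructed directory of internal staff and raises a flag when a known internal name arrives from an address outside the internal domains.

```python
from email.utils import parseaddr

# Constructed directory of internal staff: display name -> their real internal address.
DIRECTORY = {
    "Dana Morgan": "dana.morgan@corp.example",   # e.g. head of finance
    "Sam Patel": "sam.patel@corp.example",
}
INTERNAL_DOMAINS = {"corp.example"}


def _normalize(name: str) -> str:
    """Fold case and collapse whitespace so 'DANA  MORGAN' matches 'Dana Morgan'."""
    return " ".join(name.split()).casefold()


NAME_INDEX = {_normalize(n): a.casefold() for n, a in DIRECTORY.items()}


def check_sender(from_header: str) -> dict:
    """Classify a single From: header. A display name that belongs to an internal
    person but an address outside our domains is the pattern in the anecdote."""
    name, addr = parseaddr(from_header)
    addr = addr.casefold()
    if not addr or "@" not in addr:
        return {"flag": True, "reason": "unparseable sender", "name": name, "address": addr}
    domain = addr.rsplit("@", 1)[1]
    expected = NAME_INDEX.get(_normalize(name))
    if expected and addr != expected and domain not in INTERNAL_DOMAINS:
        return {"flag": True, "reason": "display-name impersonation",
                "name": name, "address": addr, "expected": expected}
    if domain not in INTERNAL_DOMAINS:
        return {"flag": False, "reason": "external sender", "name": name, "address": addr}
    return {"flag": False, "reason": "internal sender", "name": name, "address": addr}


def scan(headers):
    """Run the check over a batch of From: headers and return only the flagged ones."""
    return [v for v in (check_sender(h) for h in headers) if v["flag"]]
```

Pair the flag with a visible banner on the message, since the whole point of the anecdote is that the name alone was enough to get staff to act.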
Jim Vogt of the Fraud Protection Institute adds color to this mentality in the video below:
The reality is that vendor identification and verification is not always as straightforward as we’d like it to be. It requires the alignment of several moving pieces and a proactive approach toward fraud prevention.
In re-evaluating your vendor onboarding processes (which you should do regularly), ask yourself where and how vendor identification, authentication, and authorization are happening – and where there’s room for improvement.
If vendor identification, authentication, and authorization are top of mind, stick around. We’re going to be covering all that and more in the lead-up to Vendor Management Appreciation Day (VMAD) 2024.
What is VMAD? It’s our way of creating one giant love letter to our favorite people: vendor managers!
Why? Because we know it’s one of the most critical, under-recognized roles across industries.
VMAD is a brand-new holiday geared toward unifying vendor management professionals and celebrating innovation in the field.
We’ve released gifts each month to help you supercharge your vendor management efforts. We’re also planning some awesome events so everyone can connect and celebrate the important, strategic role of vendor management.
Learn more here, and grab some free vendor management goodies.
We’d love to walk through your process with you and talk about security, compliance, efficiency and sleeping better at night.