Protecting critical interactions

Businesses run on transactions and agreements, and they need to be secure across the entire customer journey.

Whether signing contracts for high-value transactions or conducting business by video, you need solutions that are fundamentally secure from start to finish. Verifying the identities of people you’re interacting with and ensuring the authenticity of documents you’re signing is critical in a threat environment that includes AI and increasingly realistic deepfakes. In this interview with Matt Moynahan, CEO of OneSpan—a leader in providing high-assurance identity proofing, authentication and secure electronic signature solutions—we discuss the company’s unique positioning in the digital identity and security market, its perspective on emerging threats and technologies, and the need for businesses to maintain a trusted relationship with their customers.

Q: Can you elaborate on OneSpan’s vision of trusted digital interactions and agreements?

Matt Moynahan: OneSpan focuses on secure digital agreements between businesses and their customers. Another way to think about it would be secure consent. Businesses run on legally binding relationships—between customers, partners or employees—and they need to hold up in a court of law and stand the test of time. These relationships begin with a digital handshake called an e-signature but this is the first step in a much larger process. Each transaction needs to be secured at the business process level and throughout the customer journey. It’s no longer adequate to simply secure point A to point B because we’ve seen hackers impersonate legitimate users as well as modify contracts after the transaction has been completed. Brands, customer relationships and financial assets are now at risk.

OneSpan is in a unique situation given its 30 years in cybersecurity and having one of the leading e-signature solutions. We’re bringing these together to help organizations with the digital verification of entities doing business with them. We’re able to leverage our extensive experience in highly regulated industries, such as banking and finance, as a foundation for us going forward.

Q: How does OneSpan assure businesses they’re interacting with authentic individuals and documents? How is this different from what other providers do?

Moynahan: Unlike other e-signature companies focused on documents, we prioritize people. Our primary unit of analysis and protection is the end user. We’ve developed best practices rooted in customer knowledge for both security and regulatory compliance. With the emergence of Web3, the attack surface has shifted dramatically. We’re no longer securing endpoints; we’re securing digital processes and customer interactions that require continuous authentication and identity verification no matter where that interaction takes place.

Solutions like multifactor authentication, biometrics and token-based authentication have emerged to do some of this, but they’re not woven throughout the entire customer journey. That’s where OneSpan comes into play. Our security model follows the customer throughout the entire digital transaction lifecycle without disrupting the user experience, ensuring that any resulting documents or artifacts are safeguarded against threats and can withstand the test of time.

We’ve integrated all of our solutions. This extends from the beginning of identity verification to the signing of a document, all the way to the ability to secure an artifact to an immutable quantum-safe blockchain to make sure that it can’t be hacked or tampered with throughout the lifespan of the agreement.

Another key differentiator for us is we private label everything. This is incredibly important. If you go to one of the major banks using our e-signature products, you’d never know we were there. You shouldn’t know we’re there. We don’t want to get involved in our customers’ brand for several reasons. One is that the trust should live with businesses and their customers, and you also don’t want to become an attack vector. Some of our more brand-forward competitors have seen their products attacked and used as a platform for phishing scams. We believe in a world of trust and authenticity so businesses and consumers can be confident the person they’re interacting with in online agreements and transactions is who they claim to be.

Q: What are some of the unique challenges of identity verification in the digital world?

Moynahan: We all have multiple identities. Some people have a work identity, some have a home identity, some have a banking identity. In the multiverse, you could even have an avatar that looks like a penguin. You’re going to have to stitch these together to protect them and you.

And that’s the challenge: How do you allow someone with multiple identities to securely transact in the medium of their choice and give businesses the comfort that they are who they say they are, even if they have a digital persona that doesn’t look like their passport photo? And do that in a way that enables commerce while accommodating privacy laws.

Q: How has the growth of AI changed the security environment?

Moynahan: The arms race in AI has profoundly altered the cybersecurity landscape, exponentially increasing the attack surface aimed at end users. While AI brings many positive capabilities, it has also made it extremely difficult to distinguish between real and fake content. There was a time when these technologies were strictly used by people with advanced degrees and highly technical skills. But it’s much simpler now. Anyone can do it. Deepfakes are something we have to watch very closely, and it’s getting more complicated every day as they become almost indistinguishable from real people.

In my view, in five to 10 years, every single application in the world will be powered by AI. You’re going to see a whole new application ecosystem develop on top of AI, and that’s going to bring huge benefits to business productivity—but also open up new types of cyber risk that haven’t really been thought of yet.

The Wall Street Journal Advertising Department. The Wall Street Journal news organization was not involved in the creation of this content.