Identity proofing – how to verify and authenticate online
Combining identity verification and identity authentication, identity proofing helps establish trust online.
On the Internet, nobody knows you’re a dog — a fraudster, schemer, money launderer, terrorist or a bully. These nefarious individuals are a major impediment to creating trust and hinder the advancement of online transactions. There is a strong need for some way to prove identity online and mitigate online risk.
Luckily for the future of digital transactions, there are ways to accurately assess an individual and determine the likelihood that they are the person they claim to be. What steps should businesses take to mitigate risks? Each organization needs to decide its level of risk tolerance, the match rate accuracy that it needs, and the standards and technology it deploys.
There are two steps involved in identity proofing: a public aspect and a private aspect. The public aspect, identity verification, relies on data in the public sphere. For example, name, address and date of birth are all on record and provide information to match against. The private aspect is a layer of data that authenticates that the person is who they say they are, based on information that (theoretically) only they can provide.
I am someone
Identity verification takes information an individual provides, then compares it to records from government agencies, utilities or various other sources to see if that identity information is accurate. The more data that is collected, and the more data sources that information is matched against, the higher the verification accuracy.
Increasing the likelihood of a positive ID verification, then, is a matter of gathering more data from the person and gathering more data sources. Fortunately, in today’s data-rich world, there are many more sources of identity information. For example, mobile data, social media information and geolocation all provide additional parameters to match against.
While increasing the match rate reduces risk, it can cause extra friction for the user and increase costs of acquiring and checking the data. Therefore, the organization has to balance the risk against the costs and user considerations.
I am who I say I am
Identity verification validates that the individual does indeed exist. However, there remains the question, is that person who they say they are? This question requires private information, which only THAT user would know. This process of analyzing confidential information for identity proofing is known as identity authentication, also known as knowledge-based authentication (KBA).
If you’ve ever signed up for an online account that has higher security requirements, you’ve no doubt come across this. For example, when you are signing up for a bank account, they’ll ask for security questions: What was your first car? What was the name of your first pet? Who’s your favorite sports team? Later, if the bank wants to authenticate you, they can ask that question and check that you know the answer.
A security question is a static KBA technique; it relies on specific, stored questions. While static KBA provides an extra layer of security, a hacker can still bypass it if they can answer that question. A more advanced technique, dynamic KBA, employs security questions created on the fly. For example, if a bank asks, “What was your last bank transaction?” the person will be able to recall, but a hacker would have a difficult time researching that specific detail.
Another KBA technique relies on out-of-band (OOB) proofing. OOB relies on another channel, besides online, to authenticate the individual; for example, an online form asks for a code sent by text message. OOB is an example of two-form authentication, and it increases security because it requires the person to have more than one piece of the authentication puzzle.
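The server side of the text-message code check described above, as an added example that is not part of the original article. The class name, six-digit code length, five-minute lifetime and three-guess limit are assumptions chosen for illustration, and delivery of the message is left to whatever SMS gateway is in use.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed code lifetime
MAX_ATTEMPTS = 3        # assumed wrong-guess limit per code


class OobChallengeStore:
    """Issues and checks one-time codes delivered over a second channel."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret, kept out of the store
        self._pending = {}  # session_id -> [tag, expires_at, attempts_left]

    def _tag(self, session_id, code):
        # Keyed hash bound to the session: the stored value alone does not
        # reveal the code, and a code cannot be replayed in another session.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id):
        """Create a fresh code, replacing any earlier one for this session."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[session_id] = [self._tag(session_id, code), expires_at, MAX_ATTEMPTS]
        return code  # goes to the SMS gateway only, never into the web response

    def verify(self, session_id, submitted):
        """True exactly once for the right code; the code is burned on
        success, on expiry, or after MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[session_id]
            return False
        # Constant-time comparison of the keyed hashes.
        if hmac.compare_digest(tag, self._tag(session_id, submitted)):
            del self._pending[session_id]
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[session_id]
        return False
```

Without the attempt limit and expiry, a six-digit code offers only a one-in-a-million guess space, which is why both are enforced before the code is accepted.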
One authentication method that is rapidly gaining traction is biometrics. To authenticate an individual, biometrics rely on individual physical traits that are difficult to fake. For example, fingerprints, a voiceprint or a retina scan are all biometric techniques. Long in use by the sectors that have the highest security requirements, these techniques are now in the latest smartphones. Biometrics provide another identity layer to draw upon when considering an effective identity proofing solution.
New threats to identity
Unfortunately, the sophistication and scalability of identity theft and fraud techniques are increasing. Widespread data breaches and other techniques provide ammunition for fraudsters to create synthetic identities. Artificial intelligence (AI) capabilities can produce deep fakes for these identities, making them appear that much more real, both in appearance and in action.
The threat is staggering; in 2018, identity-related fraud accounted for almost $15 billion in theft from American consumers. Beyond fraud, there’s risk of compliance failures and fines, as criminal organizations use fraudulent identity techniques to launder money and otherwise circumvent financial controls.
To protect consumers, businesses and governments, new approaches to identity proofing are being introduced. Web Authentication (WebAuthn) is a new internet protocol designed to help deploy simpler yet stronger web authentication methods to users around the world. New consumer data protection laws are clarifying data use standards and giving consumers more control over their information. Digital identity initiatives aim to increase security while offering ease of use and widespread adoption.
The critical element is having effective identity verification in the first place. According to Jeremy Grant, managing director of technology business strategy at Venable, “authentication is getting easier, and identity proving is getting harder … the real frontier these days, in terms of where more work is needed, is on identity proving.”
There is rapid progress being made. Rather than relying on one technique, a multi-layered approach to identity verification maximizes security and increases confidence. Organizations can vary their approach depending on the risk level and circumstances. With the addition of sophisticated data profiling, which can help gauge specific risk situations, identity proofing can reduce risk, smooth user experience and enable effective implementation of online and mobile transactions. New identity proofing models and technologies are at the center of building trust for the ongoing, dizzying expansion of the digital economy.
This post was originally published September 20, 2016, updated to reflect the latest industry news, trends and insights.