Combining identity verification and authentication procedures, identity proofing helps establish that someone is who they say they are.
As the cartoon suggests, on the internet, you never really know who the other person is. They could be a fraudster, schemer, money launderer, terrorist or a bully. These nefarious individuals are a significant impediment to creating trust, and they hinder the growth of online transactions with businesses. There is a strong need to verify identity online to mitigate risk.
Luckily for the future of digital transactions, there are ways to accurately assess an individual and determine if they truly are who they say they are. So, what steps should businesses take? Each organization needs to decide on their level of risk tolerance, match rate accuracy, and what standards and technology they will need to adopt.
There are two steps involved in identity proofing: a public aspect and a private aspect. The public aspect, identity verification, relies on data in the public sphere. For example, details like name, address and date of birth are all on record and provide information to match against. The private aspect is a layer of data that authenticates a person based on information that (theoretically) only they can provide.
I am someone — proving you exist
Identity verification takes the information somebody provides, then compares it to records from government agencies, utilities or various other sources to see if that identity information is accurate. The more data that is collected, and the more data sources that information is matched against, the higher the verification accuracy.
Increasing the likelihood of a positive ID verification is a matter of gathering more data from the person and increasing available data sources. Fortunately, in today’s data-rich world, there are many more sources of identity information. For example, mobile data, social media information and geolocation all provide additional parameters to match against.
While increasing the match rate reduces risk, it can cause extra friction for the user and increase the costs of acquiring and checking the data. Therefore, the organization has to balance the risk against the costs and user considerations.
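The matching and threshold trade-off described above can be shown in code. This is an added example, not code from the original article or from any vendor: it counts how many independent sources corroborate each claimed attribute and applies a minimum-source threshold. The function names, the sample records and the exact-match-after-normalization rule are assumptions.

```python
import unicodedata
from datetime import date

# Constructed sample data: one claimed identity and three hypothetical sources.
CLAIM = {"name": "José Álvarez", "dob": date(1990, 4, 12),
         "address": "12 Elm St., Springfield"}
SOURCES = {
    "credit_bureau": [{"name": "Jose Alvarez", "dob": "1990-04-12",
                       "address": "12 Elm St Springfield"}],
    "utility": [{"name": "JOSE ALVAREZ", "address": "12 Elm St, Springfield"}],
    "electoral_roll": [{"name": "Jose Alvarez", "dob": "1990-04-12",
                        "address": "98 Oak Ave, Shelbyville"}],
}

def norm(value):
    """Normalize a field so formatting differences do not cause mismatches."""
    if isinstance(value, date):
        return value.isoformat()
    text = unicodedata.normalize("NFKD", str(value))
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.casefold().replace(".", "").replace(",", " ")
    return " ".join(text.split())

def verify(claim, sources, min_sources=2):
    """Return (verified, counts); counts[f] is how many sources confirm field f.

    Raising min_sources (assumed risk-tolerance knob) lowers risk but also
    lowers the match rate, because every field needs more corroboration.
    """
    wanted = {field: norm(value) for field, value in claim.items()}
    counts = dict.fromkeys(wanted, 0)
    for records in sources.values():
        # Only records filed under the claimed name can confirm other fields.
        same_name = [r for r in records
                     if norm(r.get("name", "")) == wanted["name"]]
        for field, value in wanted.items():
            if any(field in r and norm(r[field]) == value for r in same_name):
                counts[field] += 1  # each source counts once per field
    return all(n >= min_sources for n in counts.values()), counts

if __name__ == "__main__":
    print(verify(CLAIM, SOURCES))                 # two-source threshold
    print(verify(CLAIM, SOURCES, min_sources=3))  # stricter threshold
```

With the sample data, the claim passes at a two-source threshold and fails at three, since only two sources confirm the date of birth and the address.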
I am who I say I am — proving you are that person
Identity verification validates that the individual does indeed exist. However, there remains the question, is that person really who they say they are? This question requires private information, which only that person should know. This process of analyzing confidential information for identity proofing is known as identity authentication.
Knowledge-based authentication — what you know
If you’ve ever signed up for an online account that has high security requirements, you’ve no doubt come across this. For example, when you sign up for a bank account, they’ll ask for security questions: What brand was your first car? What was the name of your first pet? What is your favorite sports team? Later, if the bank wants to authenticate you, they can ask that question and check that you know the answer.
A security question is a static KBA technique; it relies on specific, stored questions. While static KBA provides an extra layer of security, a hacker can still bypass it if they can answer that question. A more advanced technique, dynamic KBA, employs security questions created on the fly. For example, if a bank asks, “What was your last bank transaction?” the person will be able to recall, but a hacker would have a difficult time researching or accessing that specific detail.
Out-of-band proofing — what you have
Another authentication technique relies on out-of-band (OOB) proofing. OOB relies on another channel, besides online, to authenticate the individual, for example, an online form asking for a code sent by text message. OOB is an example of two-factor authentication, and it increases security as it requires the person to have possession of the authentication device.
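The server side of the code-by-text-message check described above, as an added example that is not from the original article: codes are random, short-lived, single-use, attempt-limited and bound to the session that requested them. The class name, the 5-minute lifetime and the 3-attempt limit are assumptions, and delivery over the second channel is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3   # guesses allowed before the code is discarded (assumed policy)

class OobChallenges:
    """In-memory store of pending out-of-band codes, keyed by session id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process MAC key
        self._pending = {}

    def _tag(self, session_id, code):
        # Keyed MAC over session and code: the stored value does not reveal
        # the code and is only valid for the session that requested it.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id):
        """Create a 6-digit code; the caller sends it over the second channel."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[session_id] = {
            "tag": self._tag(session_id, code),
            "expires": self._clock() + CODE_TTL,
            "attempts": 0,
        }
        return code

    def verify(self, session_id, submitted):
        """Return True at most once per issued code."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[session_id]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["tag"], self._tag(session_id, submitted))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]  # single use, or too many guesses
        return ok
```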
Biometrics — what you are
One authentication method that is rapidly gaining traction is biometrics. Biometrics rely on individual physical traits that are difficult to fake in order to authenticate an individual. For example, fingerprints, a voiceprint or a retina scan are all biometric techniques. Long in use by the sectors with the most stringent security requirements, these techniques are now also included in the latest smartphones. Biometrics provides another identity layer to draw upon when considering an effective identity proofing solution.
New threats to identity
Unfortunately, the sophistication and scalability of identity theft and fraud techniques are increasing. Widespread data breaches and other methods provide ammunition for fraudsters to create synthetic identities. Artificial intelligence (AI) capabilities can produce deep fakes for these identities, making them appear that much more real, both in appearance and in action.
The threat is staggering; in 2020 identity-related fraud accounted for $56 billion in losses. Beyond fraud, there’s the risk of compliance failures and fines, as criminal organizations use fraudulent identity techniques to launder money and circumvent financial controls.
New approaches to identity proofing are becoming available to protect consumers, businesses and governments. Web Authentication (WebAuthn) is a new internet protocol designed to help deploy simpler yet more robust web authentication methods worldwide. New consumer data protection laws are clarifying data use standards and giving consumers more control over their information. Digital identity initiatives aim to increase security while offering ease of use and widespread adoption.
The critical element is to have effective identity verification in the first place. According to Jeremy Grant, managing director of technology business strategy at Venable:
Authentication is getting easier, and identity proving is getting harder … the real frontier these days, in terms of where more work is needed, is on identity proving.
Remote ID proofing
In the EU, electronic identification is seen as a key lever for the development of a single digital market across member states. The EU has enacted eIDAS (Electronic Identification, Authentication and Trust Services). The European Union Agency for Cybersecurity has provided guidance for implementing compliant remote ID proofing and a practical approach to applying risk management.
The guidance notes several trends and state-of-the-art approaches:
Best of breed method
This practice is based on the combination of different actors, components or techniques, where each offers its advantages to the different parts of the identity proofing process; at the same time, fellow actors, components or techniques compensate for its weaknesses.
This practice is based on building the technological, organizational and human resources which will allow several implementations targeted for the needs, circumstances and regulatory requirements of customers in different sectors or countries.
Using a digital identity network reflects these approaches to online identity proofing. There’s no one best approach as there are multiple use cases, regulatory requirements, and risk scenarios. Instead, a layered approach addresses the gap that individual digital identity services can’t fulfill. The network is a marketplace of hundreds of data sources, verification processes and tools that work together to identify who a person is — no matter their unique set of identity attributes or risk profile.
The identity industry is making rapid progress. Rather than relying on one technique, a multi-layered approach to identity verification maximizes security and increases confidence. Organizations can vary their approaches depending on individual risk levels and circumstances. With the addition of sophisticated data profiling, which can help gauge specific risk situations, identity proofing can reduce risk, smooth the user experience, and enable effective implementation of online and mobile transactions. New identity proofing models and technologies are at the center of building trust for the ongoing, dizzying expansion of the digital economy.
This post was originally published September 20, 2016, updated to reflect the latest industry news, trends and insights.