Every year in the United States, more than 40 million people move and approximately 3 million women change their last name. More than 13 million Americans share one of 10 common surnames, tens of millions of consumers use nicknames or initials, and 57 million males have one of 10 first names.
These realities pose complex challenges to the electronic authentication (e-authentication) process, which establishes confidence in user identities presented to an information system, for both the public and private sectors. The private sector spends more than $2 billion per year on fraud detection and prevention efforts, and government agencies must work to keep pace to ensure that their constituents and customers are protected against cyber-security threats.
Despite e-authentication challenges, government agencies must offer a variety of online services based on e-government directives, public demand and the need for greater operational efficiencies. Given the growing threat of fraud against government agencies — and the wide array of sensitive information in play — e-government is potentially a data supermarket for fraud. This means government agencies must be best-in-class in identity proofing and fraud prevention.
While the private sector faces compliance-oriented pressures, such as the Patriot Act and the Fair and Accurate Credit Transactions Act (FACTA) Red Flags Rule requirements, it has done a good job of adopting risk-mitigation capabilities and implementing processes that strike the right balance between regulatory checks, customer experience, fraud risk mitigation and cost. Given the need for citizen confidence in the security of highly sensitive information, the public sector also has the opportunity to adopt a risk-based and proportional approach to authentication — an approach which is clearly articulated in the National Institute of Standards and Technology levels of assurance and the Office of Management and Budget’s (OMB) E-Authentication Guidance for Federal Agencies.
The business drivers differ substantially between industry and government, but one can argue that public agencies benefit from adopting the private sector’s bottom-line-driven approach to identity authentication and fraud prevention. That’s simply because these institutions — and specifically their fraud managers — are in the business of adopting the most risk-predictive and cost-effective capabilities and technologies.
The OMB’s E-Authentication Guidance for Federal Agencies promotes risk-based authentication by defining four authentication levels tied to consequences of authentication errors and misuse of credentials. More simply, the guidance asks, “What’s the worst that can happen if a bad guy gains credentialed access?” In combining two perspectives of risk — “What’s the worst that can happen?” and “What’s the likelihood this individual is who he or she claims to be?” — a tiered authentication approach emerges:
Level 1 — Little or no confidence in the asserted identity’s validity
- Identity proofing is not required at this level, but the authentication tool should provide some assurance that the same person is accessing protected transactions or data.
- Relevant industry tools include the use of a user identification, personal identification number, password or secret questions.
Level 2 — Requires confidence that the asserted identity is accurate
- Provides for single-factor remote network authentication, including identity-proofing requirements.
- Relevant industry tools include the use of more formal identity proofing: identity element verification, authentication and fraud risk scores.
Level 3 — Provides multifactor remote network authentication
- At this level, identity proofing procedures require verification of identifying materials and information, ideally online.
- Relevant industry tools include out-of-wallet questions, financial instrument verification and one-time passwords.
Level 4 — Provides the highest practical assurance of remote network authentication
- Authentication is based on an individual proving possession of a key through a cryptographic protocol, and identity proofing requires in-person presence.
- Relevant industry tools include the use of public key infrastructure, digital signature, biometrics and multifactor identity elements.
These guidelines require that agencies review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. So how do you determine what level of identity authentication assurance your agency needs?
1. Conduct a risk assessment of the e-government system.
2. Map identified risks to the applicable assurance level.
3. Select technology based on e-authentication technical guidance.
4. Verify that the implemented system has achieved the required assurance level.
5. Periodically reassess the system to determine technology refresh requirements.
To illustrate the potential complexities of e-authentication, consider the following scenario:
Mary Smith takes out a student loan using her Social Security number and college address under the name Mary J. Smith. Then, using her father’s Social Security number and her parents’ address, Mary takes out a credit card loan under the name Mary Smith. Mary gets married and takes her husband’s last name, Johnson, and uses his Social Security number to take out a mortgage using their new home address. She then takes out a second mortgage under her maiden name and a different home address while using her own Social Security number. Later she files for bankruptcy under a new first name, Margaret, while using yet another address.
Given these life events, how can an online government site verify that Mary Smith is really who she asserts to be? Many compliance-oriented authentication requirements (e.g., the Patriot Act and FACTA Red Flags Rule) and their processes hinge upon verification checks and validating identity elements, such as name, address, Social Security number and phone number.
While address verification, for example, is an important element in identity proofing, it should also be taken in context from a fraud risk perspective. Credit information company Experian has shown in recent data validations that the fraud rate associated with non-address-verified identities is less than 1 percent higher than the fraud rate associated with address-verified identities. So while such verification is important, binary conditional checks like this are not the best way to accurately predict identity and fraud risk.
Without minimizing the importance of performing such checks, there are more robust authentication tools that strengthen the process and validate identities. As you assess your organization’s risk and the level of protection needed, consider the following best practices that have been proven to boost protection and prevent fraud during e-authentication:
Identity proofing — Use accurate and comprehensive public and private data sources to validate identity elements, such as name, address, date of birth, phone number and Social Security number. Employ these validated elements to verify individual identities.
Risk-based authentication — Incorporate analytics in the form of identity risk scores and a holistic assessment of a subject and transaction with the goal of applying effective but not overly intrusive or costly authentication treatments.
Out-of-wallet data — Provide consumers and constituents dynamically generated questions that are designed to segment true name individuals from fraudulent ones. This process incorporates knowledge-based authentication with an overall authentication strategy to provide an additional layer of verification.
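To make the contrast between binary checks and risk scoring concrete, here is an added example (not part of the original article) that scores the identity assertions from the Mary Smith scenario against constructed reference data; the owner records, alias table and weights are all assumptions, not any vendor's or agency's model. The exact-match check rejects every assertion alike, while the score separates a legitimate name variant from the use of another person's Social Security number.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    first: str
    last: str
    ssn: str
    address: str

# Constructed reference data: the name and address history a trusted
# source holds for each SSN (stands in for public/private data sources).
SSN_OWNERS = {
    "111-11-1111": {"first": "mary", "lasts": {"smith", "johnson"},
                    "addresses": {"10 college rd", "5 elm st"}},
    "222-22-2222": {"first": "robert", "lasts": {"smith"},   # Mary's father
                    "addresses": {"7 oak ave"}},
}
NICKNAMES = {"margaret": "mary"}   # assumed nickname/alias table

def norm(s: str) -> str:
    """Lower-case, drop periods, collapse whitespace: "Mary J." -> "mary j"."""
    return " ".join(s.lower().replace(".", "").split())

def first_key(first: str) -> str:
    """Canonical first name: first token, mapped through the alias table."""
    token = norm(first).split()[0]
    return NICKNAMES.get(token, token)

def binary_check(a: Identity) -> bool:
    """All-or-nothing check: name and address must match the SSN owner exactly."""
    o = SSN_OWNERS.get(a.ssn)
    return bool(o) and norm(a.first) == o["first"] \
        and norm(a.last) in o["lasts"] and norm(a.address) in o["addresses"]

def risk_score(a: Identity) -> tuple[int, list[str]]:
    """Weighted score 0-100 (higher = more confidence in the asserted identity)
    with reasons. An SSN tied to another individual outweighs any corroboration."""
    o = SSN_OWNERS.get(a.ssn)
    if not o:
        return 10, ["ssn not found in any source"]
    if first_key(a.first) != o["first"]:
        return 10, ["ssn belongs to a different individual"]
    last_ok = norm(a.last) in o["lasts"]          # maiden and married names both count
    addr_ok = norm(a.address) in o["addresses"]   # a move only costs corroboration
    score = 70 + (15 if last_ok else -10) + (15 if addr_ok else 0)
    reasons = ["ssn owner's first name matches (alias-aware)",
               "last name on file" if last_ok else "last name not on file",
               "address on file" if addr_ok else "address not on file"]
    return max(0, min(100, score)), reasons
```

Run over the scenario, "Mary J. Smith" at her college address and "Margaret Smith" at a new address both fail the binary check yet score 100 and 85, while the assertions built on her father's or husband's Social Security number score 10 with an explicit reason a reviewer can act on.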