1. THE FEDERAL GOVERNMENT SETS THE STANDARDS
The National Institute of Standards and Technology (NIST) establishes the technical requirements for identity verification at government agencies. Released in 2017, NIST 800-63-3 establishes guidelines for identity verification. NIST 800-63-3 is primarily concerned with ensuring that someone is who they say they are before granting them access to a digital service.
NIST 800-63-3 is divided into three components:
- Enrollment and Identity Proofing (NIST SP 800-63A)
- Authentication and Lifecycle Management (NIST SP 800-63B)
- Federation and Assertions (NIST SP 800-63C)
The higher the risk of someone accessing an account they shouldn’t, the more confidence the organization must have in the validity of the requester’s identity. Organizations garner increased confidence by adding further checks that an individual must pass before having their identity verified. Those checks are outlined in the levels of assurance defined by NIST: Identity Assurance Levels (IAL), Authenticator Assurance Levels (AAL) and Federation Assurance Levels (FAL).
During the pandemic, there was an enormous spike in state unemployment insurance claims across the U.S. The March 2020 Coronavirus Aid, Relief and Economic Security (CARES) Act authorized the Pandemic Unemployment Assistance (PUA) program, opening up relief to those who would not traditionally be eligible for unemployment. To apply for PUA, individuals only needed a name, date of birth, address and Social Security Number, and to self-certify as being unemployed due to COVID-19 — information that was readily available on the dark web. As a result, fraudulent claims skyrocketed.
States that implemented solutions that aligned to NIST IAL2 standards (where a user must submit evidence for identity proofing) saw a significant decrease in fraudulent claims.
2. CREDIT HISTORY USED TO BE THE DE FACTO REQUIREMENT FOR ONLINE IDENTITY VERIFICATION
A presence in records – usually credit history – was historically required for remote or online identity verification. The requirement for presence in the records left many communities behind, specifically international users, younger individuals, indigenous populations and the unhoused.
- Millennials and Generation Z: Younger individuals who do not have an established financial transactions history often do not have identities that can be referenced through data aggregators such as credit bureaus. Thus, even though younger individuals between the ages of 18 – 29 are digital natives with high cellphone ownership rates who are capable of securing their accounts with two-factor authentication, they often lack the means to prove their legal identity exists – a necessary step before they can begin to verify that they are the rightful owner of that identity.
- Seniors: Only 80 percent of Americans over the age of 65 years old own a cellphone. Additionally, Pew Research notes: “Many seniors remain largely unattached from online and mobile life – 41 percent do not use the Internet at all, 53 percent do not have broadband access at home, and 23 percent do not use cellphones.” Thus, while credit bureaus and utilities tend to have records of individuals in this group, it is relatively harder for seniors to navigate the user experience to prove their identity and to protect their account from takeover with two-factor authentication.
- Low Income: “Roughly three in 10 adults with household incomes below $30,000 a year don’t own a smartphone. Nearly half don’t have home broadband services or a traditional computer. And a majority of lower-income Americans are not tablet owners. By comparison, many of these devices are nearly ubiquitous among adults from households earning $100,000 or more a year.” Phone ownership and mobile network operator (MNO) data is useful for both identity proofing and authentication, so this demographic is particularly challenged when attempting to access high-value services online.
- New Immigrants: Similar to younger individuals, new immigrants often do not have identities that can be referenced through U.S.-based data aggregators like credit bureaus and utilities. Their credit and financial history in the U.S. is sparse due to their lack of tenure, and they are also more likely to use a prepaid phone. As a result, like younger individuals, they often lack the means to prove their legal identity exists.
3. TRADITIONAL VERIFICATION METHODS ARE INEFFECTIVE
The question-and-answer process of proving your identity – knowledge-based authentication (KBA) – is not effective at stopping identity theft and unauthorized access.
The clues that you would need to answer most of the dynamic KBA questions are available online, in many cases with a little research. You can find educational background, home values, mortgage payments, car registrations, birth dates and social security numbers on social media, public records and the dark web (thanks to earlier data breaches).
Automated bots can easily collect this information and rapidly respond to the questions. In fact, some financial institutions are now putting controls in place that identify when questions are being answered too quickly, as the speed might be indicative of a bot.
Systems that are solely reliant on KBA can’t adequately defend against access from unwanted sources. The average person can often guess the right answer to the multiple-choice questions using a simple web search and common sense. When so much personal data has already been exposed by previous data breaches and uploaded to the dark web, the hackers’ job only gets easier.
Additionally, KBA pass rates often don’t break the 70th percentile. As questions increase in difficulty, and therefore security, the pass rate from legitimate users drops. In other words, KBA does not allow for a secure path that all legitimate individuals can pass.
In 2019, the Government Accountability Office noted KBA is insufficient to prevent fraud. NIST formally downgraded KBA to make clear it cannot be used for identity verification with government agencies.
4. VERIFICATION SHOULD BE INCLUSIVE
Enabling access to everyone means meeting citizens and consumers “where they are.” The only way to do this is via an omnichannel identity verification experience that includes self-service online workflows, virtual in-person proofing (video chat) and in-person verification (kiosks or brick-and-mortar locations).
Additionally, the pathways in an omnichannel offering reinforce each other by acting as “relief valves.” In other words, when an individual has trouble verifying via self-serve, they can escalate to video chat or in person, depending on their specific situation.
This ensures that Americans with recent name or address changes or without access to smartphones and webcams can still verify their identity. These video call and in-person options can assist people even if they have an unreliable Internet connection. It also eliminates the concerns that some have around new technologies, such as facial recognition.
ID.me is the only company in the United States with NIST IAL2-compliant options to enable people to verify their identity through human agents online and in person. Those alternative pathways have allowed ID.me to verify more than 3 million people who would have likely been left behind with a credit bureau or data broker-centric approach to identity verification.
5. SINGLE SIGN-ON SOLUTIONS ARE DESIGNED TO PERMANENTLY BRIDGE THE GAP
Four in five users are bothered by traditional account registration, and 54 percent would rather leave a site than create a new account, says Blue Research.
Moreover, 88 percent of users report inputting false or incomplete information when registering for a new account in order to cut time. The bottom line: when users sign up for a site to achieve a specific goal, they’ll sacrifice accuracy and security to get the service they want faster.
Federated identity allows users to bypass account registration altogether by tying their attributes to a credential they already have. The convenience of clicking a single button to establish a new account can mean the difference between acquiring or losing a new user.
ID.me is a credential service provider offering a consumer single sign-on solution that enables people to transfer their verified identity across websites with a common login, allowing them to avoid re-proving their identity each time.
A digital identity system predicated on credit history alone is simply unacceptable. Bridging the gap for traditionally underserved communities will take significant time and effort. Given the stakes, the task is necessary. By making identity verification more inclusive and by empowering people to verify through a single login, we can make our society more just.
To learn more about best practices in digital identity, visit https://insights.id.me/featured-white-paper/eight-best-practices-government-agencies-should-require-from-digital-identity-providers/
