Trials and Tribulations of Verifying Identity
What is Identity Verification and Why Is It Important?
Proving the age-old assertion “I am who I say I am” has become vitally important in a world where digital has become the rule rather than the exception. Back in the day, proving your identity was part of the enterprise directory system. Administrators would set up your system access and roles once you started working for an organization and would (hopefully) remove access once you left.
But the happy and heady days of the enterprise perimeter have long gone. Identity Access Management (IAM) is also long gone, having been replaced by a more amorphous IAM which is fuzzy around the edges of employee, customer and extended vendor ecosystem.
Proving identity ownership outside of your employee base is tricky, to say the least. But identity verification is a necessary component of a usable and secure identity system. Knowing who you are dealing with adds a dimension to an identity system that allows the system to apply assurance to online transactions and digital tasks.
For example, banks use the concept of Know Your Customer (KYC) to perform checks against a person when they open a bank account. Many of these checks have to be performed offline and in-person, costing money and time. To complicate matters, KYC checks differ across the world and what constitutes a KYC check in one country can be very different in another.
Banking across the globe is now looking heavily into ways to onboard online customers but retain the levels of identity assurance that offline checks can offer. Other online services which depend on knowing their customers are also moving towards a commercial version of KYC, both for security reasons and to build better relationships with their customers.
The F in KYC: Identity Fraud
In 2017, 1.66 billion people made online purchases, which is fantastic for the global economy. But the person behind that purchase needs to be verified as being who they say they are to add assurance and weight to the transaction, and online fraud just keeps getting worse.
In a 2018 survey into online fraud, Experian found that in the past 12 months, 72 percent of executives had growing concerns about fraud. The same survey demonstrated that this concern is extending to the customer, as 27 percent of us are dropping out of a transaction because of security concerns.
We need to bottom this out by giving the user a good experience while ensuring that trust is built into the service using online verification and KYC.
Ways That Verification Can Be Done
Assurance in the identity equation is the operative word. Assurance is all about the probability that a digital identity truly represents an individual, and the issue has been looked at quite extensively by organizations like NIST and the UK government.
The original premise of identity assurance was to apply integers in the form of “levels” to an identity. So, for example, a level 0 may represent the lowest possible assurance, whereas a level 4 might be an identity that is as close to being “this is definitely who they say they are” as possible.
This fixed integer approach to identity assurance is now, however, being called into question, with NIST revising their view on levels of assurance. And the probability of identity assurance needs to be seen as more multifaceted than a single number.
Verifying a person online is performed using a number of methods. Typically, a user would need to go through a series of tests to prove their identity. These tests usually involve supplying something that shows your identity: for example, a passport. The user may have to supply a number of these items. In addition, a general check that personal details like name and address are real is done in the background, often using a credit reference agency (CRA) check. Fraud checks are also carried out, again, usually using a CRA check.
Then come the dreaded and contentious “KBV” or knowledge-based questions. KBV questions are generally related to financial transactions, e.g. “What is your monthly mortgage payment?”, with multiple-choice answers being offered to the user. The combination of all of the above usually ends in a specific level of assurance (LOA) being issued.
Issues of Verifying People
The problem with all of this is the user experience, which, as you can imagine, can be onerous. Going through a process to fill in your personal details, supply your passport and other identifying documents, then answer a series of questions about your finances takes time and can be very annoying (especially if you can’t remember a loan you took out 10 years ago). There are also many moving parts, increasing the points of weakness and fallibility in the system.
The poor UX of some identity verification services has led to high dropout rates during registration; worse still, low match rates are often an issue for anyone who does manage to get through the process. In the previously mentioned Experian survey, 42 percent of millennials would do more online transactions if the security barriers were less onerous.
Any service which requires data and/or money from an individual has to apply the ethos of KYC. However, how to do this successfully is another matter.
How Can We Make Identity Assurance Better for Everyone?
Things are afoot in the world of customer IAM. There is a definite change in attitude towards what constitutes assurance of “I am who I say I am.” A movement away from the binary “levels of assurance” (LOA) approach to identity is happening. Instead, a more probability-based or “degree of truth” system is being designed into the more modern digital identity platforms. These systems use a more dynamic, flexible and tailored approach to verifying a person’s identity.
The on/off approach to verifying a user needs to stop. Instead, registration for an identity should be multi-staged and probability-driven. Identity systems show poor match rates and/or high dropout rates because they are hard to register with. To remedy this, they need to have “Trust by Design” as a starting point.
This can be achieved by building up assurance over time. Identity platforms can allow users to create an identity account first without onerous verification stages and then encourage the addition of verified attributes (data) as they use the system — building up an assured profile over time. It is less painful, and it creates a two-way relationship between the identity owner and the service. Instead of an LOA-based system of identity assurance, a more granular approach is created. This can be based on individual attributes, such as the presentation of relevant data for a given service. Use of smart data from a variety of non-traditional sources can also help build up the trust level of a user’s identity profile.
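The attribute-level approach described above can be sketched as follows. This is an added example, not code from any identity platform; the 0.0 to 1.0 confidence scale, the rule for combining evidence (sources treated as independent), and the attribute, source and policy names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Attribute:
    value: str
    confidence: float = 0.0            # assumed scale: 0.0 self-asserted .. 1.0 certain
    sources: set = field(default_factory=set)

class Profile:
    def __init__(self):
        self.attrs = {}

    def claim(self, name, value):
        """Registration step: store a self-asserted attribute with no verification."""
        self.attrs[name] = Attribute(value)

    def add_evidence(self, name, source, strength):
        """Raise confidence in one attribute; each source counts once (assumed independent)."""
        attr = self.attrs[name]
        if source not in attr.sources:
            attr.sources.add(source)
            attr.confidence = 1 - (1 - attr.confidence) * (1 - strength)
        return attr.confidence

def evaluate(profile, policy):
    """Return (allowed, shortfalls) for a service's per-attribute minimum confidences."""
    shortfalls = {}
    for name, required in policy.items():
        attr = profile.attrs.get(name)
        have = attr.confidence if attr else 0.0
        if have < required:
            shortfalls[name] = round(required - have, 2)
    return (not shortfalls, shortfalls)

# Constructed policies: a low-risk service and a payment service.
NEWSLETTER = {"email": 0.0}
PAYMENT = {"name": 0.8, "address": 0.6}

def demo():
    p = Profile()
    p.claim("email", "user@example.com")
    p.claim("name", "A. Example")
    p.claim("address", "1 Example Street")
    at_signup = (evaluate(p, NEWSLETTER)[0], evaluate(p, PAYMENT)[0])
    p.add_evidence("name", "passport_scan", 0.7)
    p.add_evidence("name", "cra_check", 0.5)
    after_name = evaluate(p, PAYMENT)
    p.add_evidence("address", "cra_check", 0.7)
    return at_signup, after_name, evaluate(p, PAYMENT)

if __name__ == "__main__":
    print(demo())
```

The shortfall map tells the service which single attribute to ask the user to verify next, instead of rejecting the whole identity.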
Data Analytics in Identity Verification
One way of improving an identity system is to use data analytics smartly. Using banks as an example, controls against “smurfing” can be applied. Smurfing is where a fraudster breaks up large transactions that would normally trigger an anti-money laundering check into smaller ones. To prevent it, geolocation checks are used to aggregate multiple smaller transactions, and analytics then alerts the bank. This sort of approach can also be applied to identity verification: aggregation of data and cross-checking against known location(s) of domicile.
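The aggregation control described above, as an added example rather than any bank's actual rule: it sums each customer's sub-threshold transactions over a sliding window and cross-checks the regions seen against the customer's known home region. The threshold, window, region labels and sample transactions are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10_000            # constructed per-transaction review limit
WINDOW = timedelta(hours=24)  # constructed aggregation window

def find_structuring(transactions, home_regions):
    """Alert when one customer's sub-threshold amounts sum to >= THRESHOLD within WINDOW."""
    recent = defaultdict(deque)
    alerts = []
    for ts, customer, amount, region in sorted(transactions):
        if amount >= THRESHOLD:
            continue  # already covered by the ordinary per-transaction check
        q = recent[customer]
        q.append((ts, amount, region))
        while ts - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        total = sum(a for _, a, _ in q)
        if total >= THRESHOLD:
            regions = {r for _, _, r in q}
            alerts.append({
                "customer": customer,
                "total": total,
                "count": len(q),
                "regions": sorted(regions),
                "away_from_home": sorted(regions - home_regions.get(customer, set())),
            })
            q.clear()  # one burst raises one alert
    return alerts

# Constructed sample data: (timestamp, customer, amount, region).
DAY = datetime(2024, 1, 1)
SAMPLE = [
    (DAY + timedelta(hours=9),  "C1", 3000, "region-A"),
    (DAY + timedelta(hours=11), "C1", 3000, "region-B"),
    (DAY + timedelta(hours=14), "C1", 3000, "region-C"),
    (DAY + timedelta(hours=17), "C1", 3000, "region-A"),
    (DAY + timedelta(hours=10), "C2", 4000, "region-A"),
    (DAY + timedelta(days=3),   "C2", 4000, "region-A"),
    (DAY + timedelta(hours=12), "C3", 15000, "region-B"),
]
HOME = {"C1": {"region-A"}, "C2": {"region-A"}, "C3": {"region-B"}}

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE, HOME):
        print(alert)
```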
Going forward, we need to use intelligence to build better, more usable and more secure identity systems. We are now starting to build a great stack of technologies to allow us to do this. Data sources from a variety of non-traditional areas such as government big data and social data can feed into an identity profile over time. Other technologies such as machine learning can add insight to these data. When designing systems that human beings use we need to make sure we add value, usability, trust and security.