DNA for future identity is in your wallet
As driver licenses, passports and bank cards enable the virtual, is secure identity within reach?
01 February, 2016
category: Biometrics, Corporate, Digital ID, Financial, Government
When travelers go to the airport they show a driver license or passport to get through the security checkpoint, and agents make sure the information on the boarding pass matches the identity document. From there, the bar code on the boarding pass is scanned and the identity document might be passed under an ultraviolet light, both of which further ensure that the documents are valid.
In the digital world there isn’t an equivalent to this process. There is no Internet driver license or passport that individuals can show to access online services. High-assurance digital credentials are limited to enterprises that issue them to employees and rarely are they useful outside of that enterprise.
This all may be changing, however, as new initiatives could finally bring strong identity to the masses. A number of projects are making real strides to enable individuals to use documents they already have for high-assurance access, in essence using IDs already in the wallet as the DNA for future identity.
Vetting in the dark
One of the more difficult aspects of issuing high-assurance digital credentials is that moving the vetting process entirely online has proven problematic. Yet consumers don’t want to go somewhere with documentation to enroll for and receive a token. Rather, they want to be able to apply for a credential online and use it immediately with as little friction as possible.
To date, the primary remote online vetting method used by identity providers has been knowledge-based authentication, or KBA. These are the quizzes that ask so-called out-of-wallet questions such as where the user lived in years past, the amount of their mortgage payment or what bank holds their car loan.
These KBA systems have never been perfect, but after the 2015 IRS breach – where hackers used data gathered from other breaches to access more than 300,000 records and in many cases break the KBA system – the stakes have been raised. Experts are now in virtually unanimous agreement that KBA alone is insufficient for remote identity proofing.
“Given where we are today with all the breaches – Anthem, the U.S. Office of Professional Management and others – we have to assume that our data has been compromised in one way or another,” says Doc Vaidhyanathan, vice president of product management for CA Advanced Authentication. “Nobody should rely on a system that says ‘if you know these three or four things, then it’s you.’ KBA should just be one layer in verifying an identity.”
Some projects are starting to link real world credentials – driver licenses, passports and payment cards – to add assurance to digital identities. In the UK, the Verify project has a different take on online identity verification. At a base level Verify is the UK’s version of the U.S. government’s Connect.Gov offering. Each enables citizens to create an online identity that can be used in various ways to interact with the government and potentially other relying parties in the future.
The difference between Verify and Connect.Gov, however, is that there is a stronger level of assurance behind a Verify identity. Citizens must pass a KBA quiz and also provide a driver license or passport number to be verified.
Systems like this that authenticate physical identity documents online are becoming more common, says Emma Lindley, founder of Innovate Identity, a UK-based consultancy. Mobile phones can take photos of documents to send for verification, and handsets are of sufficient quality to even allow for verification of the document’s visual security features. In the future, handsets with NFC could read the chips on a contactless passport and other identity documents as an additional factor.
Many of these systems will also use facial recognition as the final factor. After the initial identity document is scanned and verified, the individual will take a selfie that will be checked against the photo originally captured by the document provider. Combine the identity document verification with facial recognition and you have a fairly high assurance credential, Lindley says.
Layer in a KBA check and you have remote three-factor authentication prior to credential issuance – something you have via the driver license, something you know through KBA and something you are from the facial recognition biometric check.
Dynamic KBA vs. Static KBA
After the IRS breach there was a lot of discussion around dynamic knowledge-based authentication and static knowledge-based authentication. Here are the differences:
Dynamic KBA: This type of system culls information from an individual’s financial records. What was your last mortgage payment? Who holds the loan on your car?
Static KBA: This is the type of system used to reset passwords. What was your first car? Where did you spend your honeymoon?
Dynamic KBA is certainly more robust and harder to defeat, but it also adds complexity. And in the case of the IRS breach, it was still subject to compromise.
The key here is that this level of scrutiny is only required prior to a credential’s issuance. In the future, the actual credential or token – in whatever form it may take – can be trusted because it was tied to the individual in an assured manner at the start.
Building blocks forming in U.S.
MorphoTrust has been piloting a system that uses state-issued driver license information to create a high-assurance credential. The project has been running for about a year in North Carolina and is expanding to Georgia.
The company also rolled out Identix – an identity platform that extends this service to any enterprise. The platform delivers the ability to build strong identity vetting and credentialing into any app or web site, says Benji Hutchinson, senior director at MorphoTrust.
The platform relies on information accessed from state driver license systems, Hutchinson says. “The primary way U.S. citizens establish identity is with the driver license, and with that physical token you can establish your identity anywhere,” he explains. “In any aspect of your life where you want to establish identity, you need the driver license. We are linking to the license to create a digital credential that will enable multiple new layers of identification.”
There are a number of ways this may work in practice. Citizens may opt for it when they renew or apply for a driver license or they might be enrolled by a third party, says Mark DiFraia, senior director of solutions strategy at the company.
For example, an insurance company could build the Identix functionality into its mobile app. Someone applying for new car insurance could take a photo of their driver license and submit it along with a headshot or selfie via the app. The license would be checked for validity against the issuing state’s DMV data and then facial recognition software would match the submitted headshot with the image captured when the license was issued.
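The remote proofing flow described for Verify and for the Identix insurance-app scenario above, written out as an added policy example (not MorphoTrust's, Identix's or the Verify project's code): the DMV records, the face-match threshold and the sample applicants are constructed assumptions, and the point it makes concrete is that KBA on its own never reaches more than a low level.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the issuing state's DMV data; a real deployment
# queries the state system (assumed here to be keyed by license number).
DMV_RECORDS = {
    "NC-1234567": {"name": "ALEX DOE", "dob": "1985-03-14", "status": "valid"},
    "NC-7654321": {"name": "SAM ROE", "dob": "1990-07-01", "status": "revoked"},
}
FACE_MATCH_THRESHOLD = 0.85  # assumed vendor similarity cut-off on a 0..1 scale

@dataclass
class Evidence:
    name: str
    dob: str
    license_number: Optional[str] = None      # something you have: scanned license
    visual_checks_ok: bool = False            # security features verified from the photo
    face_match_score: Optional[float] = None  # something you are: selfie vs. DMV photo
    kba_passed: Optional[bool] = None         # something you know: KBA quiz result

def document_verified(ev: Evidence) -> bool:
    """The license counts only if the visual checks pass AND the DMV record
    exists, is in good standing and matches the claimed name and date of birth."""
    rec = DMV_RECORDS.get(ev.license_number or "")
    return bool(ev.visual_checks_ok and rec and rec["status"] == "valid"
                and rec["name"] == ev.name.upper() and rec["dob"] == ev.dob)

def proofing_result(ev: Evidence) -> tuple[str, list[str]]:
    """Return (assurance level, factors proven). The biometric is only counted
    on top of a verified document: a selfie proves nothing without a trusted
    reference photo to compare it against."""
    factors: list[str] = []
    if document_verified(ev):
        factors.append("have")
        if ev.face_match_score is not None and ev.face_match_score >= FACE_MATCH_THRESHOLD:
            factors.append("are")
    if ev.kba_passed:
        factors.append("know")
    proven = set(factors)
    if {"have", "are", "know"} <= proven:
        return "high", factors         # remote three-factor proofing
    if {"have", "are"} <= proven:
        return "substantial", factors  # verified document plus face match
    if factors:
        return "low", factors          # e.g. KBA alone: one layer, not proof
    return "none", factors
```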
“If I type in my information it’s not terribly trustworthy, but if I scan my driver license and it is authenticated that adds far more trust,” DiFraia explains.
MorphoTrust is offering Identix as a white label product so enterprises can just add the functionality to their existing systems and apps. Consumers won’t have to download an additional app; enterprises will enable the functionality on their end. “Rather than having to build a whole new authentication piece, developers can add that ability from us,” DiFraia says.