Moving identity proofing online
Alternatives to face-to-face checks can save money, offer user convenience and deliver identity on a global scale
25 February, 2014
category: Corporate, Digital ID, Government, Health
Exostar pushes online vetting for aerospace and defense
Providing a business-to-business exchange portal for some of the largest manufacturers in the world poses an interesting identity management issue. Since launching in 2000, Exostar has expanded its service offerings and extended its supply chain to identity management and collaboration.
Exostar now on-boards individuals for access to the supply portals and various applications, says Vijay Takanti, vice president of Security and Collaboration at Exostar.
Boeing, for example, has a supply portal with different applications ranging from purchase order processing to design specification management. “There are thousands of apps in the portal and 150,000 users who need access,” Takanti says. “Part of identity management is to prove the assurance of the identity, and we assure that they are who they say they are and that they have proper access.”
It’s Exostar’s responsibility to vet the identity of those who want access to the portal, Takanti says. “Depending on the levels of assurance required – some want a level four check – we send someone out to physically check a passport and then provide the credential,” he explains.
For users requiring level three credentials, the entire process occurs online.
Scoring identity with Experian
Exostar contracts with Experian to conduct online identity vetting. Remote identity proofing services reduce the time needed to on-board individuals into a community while balancing identity-proofing requirements.
The service includes online credit bureau-based identity vetting options. Through Experian, Exostar conducts a knowledge-based verification process wherein an individual must answer questions drawn from the credit-related information maintained in the Experian databases.
If the individual passes through the Experian vetting successfully, they are then sent a one-time passcode token in the mail or can download an app for use on their smart phone, Takanti says. Start to finish, the process takes 72 hours if the token is being shipped.
Exostar chose Experian because it has provided similar services to the Social Security Administration and other U.S. federal agencies, says Keir Breitenfeld, vice president of fraud and identity solutions of Experian’s Decision Analytics.
Exostar uses the Experian’s Precise ID platform that has achieved Federal Identity Credential Access Management recognition at assurance level 3 for identity proofing.
Experian launched it service in 2006 and uses credit profiles, along with millions of other records associated with consumers, to create a risk-based identity score that is similar to a credit score. “We’re checking against 200 million identity transactions to piece together a more holistic view of identity and deliver a score back,” Breitenfeld says. “We’re scoring the confidence of an identity in a non face-to-face environment.”
These identity transactions include anything from credit inquiries to authentication inquiries and an array of queries in between. This enables Experian to develop a strong idea of how an identity is being used, Breitenfeld explains.
For example, if Experian sees the same name, address or Social Security number six times in three weeks they can be confident of an identity. If, on the other hand, they see a name, address and different Social Security numbers coming from that address, they would be less confident, Breitenfeld explains.
Experian is also using device identification as part of the identity score, Breitenfeld says. The company acquired 41st Parameter, which tracks web fraud origination. If Experian notices that an identity request is coming from an area where fraud is high, it can use that to help determine an identity score.
Records of these identity transactions along with knowledge-based authentication questions are two parts that make up the final identity score, Breitenfeld says.
Knowledge-based authentication – the use of questions derived from information in an individual’s credit report and other public records – has come under criticism for not being secure or secret.
Following several highly publicized breaches of these service providers, information once thought to be secret may no longer be secret. Experian counters this by explaining that knowledge-based authentication is just one part of the identity score. “There’s a perception that we just use knowledge-based authentication or that it’s heavily weighted in a positive or negative way because it’s what the consumer or analyst sees,” Breitenfeld says.
But that is not the case, he says. Additional information is always used to deliver an accurate identity score. “If you’re basing an identity claim on knowledge-based questions alone, it’s not good enough,” Breitenfeld explains.
Breitenfeld argues that online identity verification can actually be better than in-person checks. Face-to-face checks typically rely on documents – such as a passport or driver license – but these documents can be altered. It also relies on the capability and attention of the human verifier.
Online verification, on the other hand, offers dynamic checks of an individual’s data because the individual doesn’t know what questions will be asked and there’s a time limit to answer. It also eliminates the vagaries involved with human checking.