Alternatives to face-to-face checks can save money, offer user convenience and deliver identity on a global scale
LexisNexis enables a multi-layered approach
Similarly, knowledge-based authentication is just one piece of the proofing solution LexisNexis offers its clients, says Kimberly Little, director of market planning for Identity Management Solutions at LexisNexis.
The first step for most clients is verification; checking name, address, date of birth and other demographic data against public records.
LexisNexis can filter through more than 36 billion public and proprietary records from more than 10,000 separate data sources. “The goal is to make sure we have seen the combination of data elements before,” Little explains.
The verification step makes sure the identity is valid and the steps that follow validate that the person answering the questions is who they claim to be, Little says. This is where dynamic knowledge-based authentication comes in; it asks questions and validates identity.
“Knowledge-based authentication remains one of the more effective ways to authenticate an identity the first time you see a customer,” Little explains. “The biggest challenge is that knowledge-based authentication is treated like one big bucket. There are so many analytics that can be built in, so many ways the questions can be delivered, and we give our customers the ability to figure out how strong to make that process.”
There are other protocols layered in as well. LexisNexis can check for fraudulent phone numbers and check the geolocation of IP addresses to make sure requests aren’t coming from suspicious areas, Little says.
The role of social media in identity proofing
Ask most people the role of social media in proving an identity and each will most likely give a different answer. At its core, a Facebook or LinkedIn profile is a level one, self-asserted identity, but groups are now looking at how this data can be used to better proof an identity.
Others are even considering ways to “level up” a social credential to a higher level of assurance.
LexisNexis says some of its customers are interested in seeing how social media data can be used, says Little. “We are seeing more customers who are interested in learning about or evaluating the effectiveness of non-traditional data sources, including social media and social networking data for identity proofing,” she explains. “As our physical and digital identities continue to intersect or even merge, I think we will see an increase in the need for and use of non-traditional data sources in the identity proofing process.”
The problem is the self-asserted nature of this data and its potential reliability. “There have been limited published studies on the applicability of these types of attributes in fraud or risk models, and it probably requires more analysis to determine their appropriate use in identity management processes,” Little adds.
Experian is another group that is employing a wait and see approach to determine how social media data can be used to proof an identity.
“At this point, that type of data still lacks enough certainty and consistent structure to warrant direct use in online identity authentication,” says Breitenfeld. “That said, we continue to look at social media data both on our own and with our clients to determine at what point social media footprints, for example, may play a weighted role in our overall identity authentication processes.”
The future of online proofing
Online identity vetting now consists of multi-layered techniques and the future will just keeping adding layers. Secure video chat is one of the obvious next steps, says SAFE-BioPharma’s Secrest. He’s not sure whether that could replace face-to-face identity verification, but it’s something that is going to emerge. “The techniques will continue to evolve and we will see new methods,” he adds.
As the need for strong online identities grows so too will the need for strong identity proofing. This will likely consist of different processes – public records, financial transactions, social media, etc. – so the user can apply for, receive and use a credential from the comfort of home while the issuer can have a high confidence that the user is who they claim to be.
An exercise in remote proofing: Checking Social Security benefits online
Experian provides online identity proofing to the U.S. Social Security Administration. For the uninitiated, here’s what happens.
I first entered my name as it appears on my Social Security card, my date of birth and address. If you want to enroll your mobile device to receive information you also have to enter the last eight digits of a credit card.
Next came the knowledge-based authentication in multiple-choice format. It asked for terms of my auto loan, a previous employer and the model of car owned. Then it provided a previous address and asked me to supply the city in which the address was located. The questions were not a problem.
The problem came next when it asked me to choose an eight-character password that had to contain one uppercase letter, one lowercase letter, one number and one symbol. I’ve already forgotten what I picked. Here’s hoping that efforts like NSTIC and the new Federal Cloud Credential Exchange will make logging on for online government services a little easier down the road.