- Who the person is
- What they possess
- What they know
Once an identity has been verified, it can be granted the applicable access and privileges on secured systems. An identity must be authenticated and authorized before it can access any system, but before that it must be verified when it is first created in the system and made available for authorization. This verification prior to the creation of an identity is called identity proofing. It primarily answers the question ‘Are you who you say you are?’ before a user identity or credential is created.
Identity Proofing Techniques
There are four types of identity proofing techniques, each with a different verification strength. They are listed below from the weakest to the most promising and secure method.
Classic Knowledge Based Authentication
This is the most commonly used and weakest methodology. In classic knowledge-based authentication, verification information is collected from the end user and presented in a later challenge/response authentication session on demand. Examples of this technique are security questions such as ‘What is your mother’s maiden name?’ The response to such questions is stored securely and recalled at a later date to verify an end user’s identity. This is the weakest identity proofing method, as fraudsters can easily guess the answers to these questions by knowing a little about the end user.
Dynamic Knowledge Based Authentication
A dynamic knowledge-based authentication method is a huge improvement over the classic method. This method usually produces questions on the fly based on the user’s public records or financial history. Several data aggregators offer out-of-wallet quiz services that generate questions for an end user dynamically. Answers to these questions are difficult for a fraudster to guess since they are based on the user’s personal history. However, this method is not rock solid and is still susceptible to breaches if the data sources themselves are infiltrated or compromised. The ChoicePoint data breach in 2004 is a case in point: personal information on several hundred thousand people was stolen, including names, addresses and identification numbers. The other glaring issue with this approach is its reliance on the data aggregator’s ability to source various types of data and ensure accuracy when coalescing the acquired data for each identity. Poor quality data may lead to too many false positives, devaluing this method and rendering it unusable.
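The following is an added example, not code from the original article or from any data aggregator's service. It shows the shape of an out-of-wallet quiz generated on the fly: each question's correct answer comes from the user's record history, wrong choices are drawn from a distractor pool, and the quiz is refused entirely when the aggregator's confidence in the records is too low, which is the data-quality failure the paragraph describes. The record values, distractor pools and confidence score are all constructed for the example.

```python
import random
from dataclasses import dataclass, field

# Constructed sample: the kind of record history a data aggregator would return
# for one identity. Every value below is invented for this example.
SAMPLE_RECORDS = {
    "prior_street": "Maple Avenue",
    "vehicle_make": "Toyota",
    "mortgage_lender": "First Example Bank",
}
# Aggregator-supplied confidence (0..1) that these records belong to this identity.
SAMPLE_RECORD_CONFIDENCE = 0.92

# Constructed distractor pools. A real service draws these from the same data
# source so that wrong answers look as plausible as the right one.
DISTRACTORS = {
    "prior_street": ["Oak Street", "Pine Road", "Cedar Lane"],
    "vehicle_make": ["Ford", "Honda", "Nissan"],
    "mortgage_lender": ["Second Example Credit Union", "Example Savings", "Third Example Bank"],
}
PROMPTS = {
    "prior_street": "Which street did you previously live on?",
    "vehicle_make": "Which of these vehicle makes have you owned?",
    "mortgage_lender": "Which lender holds or held your mortgage?",
}

MIN_RECORD_CONFIDENCE = 0.80  # below this, the quiz would mostly reject legitimate users
PASS_THRESHOLD = 3            # correct answers required out of 3 questions


@dataclass
class Quiz:
    questions: list                      # [(attribute, prompt, [choices shown to the user])]
    answers: dict = field(repr=False)    # attribute -> correct choice; stays server-side


def build_quiz(records, confidence, rng=None):
    """Generate a quiz on the fly; return None when the source data is not trustworthy enough."""
    if confidence < MIN_RECORD_CONFIDENCE:
        return None
    rng = rng or random.SystemRandom()   # CSPRNG so choice order is not predictable
    questions, answers = [], {}
    for attr, truth in records.items():
        choices = [truth] + rng.sample(DISTRACTORS[attr], 3)
        rng.shuffle(choices)
        questions.append((attr, PROMPTS[attr], choices))
        answers[attr] = truth
    return Quiz(questions, answers)


def grade(quiz, responses):
    """Return (passed, correct_count). Only the overall result should be shown to the user,
    never which individual answers were wrong."""
    correct = sum(1 for attr, truth in quiz.answers.items() if responses.get(attr) == truth)
    return correct >= PASS_THRESHOLD, correct
```

The confidence gate is the important design choice: when the aggregator cannot vouch for the records, issuing a quiz anyway produces failed verifications for genuine users rather than security, so the caller should fall back to a different proofing method instead.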
Out Of Band
Out-of-band identity proofing (also known as OOB) uses a verification channel that is not part of the active user authentication session. This method provides the user with either a One Time Password (OTP) or verification of a biometric identifier (for example, voice). An example of this type of authentication is a one-time code sent by SMS to the user, which they then enter in their authentication session. Another method uses biometric identifiers: the system calls the end user on their designated number and verifies their voice against a previously stored voice print. The out-of-band technique is promising as it cannot be emulated easily by fraudsters and usually forms part of multi-factor authentication.
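As an added illustration of the OTP variant described above (not code from the original article or from any product), the class below issues a one-time code over an injected out-of-band channel and verifies it in the login session. It enforces the properties a practitioner would expect of such a code: only a hash is stored, the code is bound to the session that requested it, it expires, it is single-use, and a small number of wrong attempts invalidates it. The `send` callable standing in for the SMS or voice channel and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # code is valid for five minutes after issuance
MAX_ATTEMPTS = 3        # bounds guessing of the six-digit space


class OutOfBandVerifier:
    """Issues a one-time code over a channel separate from the login session and verifies it."""

    def __init__(self, send, clock=time.time):
        self.send = send      # callable(destination, message): the OOB channel (SMS, voice, ...)
        self.clock = clock    # injectable clock so expiry can be tested deterministically
        self._pending = {}    # session_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(session_id, code):
        # Bind the code to the session so it cannot be replayed in another session.
        return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()

    def issue(self, session_id, destination):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "digest": self._digest(session_id, code),   # never store the code itself
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send(destination, f"Verification code: {code} (expires in 5 minutes)")

    def verify(self, session_id, submitted):
        state = self._pending.get(session_id)
        if state is None:
            return "no_pending_code"
        if self.clock() > state["expires"]:
            del self._pending[session_id]
            return "expired"
        state["attempts"] += 1
        if hmac.compare_digest(state["digest"], self._digest(session_id, submitted)):
            del self._pending[session_id]   # single use: a verified code can never be reused
            return "verified"
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]   # too many wrong guesses: require a fresh issuance
            return "locked"
        return "invalid"
```

The verifier deliberately returns a coarse status rather than raising, so the caller can map "locked" or "expired" to a re-issuance flow and log the outcome for monitoring.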
Risk and Behavior based Identity Proofing
Risk and behavior based identity proofing is based on the assessment of risk and needed assurance to refine decisions about whether identities should be allowed or denied access to a system or resources within a system.
The use of risk-based metrics to evaluate identity fraud is not a new concept. Risk and behavioral analytics on credit and purchasing behavior have been used extensively since the 1980s to reduce fraud in the financial sector. For instance, a well-known financial services fraud solution (FALCON) is currently used to evaluate a large percentage of all domestic credit card transactions, and has been shown to cut financial industry losses in half since its launch.
Which method is better?
Rather than depending exclusively on any one method of identity proofing, a combination of factors should be considered.
These factors include but are not limited to:
- The risk to the asset
- Level of assurance needed
- Compliance with required controls
Depending on these factors, an organization may decide to apply a layered approach to verifying an identity. The goal is not only to verify the identity but also to ensure that the identity proofing requirement does not impede the end user’s experience of the system. It would be overkill for the system to interrupt the workflow at each step to verify a user’s identity when no apparent risk has been assessed.
Identity proofing should not be limited to the initial setup of an identity credential. The ideal implementation assesses risk and behavioral parameters throughout the user’s access lifecycle to determine the level of assurance required to authenticate an identity. For example, a certain user usually accesses their system between 8am and 5pm every day, but on a particular day logs in at 7am. This may not be an apparent threat to the system, but the risk level is elevated because the event is an anomaly relative to the user’s historical behavioral pattern. In this instance, as the assessed risk is low, a challenge/response session would help confirm the user’s identity. However, if the user’s 7am login exhibits access behavior that is clearly an outlier from normal access patterns, this indicates a high level of risk to the system and needs to be mitigated by a more stringent form of identity proofing or by locking the user account.
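The following added example (not from the original article or from any vendor's product) turns the 7am scenario above into a small risk scorer. It builds a baseline from constructed login history, scores a new login by how far its hour, device and resource deviate from that baseline, and maps the score to the graduated responses the paragraph describes: allow, challenge/response, a more stringent proofing step, or lock the account. The weights, thresholds and history are all assumptions chosen for the example; a production system would calibrate them against real data.

```python
from collections import Counter
from datetime import datetime

# Constructed login history for one user: (timestamp, device_id, resource).
# Twenty working days, always from the same laptop, always at 08:00, 10:00, 13:00 or 16:00.
HISTORY = [
    (datetime(2024, 3, day, hour, 0), "laptop-01", "timesheets")
    for day in range(1, 21)
    for hour in (8, 10, 13, 16)
]


def baseline(history):
    """Summarise a user's historical behaviour into the features the scorer compares against."""
    return {
        "hours": Counter(ts.hour for ts, _, _ in history),
        "devices": Counter(dev for _, dev, _ in history),
        "resources": Counter(res for _, _, res in history),
        "n": len(history),
    }


def score_login(base, ts, device, resource):
    """Return (score, reasons). Each deviation from the baseline adds weight to the score."""
    score, reasons = 0, []
    if ts.hour not in base["hours"]:
        # An hour adjacent to a usual login hour (the 7am case) is a mild anomaly;
        # one far from every usual hour is a strong one.
        near = any(abs(ts.hour - h) <= 1 for h in base["hours"])
        score += 1 if near else 3
        reasons.append(f"login at {ts.hour:02d}:00 is {'adjacent to' if near else 'far from'} usual hours")
    if device not in base["devices"]:
        score += 3
        reasons.append(f"unknown device {device}")
    if resource not in base["resources"]:
        score += 3
        reasons.append(f"first access to resource {resource}")
    return score, reasons


def decide(score):
    """Map a risk score to the assurance step that should be required."""
    if score == 0:
        return "allow"        # matches historical pattern
    if score <= 2:
        return "challenge"    # low risk: challenge/response confirms identity
    if score <= 5:
        return "step_up"      # elevated: more stringent proofing, e.g. an out-of-band code
    return "lock"             # clear outlier: lock the account pending review


def evaluate(base, ts, device, resource):
    """Convenience wrapper returning (decision, score, reasons) for one login event."""
    score, reasons = score_login(base, ts, device, resource)
    return decide(score), score, reasons
```

With this baseline, a 7am login from the usual laptop to the usual resource scores 1 and gets a challenge, while a 7am login from an unknown device to a resource the user has never touched scores 7 and is locked; the `reasons` list is what an analyst or an audit log should see alongside the decision.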
As the risks of cyber threats and fraud have increased in recent years, identity management has become a mission-critical program requirement for many Federal agencies, which must incorporate trusted identity verification systems to protect access to online systems and services.
Unissant understands the stringent requirements for an online government identity proofing solution and has the experience in the methodology, technology and processes to provide a mission-critical identity proofing system that utilizes a layered risk and behavior based approach to verify identities in government information systems.