Traditionally, when you sign up for an online service youâ€™re nearly always asked do some form of identity verification. Depending on the organisation, or the service being requested, this can range from an email with a link to click on, to a one-time passcode over SMS, or even the requirement to upload official documents. The reason for this verification process can depend on a number of factors, but is often for one of the following purposes:
- To limit the abuse of referral schemes or free offers â€“ at a basic level, if someone can take the time to wait for an email to arrive and click on the link in it then you have at least verified that they have entered a valid email address that they have access to.
- To satisfy AML or KYC requirements â€“ businesses need to ensure they arenâ€™t onboarding politically exposed persons or terrorists (or at least if they are, then theyâ€™re aware of it!)
- To enable the ability for external lookups â€“ for example credit checks.
- To check eligibility, limit or enable access to certain online services â€“ for example to check for continued eligibility for single person discount for tax credits.
- To ensure customer databases are up-to-date and complete â€“ these databases are often the source for analytical models that can be used to predict churn, upsell, cross-sell or segment the customer base. Having up-to-date data is critical for businesses to get the most from these models.
For businesses and commercial organisations who are typically further along the digital transformation journey than public sector organisations, the methods and uses of ID&V are generally better understood. Government departments, however, are not only further behind in this journey but, due to the services they offer (for example, offering benefits and issuing important documents etc.), it is arguably much more important that they take the time to consistently and accurately verify the identity of their users.
Currently, when accessing these types of services, traditional forms of identification are used to varying degrees. These range from just entering document numbers on an online form, to scanning and uploading documents for human verification. However, these traditional forms of identification and checking are no longer really compatible with the digital world in which we now live. Passports may have biometrics that can be read by machines at airports, but using passport numbers or social security numbers as a form of ID online is not that secure, and uploading for a manual check adds a time-consuming and a costly overhead in the overall process.
As we move to an increasingly digital world, and with the added benefit of reducing the cost of customer contact centres, government agencies are making more and more services available online through self-service portals. In order to avoid adding unnecessary friction into customer journeys, and to realise the true potential of this type of offering, they need to realise the strength of an individualâ€™s digital identity: my email account, laptop or smart phone are probably more securely linked to me as an individual than my passport number or identifiers such as National Insurance or Social Security numbers.
Time for a New Way of Looking at Identity Verification
In the same way that we have various physical identity documents such as a passport and driving licences, we also have several online digital identifiers. Digital identifiers include the devices, email addresses, online accounts, identity credentials and the geo-locations we typically transact from. In some cases, it could be argued that these are even more strongly linked to a physical identity than some of the traditional methods: consider a phone for example, the vast majority now have biometric hardware that requires facial identification or a fingerprint to unlock. No such security is required to type a passport number into an online form. It could also be argued that hardware facial recognition would be harder to crack than human comparison of two images.
By utilising these aspects of an individualâ€™s digital identity alongside the more traditional physical attributes, the level of certainty that this person is who they claim to be is much greater. For example, by recognising that they are using a device with which they have a strong historical relationship history with (from previous online interactions), and that this device has no negative associations or connections to previous frauds (both local to the organisation, and at a global level), this user could be passed down a low-friction customer journey. Conversely, if an application for a government service is received using legitimate traditional identifiers or documents, however this is the first time we have connected this device with this identity, and there are other anomalous characteristics (e.g. itâ€™s a mobile device that has been jailbroken or rooted, or they are using a proxy to disguise their true location), then we could resort to a step-up challenge for this application.
Clearly, in the current digital world, thinking about identity and identification as solely verification of paper documents is insufficient. Utilising digital identity intelligence that is custom-fit for the digital age goes hand in hand with the digital transformation of government services that we are seeing today.
The post Can I see your ID Please? Identity Verification for the Public Sector appeared first on ThreatMetrix.