Treasury’s Financial Crimes Enforcement Network (FinCEN) recently announced that $212 billion dollars of financial transactions in 2021 tied to suspected fraud and money laundering were a result of failures in the identity verification process. This comes on the heels of a Government Accountability Office (GAO) report that estimated $100 – $135 billion dollars of fraud tied to unemployment benefits during the pandemic. Considering that Michigan alone paid up to $8.5 billion dollars to fraudsters, getting identity verification right is a national imperative.
We assembled this brief guide to digital identity to help IT officials assess identity vendors:
Frictionless Login & Identity Verification:
In European countries like Estonia, Sweden, and Norway, residents of those countries can use the same login credentials to access their government, healthcare, and financial services. America’s national policy, which is set forth in OMB M-19-17, calls for a similar approach with a significant twist. Instead of a national ID managed by the federal government, OMB policy calls for agencies to allow Americans to select from federally and commercially provided (like ID.me) shared services for login and ID verification that meet the NIST 800-63 requirements for privacy and security. This approach envisions a login ecosystem that functions like digital payment wallets like PayPal and Venmo that expedite checkout.
When comparing shared service vendors to data brokers and component solutions for government ID authentication, the relevant questions to compare performance are:
- Can ID verification at one agency enable frictionless access to another agency?
- What is your pass rate net of fraud?
- How much time does it take people to verify?
- How many languages does your solution support?
Identity Resolution Integrity:
There are billions of people who live in this world, but there is only one you. The technical process of separating one unique person from all other persons is known as identity resolution. For Americans, the primary way to perform identity resolution is by using a Name, Date of Birth, and Social Security Number. This is particularly true because most government agencies do not have driver’s license numbers or current address or phone information on file to match to a unique person.
Identity resolution techniques should also be in place for individuals who have an Individual Taxpayer Identification Number (ITIN) and for overseas individuals who don’t have an SSN. In a shared services model, agencies should be careful to ensure federated login providers don’t allow multiple logins to represent a single, unique identity simultaneously. Poor internal identity resolution can open the door to fraud and ID theft.
Critical questions for identity verification evaluation include:
- For shared service providers, do you allow multiple different logins and accounts to represent the same unique identity (e.g. the same Name, DOB, SSN)?
- For first-time ID verification, how do you perform identity resolution for individuals who have an SSN?
- For first-time ID verification, how do you perform identity resolution for individuals without an SSN?
Account Recovery & Consumer Fraud Protections:
Maintaining the evidence used for identity verification (e.g. photo ID and other forms of evidence) is critical to audit the performance of technology systems, provide for account recovery, deliver recourse to the victims of scams and fraud, and for regulatory compliance. For these reasons, the Kantara Initiative, a non-profit auditing body that assesses NIST 800-63 compliance, requires that shared service login providers retain the evidence used during proofing for non-repudiation. This audit trail provides vital consumer protections and also enables agencies to protect taxpayer funds and their constituents from identity theft and fraud.
Scams are a serious threat to consumers. In 2022, the FBI reported 32 million fake accounts on LinkedIn and the New York Times published accounts of fraud on Zelle, a bank-run payments system. If a shared service login provider cannot see the login and ID verification activity associated with an account, they may be unable to help victims.
If a shared services provider cannot see what happened during proofing, then victims of fraud may not have recourse to quickly prove fraud. Similarly, government agencies that detect fraud may not have the ability to understand how the attacker got through. Such a state of affairs strips vital consumer protections away from consumers. For example, banks are able to see your credit card activity to protect you and merchants from fraud.
Critical questions for identity verification evaluation include:
- Do you retain the evidence used for ID proofing in accordance with NIST 800-63?
- NIST 800-63-3 Identity Assurance Level 2 requires a “physical” or “biometric” comparison of the user to the photo ID – see Table 5-3 Verifying Identity Evidence under the Strong category.
- If an individual reports identity theft or a scam, is your help desk able to investigate the identity verification evidence used to verify an account?
- Is your solution able to integrate signals tied to login and Multi-Factor Authentication with identity proofing to prevent social engineering scams?
- Do you retain the evidence used for ID proofing in accordance with NIST 800-63?
Alternative Identity Verification Pathways:
Domestic data brokers and credit bureaus often lack coverage for overseas populations and Americans who recently moved, are unhoused, or changed their name. According to the Association of American Residents Overseas, there are 8.7 million Americans, excluding the military, who live abroad. Taken together, overseas users would represent the 12th largest state in the country – about the size of New Jersey or Virginia. Since 2018, ID.me pioneered the first NIST 800-63-3 IAL2 compliant pathway to create a path for these users to access government services.
Keep in mind there are potential national security issues tied to data brokers. From allegedly selling military service personnel data to overseas entities to foreign ownership, there are many questionable business practices that merit further scrutiny.
From an inclusion lens, here are the critical questions to ask vendors:
- What recourse do individuals have if their personal information doesn’t match your records? Do you offer alternative pathways or do you shift the burden to the agency?
- What is your data coverage for persons living in international countries?
- What are your pass rates by zip code, income, and age?
-
Inclusive In-Person Identity Verification Features:
Offering in-person identity verification is critical to fighting the digital divide. At the same time, the maturity of an in-person identity verification offering is critical to truly increasing access. To that end, the following questions can help access the effectiveness of in-person verification:
- Can individuals without a phone utilize in-person identity verification?
- Is in-person verification available to all users or do users need to match data in a data broker before they are offered the option to go to an in-person location?
- What types of documents are accepted for in-person verification i.e. driver’s license only or all of the types of photo ID accepted on the Form I-9 like a permanent resident card?
- Does the help desk have visibility as to the documents used for in-person verification?
These evaluation areas will help government officials understand the capabilities of various authentication systems. With literally hundreds of billions at stake, it is critical to get this right.
