Bringing verification into the 21st century
This is a guest post by David Thomas, CEO and founder of Evident ID Inc.
The Government Accountability Office (GAO) recently released a report that expressed concern about how the federal government verifies the identities of people who apply for benefits online. It came as quite a shock to individual applicants and cybersecurity pros who learned that several prominent government agencies are still relying on knowledge-based verification (KBV) methods using data from credit agencies, despite the fact that the National Institute of Standards and Technology (NIST) no longer endorses this verification method.
KBV was once an effective way for businesses to verify an individual’s identity, but this method is now wholly insufficient, as credit agencies have fallen victim to major data breaches, exposing massive amounts of sensitive personal information. All of a sudden, cybercriminals or imposters could find the answers to KBV questions like “What is your mother’s maiden name” or “What was the name of your high school” through a simple Google search, or through an inexpensive purchase on the Dark Web. This turn of events has prompted individuals to game the verification system by entering false data in lieu of accurate facts, or by replicating the same response for every KBV question.
The GAO report acknowledges that there are alternative methods to verify identity, including in-person authentication or remote verification that uses a mobile device to capture a selfie for comparison with the individual’s government-issued ID. Federal agencies have not had much success with implementing these methods. For one, in-person authentication generates frustration for the individual, resulting in them abandoning the agency’s very expensive, time-consuming manual verification process. Secondly, not all users have access to a cell phone, which is a basic requirement for any remote identity verification process.
GAO sought guidance from NIST with regard to how federal agencies should go about implementing alternative verification methods. However, even with a solid recommendation based on an evaluation of the pros and cons of different technologies, federal agencies are still likely to push back, citing technology, convenience, and financial constraints as their reasons for being unable to sunset KBV practices.
Government agencies must find a way to get on board with eliminating KBV methods, and need to move quickly, or else the individuals they serve will become increasingly vulnerable to identity fraud. Current technology makes it possible for both government agencies and private sector organizations to remotely verify their users’ identities and credentials faster, safer, and with a greater level of assurance, so they can confidently grant or deny access to a platform.
In addition to providing organizations with answers based on the most current and accurate data possible, verification technology solutions should also be able to protect the personal data that’s collected to authenticate a user. Data encryption and distribution in the cloud help to ensure compliance with global data protection regulations. Respecting a user’s privacy by protecting their data is as important as using an updated verification method, especially for federal agencies and businesses in government-regulated industries.
Federal agencies and any other type of organization should ask the following questions to determine the suitability of a remote identity verification technology solution:
1. Does the solution decrease friction with good user experience?
2. Does it automate identity proofing?
3. Does the solution improve turnaround time (e.g., onboarding, account creation, password resets)?
4. Does the solution allow me to receive as much or as little data as I need to make important business decisions?
5. Does it enable compliance with data protection, cybersecurity, and other similar regulations?
6. Is the verified data secure? How is it protected?
Transitioning away from KBV security methods doesn’t have to be painful, and in fact, can be seamless for organizations that are armed with the right technology.
About the author
David Thomas, CEO and Founder of Evident ID Inc., is an accomplished cybersecurity entrepreneur. He has a history of introducing innovative technologies, establishing them in the market, and driving their growth—with each early-stage company emerging as the market leader. Today, he and his co-founders at Evident help businesses quickly and accurately verify individuals’ identities and credentials without the risk and liability of handling sensitive personal data.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.