Remote Identity Proofing for Digital Identity

By Peter Steiner, The New Yorker, July 5, 1993.

In 1993, Peter Steiner, a cartoonist and a novelist, submitted his doodle of two dogs sitting in front of a computer to The New Yorker. Little did he know that this cartoon was far ahead of its time and would later become the most reproduced New Yorker cartoon in the magazine’s history. Almost 30 years after its publication, we now live in the digital age where one can connect to the other side of the world in less than a second. “On the Internet, Nobody Knows You’re a Dog” remains just as relevant or perhaps becomes even more relevant than ever.

Identity Theft and Cybercrime

According to Javelin report, that identity fraud hits new victim every two seconds. In the United States, for example, 1 in 3 adults reported that they have experienced identity theft. More than 160,000 people also reported that fraudulent credit card accounts were opened with their information.

Top 5 types of identity theft in 2018, Federal Trade Commission, Consumer Sentinel Network, USA.

Identity theft has become commonplace due to the prevalence of large-scale data breaches and the massive amount of digital footprint that we regularly leave on the internet. To combat the rise of identity theft and cybercrime, organizations and corporates must determine “Is the customer actually the customer?” and require the means to verify the identity of their legitimate customers. Such means are called Identity Proofing.

Is the customer actually the customer?

Photo from fingera

Remote Identity Proofing

Identity proofing ensures that users attempting to access services are actually authorized to do so. It also prevents fraudsters from gaining an access to sensitive data of legitimate customers. Some businesses, such as those in the financial sector, are required by law to verify the identities of their customers. This is known as a know-your-customer (KYC) process that aims to counter money laundering and other illegal financial activities.

The most primitive form of identity proofing requires a face-to-face verification. This is inapplicable for most of online transactions and communications that could take place at the opposite side of the world. A remote alternative is the German model that replaces in-person meetings with two-way video calls. However, video call verification is still time-consuming and expensive.

In recent years, many modern approaches for remote identity proofing have been developed. These approaches provide fast and inexpensive identity verification. Below, we review different methods for remote identity proofing.

Methods for Remote Identity Proofing

1. Document-centric methods involve uploading pictures of physical documents, such as national ID cards and passports. Taking selfie is often required for comparison with a photo ID to ensure that a genuine holder of the ID is present. Anti-spoofing mechanisms such as liveness detection are also crucial although they could erode customer experience. In most organizations, uploaded documents are reviewed manually by humans whereas automation with machine learning can be utilized at the cost of lowered security.
2. Data-centric methods use data from public records and trusted entities such as the credit bureaus. Alternatively, publicly available data can be used, such as those from social media. Recorded data of existing customers can also be used. However, this method could be fooled by identity theft and synthetic identity.
3. Digital-attribute methods use device data such as time zone setting or device ID numbers such as MAC addresses and IMEI numbers. Mobile phone numbers and email addresses also are used as persistent evidence of identity. Near-field communication (NFC) could also be used for identity proofing.
4. Behavioral biometrics methods track how users use their device, including mouse movement, screen swipe, typing cadence and device orientation. Several behaviors of users can be combined to form their behavioral signature, which is recognized by a machine learning program.

Orchestration

An individual proofing method is unlikely to serve as a reliable and definite evidence of identity. Orchestration of several identity proofing techniques can be used to provide more secure services to customers. Data from different methods above could also be combined, linked and analyzed by a machine learning program.

Photo by Manuel Nägeli on Unsplash

Security vs Customer Experience

In identity proofing, there is always a tradeoff between security and customer experience. An identity proofing process that is too elaborate could drive customers away. Hence, modern organization must not only meet the compliance regulations but also provide user-friendly services and great customer experience.

Identity Proofing and Digital Identity

Our previous blog posts discuss decentralized digital identity and how this emerging technology could drastically change our society. With verifiable credentials, digital documents can be made tamper-evident since they can be verified by using digital signature. However, such a verifiable process assumes that credentials are issued to legitimate users from the beginning. If an issuer is deceived by a fraudulent user, valid digital credential could be issued with invalid information inside. Hence, it is essential for credential issuers to perform identity proofing and verify the identity of their users.

For example, a user may be required to provide a document-centric evidence of their identity to gain an access to a service for the first time. Once the evidence is provided to the service provider, the user can then use his/her private key to authenticate. Another use case is when the private key is lost or stolen. Automated identity proofing could then be used to identify the real owner of the key, preventing hackers from revoking the old key and obtaining the new key themselves.

In summary, identity proofing will be increasingly important in the current technology landscape where every aspect of our lives is becoming digitized. In the near future, people, organizations, electronic devices and even pets will be given identities in digital forms. To stay competitive in this every changing world, modern organizations must decide the right tradoff between achieving an appropriate level of security and providing smooth customer experience.

References

Karen Lewison and Francisco Corella, Rich Credentials for Remote Identity Proofing, Pomcor (2017).

Paul A. Grassi et al., Digital Identity Guidelines: Enrollment and Identity Proofing, NIST Special Publication 800–63A (2017).

Jonathan Care and Akif Khan, Market Guide for Identity Proofing and Corroboration, Gartner (2019).