Identity Authentication — Are They Who They Say They Are?
How do you know if the person on the internet isn’t a dog? How do you know a person is who they say they are? As the online world evolves, the need for verifiable and trusted identities increases. While initially a fake identity might generally be a benign occurrence on online forums, now a fake identity can result in major loss of funds or be at the core of financial crimes.
Building the necessary framework of trust online requires an identity check to confirm that the person actually exists, checking the validity of the identity data they provide and verifying that data, also known as personally identifiable information (PII). These are not the same questions and represent three different types of checks:
- Identity authentication
- Identity validation
- Identity verification
The differences between the three cause confusion, as each involves different information and has different legal ramifications and requirements. The terms are often used interchangeably but have different meanings, so it’s advisable to clarify their use. The level of identity checks depends on a company’s risk-mitigation strategy and, if it’s a covered institution such as a bank or money service business (MSB), what regulations it falls under.
Identity Verification and Validation
The identity journey starts at verification; does a record of this person exist? When a person supplies their identifying information such as name, address and date of birth, does that information match a record of a person? For regulatory compliance purposes, often this is enough.
For example, in the US the Patriot Act states:
(2) MINIMUM REQUIREMENTS — The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for —
‘‘(A) verifying the identity of any person seeking to open an account to the extent reasonable and practicable;
‘‘(B) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information;
Note though, these are minimum verification requirements. Depending on the type of account, expected volume and amount of transactions, location and other factors, additional identity information or procedures might be called for.
Identity validation checks if the information represents real data. While the identity information might match a record, without validation a record with inaccurate or fraudulent data would seem legitimate. An example is ensuring a social security number has been issued and the person is actually alive. Validating identity information adds an additional risk-mitigation layer.
Identity authentication determines if the person is who they say they are. Authentication relies on additional data that is difficult to produce, except by that specific person.
By adding an additional layer of identity information, authentication broadens the scope of identity information necessary to produce a positive match. Authentication further reduces the risk of fraud and builds the level of trust needed to safely do business with that particular individual.
Traditionally, this level of identity data relied on Knowledge-Based Authentication (KBA), which uses questions that (supposedly) only that person can answer. For example, your mother’s maiden name or the name of your first pet are common KBA questions. Biometrics offers another authentication process. Using the uniqueness of human characteristics, such as a fingerprint, retina, face or voice, biometrics provides identity information about something you are.
As KBA information is collected in databases to check for a match, those databases are a target for compromise. The KBA answers could also be phished or disclosed by another person who knows that information. Therefore, in theory, biometrics offers a higher security standard than KBA. However, as with any technology, biometrics is not perfect and also has potential security loopholes and issues. Criminals have learned how to steal fingerprints, fool face recognition, record voices and use other techniques to bypass security.
If one biometric was the only identity data point, these security issues would be cause for concern. However, when layered in with numerous other data points, it’s not a single point of failure but rather just part of the overall security system.
Consider document verification, which uses possession of an identity document to provide authentication. Photos of driver’s licenses, passports or other primary ID documents are electronically examined to determine authenticity and legitimacy, as well as to ensure a document is not forged or altered. While this is powerful information indicating that the person possesses the ID, what happens if a fraudster has those documents? To close that loophole, a live photo is compared to the photo on record for validation.
Other techniques rely on two-factor authentication (2FA), which uses a second channel to authenticate the identity. For example, a text message is sent to a validated phone number with a one-time password (OTP). Entering that OTP into the identity check authenticates that the person possesses the device.
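The server side of the OTP possession check described above, as an added example that is not code from the original article: the code is random, stored only as a salted hash, time-limited, single-use, attempt-limited and compared in constant time. The SMS gateway call, the TTL of five minutes and the three-attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: lock the code after three wrong guesses


@dataclass
class OtpChallenge:
    """Server-side record of one OTP sent to one validated phone number."""
    phone: str
    salt: bytes
    code_hash: bytes        # only the salted hash is stored, never the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(phone: str, now: Optional[float] = None) -> Tuple[OtpChallenge, str]:
    """Create a random numeric OTP for a validated phone number.

    Returns the challenge record to keep server-side and the plaintext code
    to hand to the SMS gateway (the gateway call itself is out of scope here).
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    salt = secrets.token_bytes(16)
    challenge = OtpChallenge(phone, salt, _hash_code(code, salt), now + OTP_TTL_SECONDS)
    return challenge, code


def verify_otp(challenge: OtpChallenge, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code only once, only before expiry and only within the attempt budget.

    The hash comparison is constant-time so response timing does not leak digits.
    """
    now = time.time() if now is None else now
    if challenge.used or now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    ok = hmac.compare_digest(_hash_code(submitted, challenge.salt), challenge.code_hash)
    if ok:
        challenge.used = True   # a correct code cannot be replayed
    return ok
```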
Using information from Mobile Network Operators (MNOs) — Mobile ID — offers another potential channel for authentication. These MNOs have deep sets of information on their customers such as name, mobile number and address, along with device information, geolocation, usage and billing data. While using these datasets for authentication is in the very early stages, the opportunities to connect various facets of this information with other data points can open up whole new authentication models.
Relying on a single data source is rife with potential trouble: systems with one data source have one point of failure, corrupted data can’t be offset, and varying data sets can’t be analyzed and optimized for maximum insight and performance. Combining multiple data points and channels provides a method to triangulate true identity, using information from different angles to better determine accuracy.
Authentication for AML/KYC
From a legal perspective, many countries don’t yet accept alternative methods for Anti-Money Laundering (AML) Know Your Customer (KYC) compliance checks. To do so will require legislative changes as well as building out the necessary safety and security protocols.
However, as stated by the FATF, “A growing number of countries are adopting innovative, technology-based means to verify customer identity”, and increasingly these measures include biometrics. The Aadhaar system in India includes fingerprints, iris scans and ID photographs. New Zealand, Australia, Malawi, Colombia and Pakistan also give biometric information legal status.
As biometric technology becomes more commonplace, consumers seem ready to accept their use. A recent Retail Banking Biometrics Confidence Report discovered that 79 percent of respondents stated they want the opportunity to use advanced biometrics for mobile banking or payment apps. Eighty-six percent thought that biometrics are easier than passwords and 82 percent think they are more secure.
While there are implementation issues such as security, privacy and control of the information, the ease of use and extra layer of security point to a future where more regulators will allow biometrics as part of the identity process.
Trusted identity verification combined with validation and effective authentication delivers identity checks that are reliable and secure and solidifies the trust relationship between parties. Through the interweaving of numerous data sources, types and channels, fraudsters are kept at bay, solid connections are made and a future of seamless, trusted identity authentication becomes reality.