The Rising Importance of Identity Proofing

Learn why Top Industry Analysts consistently name Okta and Auth0 as the Identity Leader
Read more
Updated: 04/21/2022 - 12:27
Time to read: 7 minutes

Identity proofing uses biometrics, security questions, documents, and other information to verify one’s identity. Standard identity proofing questions you might be familiar with include the name of your first pet or your birthday. When this information is stolen, it means hackers not only have access to your details, but they can easily get details of other customers or patients from the company they hack into. This personally identifiable information (PII) can include payment details, date of birth, and social security number or driver’s license number, which can all be exploited for fraudulent transactions. Finding simple, effective, and secure methods for identity proofing is extremely important for modern organizations. Checking passports, drivers’ licenses, or other physical forms of ID on every login is not scalable. However, having that level of comfort in these safety measures is important.

Why identity proofing matters

Data breaches are, frustratingly, a common occurrence. Although research shows that fewer people were impacted by data breaches in 2021 compared to 2016, millions of people still have their personal information compromised by hackers on a routine basis. It still takes as long as six months for most data breaches to be detected. By then, all kinds of personal information can be bought and sold on the dark web. The regularity of data breaches shows how important it is for companies to take identity proofing seriously.

Definition of identity proofing

In short, identity proofing is the process in which a computer verifies that you are who you say you are, based on provided information. This may go beyond a simple login name and password. It is the equivalent of someone at the desk at the airport checking your identity documents before you get on an international flight. Your identity might seem like an obvious concept, but for institutions that use computer databases (which, nowadays, is all of them), your identity is a different set of information than what you believe your identity to be. To a computer database, your identity is a collection of records or attributes associated with that organization. One single attribute, like your eye color, is usually not enough to identify you against other individuals who are customers of an organization. Proper identity proofing can require multiple pieces of evidence to prove a customer’s identity. Once that information is entered in the first stages of a customer’s lifecycle with a company, it should be easy enough to refer to those documents when the customer returns later. The National Institute of Standards and Technology’s (NIST) Special Publication 800-63-3, Digital Identity Guidelines states the importance of collecting and assessing more than one type of identification document or related biometric information to conclusively determine a new user’s identity. The changes to these standards have been instituted for many organizations, including signing up for bank accounts, educational institutions, or similar services, because the ubiquitous use of name, physical address, phone number, and social security number mean that several data breaches have leaked this information, and it is no longer considered secure. Adequate identity proofing should be able to:

  • Gather evidence from strong identity documents.
  • Confirm these documents are legitimate.
  • Track the prevalence of this identity over institutional records.
  • Assess the risk of identity fraud with this information.
  • Assure the identity belongs to the person claiming it.

The purpose of identity proofing is to ensure that someone logging into customer information is the customer and not fraud.

The cost of identity fraud

According to the US Federal Trade Commission (FTC), there were 4,720,743 reports of fraud and identity theft in 2020. Almost a third of those reports involved identity theft alone, suggesting that identity proofing must be taken seriously by organizations. Identity theft included: 

  • 14,086 reports involving email and social media.
  • 45,558 involving medical services.
  • 14,779 reports from online shopping or payments.

Most fraud reports involve small amounts of money lost: 526,000 reports of fraud or identity theft involved losses of $1,000 or less, with a median loss of $311 across all types of fraud and identity theft reports. However, losing this amount of money as an individual can mean the difference between paying your bills on time or not. The FTC reported that, between 2019 and 2020, the number of identity theft cases in the United States doubled.

How identity proofing works with your IP address

One way to manage identity proofing is to verify every device that attempts to log into the system using the device’s IP address. When any device connects to the internet, it does so through an internet service provider (ISP), which assigns your device a totally unique IP address, which is a set of numbers. Cloud computing programs and services, including websites that host login pages, are hosted on devices that also have IP addresses. When these two devices recognize each other, they are able to share information. Restricting connections from devices with IP addresses that are associated with fraudulent activity is one way to ensure data security. Similarly, a company may restrict which IP addresses can access their data. To find your IP address and use it with identity proofing, you should consider whether your computer runs on a Windows or Mac operating system. 

  • Windows: Microsoft’s Azure AD uses W3C standard verifiable credentials for users, so that containers of identity information can be used to issue verifiable statements about people, organizations, and things. Credentials can be created quickly and easily, including providing a QR code to access the website; information is validated using Microsoft Authenticator; and this information can be kept by the user in Microsoft Authenticator or another similar wallet. To find your IP address in Windows 10:  
    • Go to the Windows logo in the lower left bar on your screen, right-click it, and then, click Settings.
    • Click “Network and Internet.”
    • Select “WiFi and Ethernet” in the left-hand menu, depending on which you are connected to. It is likely you are connected to WiFi.
    • Click “Network” in the center column, and find the “IPv4 address” entry.  
  • Mac: Apple’s identity management allows users to sign into Apple ID, Managed Apple ID, iCloud, iMessage, or FaceTime, allowing for seamless, secure communication between users, document creation and storage, and personal data backups. Apple not only provides secure identity authorization and authentication across its own programs and devices, but it has also created identity federation partnerships with organizations like Microsoft to ensure secure data transmission, access, and storage between systems. To find your Mac IP address:
    • Pull down the Apple menu and select “System Preferences.”
    • Pull down the View menu, and select “Network” (or double-click the Network icon).
    • In the left column, click the network connection (either Ethernet or WiFi, although you are probably on WiFi).
    • For WiFi, click “Advanced” in the lower right corner, then “TCP/IP” in the top of the window.  

Where identity proofing is implemented

With more businesses conducting important meetings or transactions online, identity proofing is more vital for security than ever. You likely need strong identity proofing infrastructure for these things: 

  • Banking and third-party payment apps
  • Telemedicine, therapy, and health care apps
  • Job applications and candidates within your HR system
  • School from primary to tertiary education
  • Any eCommerce application
  • Travel documents

Identity proofing businesses & the future of identity proofing

The importance of digital IDs will likely continue to grow, so it is important to get strong identity proofing for your business now. Governments are already trying to break away from physical forms of identification. For example, Canada has created the Digital Identification and Authentication Council of Canada (DIACC) to develop a digital identity infrastructure for the nation. The United Kingdom is using biometrics data for ID cards that includes a certain level of digital identity proofing. Although decentralized identity models and more behavioral-based models might replace identification that is based on physical information like fingerprints, pictures, signatures, and numbers, it is important to have a strong security system that can identify your users, from employees to customers, quickly and securely. Learn how Okta can help you enable identity proofing to improve identity confidence and approve access for authorized individuals. Contact us to get a personalized demo.

References

The 10 Biggest Data Breaches of 2021 (So Far). (July 2021). CRN.

Most Companies Take Over Six Months to Detect Data Breaches. (May 2015). ZDNet.

How to Prove and Verify Someone’s Identity. (February 2021). Government of the United Kingdom (Gov.uk).

Identity Proofing. Experian.

Consumer Sentinel Network Data Book 2020. (February 2021). US Federal Trade Commission (FTC).

Pandemic Proves to be Fertile Ground for Identity Thieves. (February 2021). AARP.

How Can IP Address Verification Help Prevent Fraud? Fraud.

Verify Once, Use Everywhere. Microsoft Security.

Intro to Identity Management. Apple.

The Future of Identity: Looking Ahead to the 2020s. (March 2020). Forbes.