What Is Identity Proofing?
Every day, we engage with an ever-growing number of applications and digital services—and each of them wants to know (and validate) that we are who we say we are. As companies try to combat the prevalence of large-scale data breaches, the adage ‘on the internet, nobody knows you’re a dog’ is losing its validity. In fact, it’s getting more and more difficult to access the tools you need without first proving your identity.
Data breaches can lead to identity theft and false claims or transactions—all of which are expensive and hard to repair. According to Javelin Study & Research, 2017 saw each person that suffered from an account takeover invest an average of $290 and 16 hours to resolve it. Security threats due to identity fraud are on the rise as the world becomes increasingly reliant on the cloud. In addition, a growing dependence on online financial transactions and social networks also means that more sensitive information is at risk if an account becomes compromised.
Traditionally, online identity has been managed with usernames, email addresses, and passwords. Today, the concept of a user identity is much more complex and involves layers of information and verification, including physical identification documents, knowledge-based security questions, biometrics, and more. Together, these layers of identity allow for organisations to implement verification and authentication practices—like identity proofing—to effectively secure users and their data.
What is identity proofing?
At its core, identity proofing is an approach for verifying and authenticating the identity of individuals accessing an application. It uses knowledge-based user attributes, document verification, wallet-based factors, ID verification, and national identity systems to confirm that a person logging in is who they say they are. This allows for users to self-verify, making for a secure authentication process that doesn’t compromise user experience.
What does identity proofing look like in practice?
The National Institute of Standards and Technology (NIST) has a comprehensive guideline document for validating a person’s identity. Here, they define three key components for matching a person’s claimed identity to their actual identity. While these terms are often used interchangeably, NIST sets them out as three distinct parts of the complete identity proofing process:
- Identity resolution: uniquely distinguishing a person’s identity in the context of the population or system.
- Identity validation: collecting evidence from the person and checking if it is authentic, valid, and accurate.
- Identity verification: confirming the individual is truly who they claim they are.
Contributing to the global identity proofing discussion, the UK government has similarly developed a guideline document that outlines five steps to be taken while validating and authenticating an identity:
- Strength: get evidence of the person’s identity in the form of documentation. Documents that are internationally recognised and have security features are considered stronger.
- Validity: confirm that the evidence provided is genuine.
- Activity: confirm that the identity has existed over time with bills or other records.
- Identity fraud: check if the identity is at risk of being fraudulent by checking a national fraud database or a similar source.
- Verification: verify that the identity belongs to the person claiming it. Knowledge-based tasks and questions can help with this step.
At the end of an identity proofing process, an organisation can be certain that the person’s claimed identity is unique, correct, and accurate—or not.
Why identity proofing is important
The process of identity proofing is critical to help organisations protect themselves—and their users—from existing security threats. For instance, by opting to validate an identity before issuing an account, or by incorporating an added layer of authentication at every login, organisations can ensure they’re only allowing trusted individuals to access their data.
Meanwhile, for instances where the user is trying to claim an account, reset a credential, enrol into an MFA solution, or access content or services designated for people above a certain age threshold, identity proofing can help validate the user’s age. The approach can also be used to verify identity in online transactions, e-commerce site registrations, and remote account access services, as well as establish accountabilities in large projects, and more.
Identity proofing as a “journey”
It’s worth noting that Identity verification is a “journey.” Throughout the user’s experience with your site or app, it’s prudent to prompt the user with different levels of identity checking depending on what they are trying to do.
For example, many consumer sites will offer discounts or store credit to new users who submit some basic contact information. If you are a gaming company, for example, you may want to offer some complimentary in-game currency to users making new accounts within your app. But you’d hate for players to cheat the system by making multiple dummy accounts to rake in a bunch of free in-game currency. This is where a low-level identity check comes in handy—to make sure that those “new” users really are new.
Further along in the user experience—perhaps when the user needs to reset their password—it’s important to implement a stronger identity check to ensure that the user really is who they claim to be.
By making identity proofing part of the user journey, your organisation can build a trust model around the user identity, empowering the user to make major account changes with reduced risk of user fraud.
Automating identity proofing: Where to start
For any system or website with a lot of access requests, manual identity proofing is hard to scale and can negatively impact the customer experience. If users have too many barriers to entry, it’s likely they’ll just abandon the website or application. This is why it’s important to implement a system in which users can self-verify their identity.
An identity proofing system can automatically gather information, inform downstream access and information systems, and trigger access approvals. This ultimately reduces the manual effort required and speeds up the process of performing secure digital transactions for the end user.
By implementing identity proofing, organisations can set themselves up to offer secure systems to their users and employees, making security a seamless part of accessing the tools they need. It’s another step in the path of protecting users from bad actors targeting weak identity and access management practices.