Identity Proofing

In the digital era, everyone uses cloud technologies. Employees use them for remote work. Contractors use them to meet contractual obligations. Customers use them for better experiences. All these changes have permanently shifted the perimeter to focus on identity.

Malicious actors know that companies struggle with user authentication, changing their tactics to leverage this attack vector. For example, the Verizon 2021 Data Breach Investigations Report noted that the top two attack action varieties were phishing and use of stolen credentials. To maintain a robust security posture, companies need to protect themselves at the identity perimeter.

Even more disconcerting, it’s not always just a matter of protecting sensitive information. Connectivity also means that it’s easier for criminals to steal identities and engage in online fraud. The statistics here don’t look any better than the cybersecurity ones, either. According to the Federal Trade Commission, the agency received 2.8 million fraud reports from consumers in 2021 totaling more than $5.8 billion in losses.

Whether to protect your company or your customers, identity proofing is a way to verify and authenticate legitimate users to secure data and mitigate fraud risk.

What is identity proofing?

The identity proofing process aggregates information about an individual’s actual identity to verify their digital identity as a way to mitigate security and fraud risks. Identity proofing solutions aggregate transaction evidence from public and proprietary data sources that can include:

• Personal documents
• User attributes
• Identity verification
• National identity systems
• IAM and CIAM solutions
• Wallet-based factors

As organizations adopt cloud-based solutions, they need continuous authentication as part of their cybersecurity initiatives.

Why identity proofing matters

Historically, identity proofing is nothing new. Passports have been around since the Middle Ages, and social security cards were first created during the Great Depression. Validating and verifying identities has been a regular practice for governments and businesses for a long time.

In today’s cloud-connected world, cybercriminals increasingly attempt to gain unauthorized access to systems and networks using user credentials. Today, criminals use brute force attacks and dictionary attacks, targeting weak passwords. They have also increased their use of phishing attacks as a way to steal credentials. These attacks place sensitive data at risk, especially when combined with lateral movement across networks.

Importance of improved identity proofing

Traditional identity proofing required someone to provide documentation in person. For example, most people are familiar with proving a government identification, in person, when:

• Onboarding at a new job
• Opening a bank account

In a digital world, organizations need technologies that enable remote identity proofing. For example, remote hires may not be able to travel to corporate offices, and customers want to open accounts online.

Remote identity proofing technologies give companies a way to confirm people’s identity attributes, mitigating the risk of false identity verification. Identity proofing service providers can:

• digitize paper documents using a device’s camera
• check this information to validate the source’s reliability
• confirm authenticity
• ensure data integrity and quality.

Finally, they bind the evidence provided relates to a unique person to ensure that the individual is who they say they are. Remote identity proofing technologies give companies a way to protect themselves, their employees, and their customers from fraud.

The cost of identity fraud

Over the last few years, identity fraud has become a larger proportion of fraud losses than ever before.

Banking

The banking industry has dealt with identity fraud for a long time. Stolen credit cards are nothing new to the industry. However, new banking and lending models are changing the impact.

According to research from LexisNexis Risk Solutions, identity verification is a top challenge for the industry across the entire customer journey. In 2021, Identity-related fraud accounted for:

• 35% of US financial services institution losses during the distribution of funds stage
• 34% of US financial services institution losses from account takeover
• 31% of US financial services institution losses at the point of new account creation
• 35% of US lending institution losses during the distribution of funds
• 35% of US lending institution losses from account takeover
• 30% of US lending institution losses at the point of new account creation

Most notably, US lending institutions saw a 6% increase in identity fraud at the point of new account creation.

Retail and e-commerce

With people purchasing more items through online platforms and using contactless payment systems, identity fraud has increased significantly.

According to research from LexisNexis Risk Solutions, identity fraud in 2021 accounted for:

• 25% of U.S retail losses
• 31% of U.S e-commerce losses

However, that’s not all. The research found that identity-related fraud occurred across:

• Point of sale
• Account takeover
• Point of new account creation

Employee identity fraud

Cybercriminals have been stealing employee identities to perpetrate unemployment fraud. Over the last year, state unemployment insurance agencies have seen an uptick in fraudulent claims. The U.S Department of Labor estimated losses of more than $87 billion, most due to organized crime rings stealing data and applying for benefits in other people’s names.

While a company will be reimbursed, it still needs to detect that a filing has been made on behalf of a current employee and file the appropriate paperwork. Managing a fraudulent claim can be time-consuming, including:

• Sending in an initial claim form
• Responding to a fact-finding questionnaire
• Continuing to receive ongoing, automatically generated paperwork from the original fraudulent claim

What does identity proofing look like in practice?

In practice, identity proofing is creating built-in layers of protection across authentication points.

Collecting and corroborating information

Many applications use self-registration, requiring only an email address or phone number. Since this information is easy for cybercriminals to steal or fake, identity proofing should include the collection of personally identifiable information (PII) and corroborate that data.

Password managers

Password managers make it easier for users to create a unique, secure password for each sign-in location, whether that’s an application, single sign-on, or network.

Multi-factor authentication (MFA)

MFA means using a combination of all three of the following:

• Something you know (a password)
• Something you have (a token, smartphone, or laptop)
• Something you are (a biometric like fingerprint or face ID)

Passwordless authentication

Passwordless authentication solutions take a multi-pronged approach to identity verification that includes:

• Registering users in a way that uses their device’s biometric reader to generate a private key
• Verifying users by unlocking the private key using the biometric reader

By combining the “something you own” with the “something you are” when a user authenticates to the application, passwordless solutions eliminate the end-user frustration and security issues associated with things like:

• One-time passcodes (OTP)
• Email magic links
• Authenticator apps

Regulations, compliance, and identity proofing

Regulatory compliance mandates increasingly focus on identity and access management (IAM). Whether as part of privacy, security, or non-technology-focused mandates, identity proofing is critical to compliance for all organizations managing personally identifiable information (PII).

It’s important to understand where identity fraud, cybersecurity, and privacy connect to one another. Both security and privacy laws require that organizations prevent unauthorized access to sensitive data. Unauthorized access includes security incidents like brute force or stolen credential attacks. Even though these may not have traditionally been considered fraud, they are someone pretending to be another person to access information and systems.

For example, the following requirements highlight the ways in which fraud, identity proofing, cybersecurity, and privacy overlap:

• Executive Order 14028 “Improving the Nation’s Cybersecurity”: requires MFA implementations for all federal agencies which is a way to authenticate and validate users.
• General Data Protection Regulation (GDPR): limiting access to PII from both internal and external users who should not be able to access it which includes cyber attacks like credential theft
• Bank Secrecy Act: establishing and maintaining customer due diligence policies and documentation which becomes more difficult as financial institutions collect this information digitally

While none of these use identity proofing specifically, they all lead back to the same place. Ultimately,

An organization needs to verify that users or customers are who they say they are, both digitally and physically, to maintain a compliant posture.

The National Institute of Technology (NIST) Special Publication (SP) 800-63-3A Digital Identity Guidelines: Enrollment and Identity Proofing, outline three different Identity Assurance Levels (IALs):

• IAL1: no requirement to link applicant to a real-life identity
• IAL2: evidence supporting real-world existence of claimed identity verifying that the applicant is associated with it
• IAL3: requiring physical presence to verify identifying attributes

For appropriate identity proofing, organizations usually follow this flow:

• Resolution: Collecting core attributes and evidence, supplied by the individual and proving that they are unique within the population or context
• Validation: Validating the supplied evidence, ensuring authenticity, validity, and accuracy of information
• Verification: Verifying evidence, linking claimed and real-life existence

Automating identity proofing

Identity proofing is a challenge for most organizations. In some cases, like when onboarding employees, the sheer amount of documents that the organization needs to store and maintain can be overwhelming. In other cases, like with consumer apps, companies are unable to collect this information at all. 

Identity proofing services automate these processes, giving all organizations a scalable approach to ensuring that users really are who they say they are. Passwordless technologies verify users by combining their biometric information and devices so that when they access an app or website, the device uses the private key to eliminate fraud.

Transmit Security gives organizations a way to establish a passwordless experience for customers that reduces churn, with a seamless, omni-channel identity experience. Our CIAM platform applies these same functions for employees so that they have an effortless, secure workstation login to secure remote work. With identity as the perimeter, Transmit Security’s innovative technology reduces the security, privacy, and fraud risks associated with weak passwords.