Aflac, the brand known for its quacking duck and supplemental health insurance, is a winner of the 2024 CSO Award for its “Quackcess Granted” passkey authentication initiative using Transmit...
In the digital era, everyone uses cloud technologies. Employees use them for remote work. Contractors use them to meet contractual obligations. Customers use them for better experiences. All these changes have permanently shifted the perimeter to focus on identity.
Malicious actors know that companies struggle with user authentication, changing their tactics to leverage this attack vector. For example, the Verizon 2021 Data Breach Investigations Report noted that the top two attack action varieties were phishing and use of stolen credentials. To maintain a robust security posture, companies need to protect themselves at the identity perimeter.
Even more disconcerting, it’s not always just a matter of protecting sensitive information. Connectivity also means that it’s easier for criminals to steal identities and engage in online fraud. The statistics here don’t look any better than the cybersecurity ones, either. According to the Federal Trade Commission, the agency received 2.8 million fraud reports from consumers in 2021 totaling more than $5.8 billion in losses.
Whether to protect your company or your customers, identity proofing is a way to verify and authenticate legitimate users to secure data and mitigate fraud risk.
What is identity proofing?
The identity proofing process aggregates information about an individual’s actual identity to verify their digital identity as a way to mitigate security and fraud risks. Identity proofing solutions aggregate transaction evidence from public and proprietary data sources that can include:
Historically, identity proofing is nothing new. Passports have been around since the Middle Ages, and social security cards were first created during the Great Depression. Validating and verifying identities has been a regular practice for governments and businesses for a long time.
In today’s cloud-connected world, cybercriminals increasingly attempt to gain unauthorized access to systems and networks using user credentials. Today, criminals use brute force attacks and dictionary attacks, targeting weak passwords. They have also increased their use of phishing attacks as a way to steal credentials. These attacks place sensitive data at risk, especially when combined with lateral movement across networks.
Importance of improved identity proofing
Traditional identity proofing required someone to provide documentation in person. For example, most people are familiar with proving a government identification, in person, when:
Onboarding at a new job
Opening a bank account
In a digital world, organizations need technologies that enable remote identity proofing. For example, remote hires may not be able to travel to corporate offices, and customers want to open accounts online.
Remote identity proofing technologies give companies a way to confirm people’s identity attributes, mitigating the risk of false identity verification. Identity proofing service providers can:
digitize paper documents using a device’s camera
check this information to validate the source’s reliability
confirm authenticity
ensure data integrity and quality.
Finally, they bind the evidence provided relates to a unique person to ensure that the individual is who they say they are. Remote identity proofing technologies give companies a way to protect themselves, their employees, and their customers from fraud.
The cost of identity fraud
Over the last few years, identity fraud has become a larger proportion of fraud losses than ever before.
Banking
The banking industry has dealt with identity fraud for a long time. Stolen credit cards are nothing new to the industry. However, new banking and lending models are changing the impact.
According to research from LexisNexis Risk Solutions, identity verification is a top challenge for the industry across the entire customer journey. In 2021, Identity-related fraud accounted for:
35% of US financial services institution losses during the distribution of funds stage
34% of US financial services institution losses from account takeover
31% of US financial services institution losses at the point of new account creation
35% of US lending institution losses during the distribution of funds
35% of US lending institution losses from account takeover
30% of US lending institution losses at the point of new account creation
Most notably, US lending institutions saw a 6% increase in identity fraud at the point of new account creation.
Retail and e-commerce
With people purchasing more items through online platforms and using contactless payment systems, identity fraud has increased significantly.
According to research from LexisNexis Risk Solutions, identity fraud in 2021 accounted for:
25% of U.S retail losses
31% of U.S e-commerce losses
However, that’s not all. The research found that identity-related fraud occurred across:
Point of sale
Account takeover
Point of new account creation
Employee identity fraud
Cybercriminals have been stealing employee identities to perpetrate unemployment fraud. Over the last year, state unemployment insurance agencies have seen an uptick in fraudulent claims. The U.S Department of Labor estimated losses of more than $87 billion, most due to organized crime rings stealing data and applying for benefits in other people’s names.
While a company will be reimbursed, it still needs to detect that a filing has been made on behalf of a current employee and file the appropriate paperwork. Managing a fraudulent claim can be time-consuming, including:
Sending in an initial claim form
Responding to a fact-finding questionnaire
Continuing to receive ongoing, automatically generated paperwork from the original fraudulent claim
What does identity proofing look like in practice?
In practice, identity proofing is creating built-in layers of protection across authentication points.
Collecting and corroborating information
Many applications use self-registration, requiring only an email address or phone number. Since this information is easy for cybercriminals to steal or fake, identity proofing should include the collection of personally identifiable information (PII) and corroborate that data.
Password managers
Password managers make it easier for users to create a unique, secure password for each sign-in location, whether that’s an application, single sign-on, or network.
Multi-factor authentication (MFA)
MFA means using a combination of all three of the following:
Something you know (a password)
Something you have (a token, smartphone, or laptop)
Something you are (a biometric like fingerprint or face ID)
Registering users in a way that uses their device’s biometric reader to generate a private key
Verifying users by unlocking the private key using the biometric reader
By combining the “something you own” with the “something you are” when a user authenticates to the application, passwordless solutions eliminate the end-user frustration and security issues associated with things like:
Regulatory compliance mandates increasingly focus on identity and access management (IAM). Whether as part of privacy, security, or non-technology-focused mandates, identity proofing is critical to compliance for all organizations managing personally identifiable information (PII).
It’s important to understand where identity fraud, cybersecurity, and privacy connect to one another. Both security and privacy laws require that organizations prevent unauthorized access to sensitive data. Unauthorized access includes security incidents like brute force or stolen credential attacks. Even though these may not have traditionally been considered fraud, they are someone pretending to be another person to access information and systems.
For example, the following requirements highlight the ways in which fraud, identity proofing, cybersecurity, and privacy overlap:
Executive Order 14028 “Improving the Nation’s Cybersecurity”: requires MFA implementations for all federal agencies which is a way to authenticate and validate users.
General Data Protection Regulation (GDPR): limiting access to PII from both internal and external users who should not be able to access it which includes cyber attacks like credential theft
Bank Secrecy Act: establishing and maintaining customer due diligence policies and documentation which becomes more difficult as financial institutions collect this information digitally
While none of these use identity proofing specifically, they all lead back to the same place. Ultimately,
An organization needs to verify that users or customers are who they say they are, both digitally and physically, to maintain a compliant posture.
The National Institute of Technology (NIST) Special Publication (SP) 800-63-3A Digital Identity Guidelines: Enrollment and Identity Proofing, outline three different Identity Assurance Levels (IALs):
IAL1: no requirement to link applicant to a real-life identity
IAL2: evidence supporting real-world existence of claimed identity verifying that the applicant is associated with it
IAL3: requiring physical presence to verify identifying attributes
For appropriate identity proofing, organizations usually follow this flow:
Resolution: Collecting core attributes and evidence, supplied by the individual and proving that they are unique within the population or context
Validation: Validating the supplied evidence, ensuring authenticity, validity, and accuracy of information
Verification: Verifying evidence, linking claimed and real-life existence
Automating identity proofing
Identity proofing is a challenge for most organizations. In some cases, like when onboarding employees, the sheer amount of documents that the organization needs to store and maintain can be overwhelming. In other cases, like with consumer apps, companies are unable to collect this information at all.
Identity proofing services automate these processes, giving all organizations a scalable approach to ensuring that users really are who they say they are. Passwordless technologies verify users by combining their biometric information and devices so that when they access an app or website, the device uses the private key to eliminate fraud.
Transmit Security gives organizations a way to establish a passwordless experience for customers that reduces churn, with a seamless, omni-channel identity experience. Our CIAM platform applies these same functions for employees so that they have an effortless, secure workstation login to secure remote work. With identity as the perimeter, Transmit Security’s innovative technology reduces the security, privacy, and fraud risks associated with weak passwords.
A self-professed technology geek, content writer Alex Brown is the kind of person who actually reads the manual that comes with his smartphone from cover to cover. His experience evangelizing for the latest and greatest tech solutions gives him an energized perspective on the latest trends in the authentication industry. Alex most recently led the content team at Boston-based tech company Form.com.