Context-based Identity Proofing
What is identity? Is your identity created when you register for school and build an academic record…in kindergarten, seventh grade, high school? What about your identity when you get your drivers permit? Do you tie your identity to your first bank accounts, your employment, your social networking? Thinking about these questions brings to mind that what makes identity useful depends on why the identity is needed. Additionally, the context and the level of risk associated with the wrong person getting to the data or systems being protected determine the appropriate level of verifying that an identity is real and tying it to a particular individual, i.e., identity proofing.
Context-based identity proofing acknowledges how an identity will be used and is tailored to meet the levels of risk associated with the identity and the transaction. It builds from existing levels of trust already established within an industry vertical or a group within a circle of trust.
To conduct a remote identity proofing using context, an organization needs:
- Basic biographic information – This information is used to resolve identity or create a unique identity – typically it should be: name, address, date of birth, and, in some cases, an additional identifier like a Social Security number. This information should not be assumed to be secret; it isn’t. However, it does establish uniqueness to drive the next steps of the process.
- Knowledge-Based Authentication – This is the information used to reduce the risk that the person on the other end of the transaction is falsely claiming the identity, and includes demographic, financial, or other personal information from the individual’s life. There is certainly risk in using this data, as by definition, it is known by somebody and aggregated somewhere. Risk is reduced by maximizing the diversity of the data sources and the types of questions presented.
- Context-based Authentication – This is the information that is specific to the context of the enterprise using the identity. It can be derived from health history, banking history, or service history with the particular enterprise. The information is usually contained within the enterprise, but also might be held or tracked as part of the industry (insurance, real estate, etc).
In a context-based identity proofing scheme, when a person—Joe Smith—calls a taxation agency on the telephone to ask for information related to his tax return, the representative on the phone will ask a few questions to ascertain if Joe Smith is the person the representative is reviewing in her system. She may ask for an address, date of birth, and also specific questions about the context, such as adjusted gross income for the prior year. If the caller answers the questions correctly, the agency will provide personal and sensitive tax information about Joe Smith to the person on the phone.
Several people may legitimately have all the information used to proof the identity of Joe Smith in this context—his spouse, accountant, banker, loan officer. In this situation, someone who attempts to impersonate Joe Smith may have the data in order to do so, but only within a limited context and therefore their access is limited only to things to which they already have contextual knowledge. Nevertheless, the number of people who may be expected to know this information is much smaller than the number of people who might be expected to know the information in public databases.
A fraudster who gets access to financial information about Joe Smith would not be able to contact a healthcare provider and get Joe’s sensitive healthcare information because they would not have the contextual knowledge used to proof the identity within the healthcare context. And the reverse is true as well; someone with information from his medical records to get access to his bank account, even though he or she knows basic biographical data about Joe.
The combination of biographical data, general KBA, and the specific context-based knowledge limits the number of people who have all the necessary information, and hampers those who are maliciously trying to gain access to another’s identity. Context-based identity proofing can be another risk management tool for the enterprise. The processes of establishing initial trust with an individual – whether face-to-face or electronically – is complex and depends upon the acceptance of risks that are impossible to fully mitigate in today’s society.
Recommended For You
Online consumers can make their purchase with various payment options, like credit card, Apple Pay or PayPal. As a result, […]
As an HR professional, it’s your priority to protect employee data. You may not realize it, but responding to employment […]
The CERCA Spring Conference, held on May 16, capped a broadly successful 2018 filing season that saw tax identity theft reduced by […]
Fraudulent account activity and identity fraud are both significant drains to today’s business resources. In the era of online and mobile commerce, […]