Move Past Secrets to Real Identity Verification
Before the rise of social media sharing, little-known facts about our lives were widely used to authenticate us before we were granted access to sensitive information. For example, someone who called a retail bank to check a balance or question a fee on her demand deposit account (DDA) would provide identifying information for herself and her account, and would then be asked a question "for security purposes." Quite often the question was, "What was your mother's maiden name?" This is a "shared secret" model of authentication: the caller had earlier provided a little-known fact about herself to the bank, and the bank used that fact to confirm that the caller was who she claimed to be.
Over time, as more organizations used the same facts in different contexts, these "shared secrets" became much less secret. In response, security questions expanded to cover more, and more varied, facts: "Who is your favorite historical figure?" "Where was your father born?" "What was the make of your first car?", with the answers supplied in advance by the account holder. Questions of this kind are still used by many organizations to authenticate sensitive transactions such as password resets on e-mail accounts.
Now, with the proliferation of social networks, genealogy sites, blogs, and other venues where people disclose personal information in ever more contexts, there are far fewer genuine secrets than there used to be. Secret questions are no longer good enough as the sole means of protecting sensitive information; something more is required. That something can be dynamic knowledge-based authentication (KBA), or a one-time passcode that is issued to a particular individual and has a limited lifetime.
Such a passcode is randomly or pseudo-randomly generated, so it contains no information about the individual and has no connection to any such information. As a result, one-time passcodes can be used for authentication as often as needed without increasing the chance that a later authentication will be weakened by data disclosed in an earlier one: a code that has already been used or has expired tells an attacker nothing about the next one. Of course, nothing is infallible, particularly in information security; a passcode is only as safe as the channel that delivers it and the process that issued it, so it does not remove the need for sound identity proofing. Identity verification works best when dynamic KBA is used for identity proofing at the time a credential is issued and a one-time passcode then authenticates the holder of that credential in the transactions that follow. This strategy minimizes the disclosure of "secret" information and increases its usefulness for verifying identity in sensitive environments.
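To make the properties described above concrete, here is an added example of a one-time passcode issuer and verifier. It is illustrative code written for this page, not code from the original post or from any vendor's product; the class and function names (`OtpService`, `issue`, `verify`, `demo`), the six-digit format, the five-minute lifetime and the five-attempt limit are all assumptions chosen for the example. The code is drawn from the operating system's cryptographic random source, so it carries no information about the user; it is bound to one user, expires, is consumed on first successful use, and is compared in constant time so a failed guess leaks nothing about the code it was compared against.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the original page).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class _Issued:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies single-use, time-limited passcodes keyed by user id."""

    def __init__(self, ttl=OTP_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._clock = clock            # injectable so expiry can be exercised offline
        self._pending: dict[str, _Issued] = {}

    def issue(self, user_id: str) -> str:
        # secrets.randbelow draws from the OS CSPRNG: the code is independent of
        # everything known about the user, unlike a "mother's maiden name" answer.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = _Issued(code=code, expires_at=self._clock() + self._ttl)
        # In a real deployment the code goes out of band (SMS, e-mail, push) and is
        # never returned to the caller; it is returned here only so the example runs.
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        issued = self._pending.get(user_id)
        if issued is None:
            return False                       # nothing outstanding for this user
        if self._clock() > issued.expires_at:
            del self._pending[user_id]         # limited lifetime: expired codes are discarded
            return False
        issued.attempts += 1
        if issued.attempts > self._max_attempts:
            del self._pending[user_id]         # too many guesses: burn the code, force re-issue
            return False
        # Constant-time comparison: a wrong guess reveals nothing about which digits matched.
        ok = hmac.compare_digest(issued.code.encode(), submitted.encode())
        if ok:
            del self._pending[user_id]         # single use: a replayed code is rejected
        return ok


def demo() -> dict:
    """Exercise each property with a fake clock so the run is deterministic and offline."""
    now = [1_000_000.0]
    svc = OtpService(clock=lambda: now[0])
    results = {}

    code = svc.issue("alice")
    results["wrong_code"] = svc.verify("alice", "000000" if code != "000000" else "000001")
    results["right_code"] = svc.verify("alice", code)
    results["replay"] = svc.verify("alice", code)          # same code a second time

    code2 = svc.issue("alice")
    now[0] += OTP_TTL_SECONDS + 1                          # advance past the lifetime
    results["expired"] = svc.verify("alice", code2)

    code3 = svc.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "wrong!")                      # five bad guesses
    results["after_lockout"] = svc.verify("alice", code3)  # correct code no longer accepted
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>14}: {'accepted' if accepted else 'rejected'}")
```

Note that the verifier stores the code server-side and deletes it on success, expiry or lockout; nothing about the code is derived from the user's profile, which is exactly why reusing the scheme for every login does not erode its strength the way repeated use of the same security questions does. The delivery channel is the remaining weak point, and that is what the identity-proofing step at credential issuance has to cover.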
If you want to learn more about identity proofing and other fraud prevention solutions, let us know.