Creating new accounts on websites is so simple a bot can do it. It is so easy for anyone or anything to impersonate someone else that organizations need a surefire way to determine that the user behind the account is who they claim to be.
Tying an account to a specific person may not seem important when signing up for Twitter, but what about for the IRS website? The agency needs to be sure it is interacting with the genuine person before depositing refunds into their bank account.
One way companies can verify users is a process known as digital identity proofing. This approach, for which NIST released guidelines, provides a higher confidence that the correct person created the account and is accessing it.
What is identity proofing?
Identity proofing enables users to verify they are who they say they are by answering knowledge-based questions, providing physical documentation and taking a video or image. The authentication method is most often employed during account creation. Once the account owner is verified, the user authenticates through traditional methods, such as passwords, two-factor or biometrics, to log in. Identity proofing may also be used after an account has been created if the organization determines a transaction or activity is suspicious or risky.
Knowledge-based questions may include the user confirming one or multiple previous addresses or their mother's maiden name. This information, however, isn't difficult for attackers to collect and use.
"Someone hacks one site for your date of birth, then gets your name and address from another and then your Social Security number and credit report from a third site," said Jack Poller, analyst at Enterprise Strategy Group, a division of TechTarget. "It becomes harder and harder to use these hidden pieces of information for identity proofing."
To combat this, digital identity proofing combines knowledge-based authentication with stronger verification methods using physical documentation. For example, users may be asked to fax or email documents such as utility bills or their passport.
The third verification method involves users recording a video or sharing an image of themselves. For example, users may need to appear live on camera during the identity proofing process or upload a selfie. Products have different methods of determining the legitimacy of images or videos. Some have users perform simple actions, such as lifting a hand or turning their face a certain direction, while other products may flash colored lights to see reactions, Gartner analyst Jonathan Care said.
Where to use identity proofing
Digital identity proofing isn't ideal for all authentication situations -- at least not yet.
"There's the old concept in security that you only put a lock strong enough to protect the value of the assets you're protecting," Poller said. "You don't use a $10,000 padlock to protect a piggy bank with $5 in it."
Today, identity proofing works best for employees and customers during initial account setup and account recovery. Finance and legal companies and government institutions are showing the most interest in identity proofing, Poller said, often due to compliance reasons and to combat fraud.
"Many countries say, if you're going to start offering financial services or to represent someone in a legal capacity, then you need to prove they are who they say they are," Care said.
Users may also experience identity proofing should they attempt to do something unusual or inherently riskier.
"If I'm doing something that requires a trust elevation, proofing may be deployed," Care said. "For example, if I'm applying for a mortgage or signing off on a purchase order. There are advantages to proving that this is really the right person."
Identity proofing also helps companies onboard new employees remotely, as well as those that have third-party employees or contractors accessing company networks or data.
Identity proofing concerns
One major concern is identity proofing isn't yet mature. Companies have hurdles to clear before wider acceptance is possible.
First, the current process is friction-filled for users. Providing documents and following commands live on camera can be tedious.
Additionally, digital identity proofing requires users to provide private information upfront before the organizations requiring the info have "earned the right to ask for that," Care said. This creates many concerns: The company asking for the private information hasn't necessarily proved it should have that data in the first place, and there's also the question of what the company does with that data. Does it destroy the data? Keep it? If so, where is it stored, and how secure is it?
Another concern is vendors or companies may have wider access to data, including biometrics from facial recognition software or fingerprint scanners. Data privacy also is a hot-button issue when it comes to identity proofing. In one example, the IRS announced in late 2021 that taxpayers needed to create an account with the vendor ID.me before applying for certain agency services. Criticism focused on the collection of biometric data resulted in the IRS allowing taxpayers to access accounts without it; ID.me remains available for taxpayers who wish to use it.
Companies must address how to handle, secure and keep private the increase in personally identifiable information before adopting identity proofing.
Lastly, with a wide rollout of digital identity proofing, it is important to consider whether any customer population will be inconvenienced or unable to fulfill identity proofing methods.
"There are always people who are perfectly legitimate customers that may not use social media or have a credit report on file," said Andras Cser, analyst at Forrester. "Coverage for geographic and social groups is always a problem."
The future of identity proofing
Identity proofing products have been available for a few years from companies, including Okta, Acuant and Evident ID. Automated digital identity proofing products are also available to reduce the need for manual review and enable speedier approvals.
In the future, companies must reduce friction for users and create seamless UX. Care suggested using technologies end users are familiar with. For example, use Apple Wallet to verify users' identities instead of having them share documents. In the Apple Wallet app, users can add a driver's license or state ID. Integrating this with identity proofing could speed up the process.
Another option is to use machine-readable documents that have a smart chip. When the user presents the document to the camera, the software scans it and receives a digital certificate.
"This method is much harder to fake," Care said. "It's better than a picture of a photo in a passport. The digital certificate would be signed by a government authority."
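As an added illustration of the chip-based check Care describes (example code written for this article, not code from the article, ID.me or any vendor): a constructed Go model in which a government authority signs hashes of the document's data, and the proofing service accepts the document only if the signature verifies under the trusted authority key and the presented photo and machine-readable zone match the signed hashes. The authority key pair, document data and field layout are assumptions for the example; real ePassport verification checks an X.509 certificate chain rather than a raw key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authority models the government signing authority. Its public key is what a
// verifier must already trust; the key pair here is constructed for the example.
type Authority struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority() Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{Pub: pub, priv: priv}
}

// SignedDoc is the payload a chip hands over: hashes of the stored data (photo
// and machine-readable zone) plus the authority's signature over those hashes.
type SignedDoc struct {
	HashPhoto, HashMRZ [32]byte
	Sig                []byte
}

// signedMessage is the byte string the authority signs and the verifier checks.
func signedMessage(hp, hm [32]byte) []byte {
	return append(append(make([]byte, 0, 64), hp[:]...), hm[:]...)
}

// Issue is done once by the issuing authority when the document is personalised.
func (a Authority) Issue(photo, mrz []byte) SignedDoc {
	d := SignedDoc{HashPhoto: sha256.Sum256(photo), HashMRZ: sha256.Sum256(mrz)}
	d.Sig = ed25519.Sign(a.priv, signedMessage(d.HashPhoto, d.HashMRZ))
	return d
}

// VerifyDoc is the proofing service's check: signature under the trusted key,
// then presented data against the signed hashes, so a swapped photo or a
// document signed by an unknown key is rejected.
func VerifyDoc(trusted ed25519.PublicKey, d SignedDoc, photo, mrz []byte) bool {
	if !ed25519.Verify(trusted, signedMessage(d.HashPhoto, d.HashMRZ), d.Sig) {
		return false
	}
	return sha256.Sum256(photo) == d.HashPhoto && sha256.Sum256(mrz) == d.HashMRZ
}
```

A photo of a photo carries no such signature at all, which is the gap Care points to; the check above also catches a genuine signature re-used over substituted data.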
Due to a slow and cumbersome process, identity proofing isn't currently ideal for everyday authentication. That could change in the future, but for now, it is proving its worth during account creation verification.