The Office of Management and Budget (OMB) guidance, E-Authentication Guidance for Federal Agencies, promotes risk-based authentication by defining four progressive levels of authentication assurance in terms of "the consequences of the authentication errors and misuse of credentials" or, put plainly, "what is the worst that can happen if a bad guy gains credentialed access?"[1] Combining two perspectives on risk, "What is the worst that can happen?" and "How likely is it that this individual is who he or she claims to be, and is not himself or herself a victim of identity theft?", yields a tiered approach that pairs each level of assurance with the identity proofing techniques and technologies appropriate to it. The OMB guidance is further elaborated by the National Institute of Standards and Technology (NIST) in Special Publication 800-63, which defines electronic authentication (e-authentication) as "the process of establishing confidence in user identities electronically presented to an information system."[2]
This risk-based authentication guidance is an encouraging evolution from earlier compliance-oriented authentication requirements such as the USA PATRIOT Act and the FACTA Red Flags Rule, under which the resulting processes hinge heavily on validating and verifying identity elements (e.g., name, address, Social Security number, date of birth and phone number). Without minimizing the importance of those checks, the purpose of a more risk-based approach is to draw on additional, more predictive data sources and quantitative techniques to better estimate the probability of fraud while reducing both false positives (genuine customers wrongly rejected) and false negatives (fraudulent applicants wrongly accepted).
This approach allows institutions to balance the following business drivers and often opposing forces associated with them:
Risk-based authentication is widely adopted as a best practice in account opening and account management processes in markets such as credit card issuance, personal lending, demand deposit accounts (DDAs) and mortgage lending. It continues to gain momentum and acceptance in markets such as e-commerce, health care, automotive lending, telecommunications and utilities, and now, clearly, government services.
It is important to note that while the OMB and NIST guidelines are currently aimed at government agencies and their service providers, private-sector institutions should take notice that the same lens may soon be applied to their own operational processes.
It is for this purpose that Experian and Symantec are working together to provide a comprehensive suite of identity proofing and authentication services that address NIST's Electronic Authentication Guideline (Special Publication 800-63), which sets out technical requirements for each of four authentication levels of assurance, intended to parallel corresponding levels of transactional risk.
[1] OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, Dec. 16, 2003. (Note: M-04-04 was later rescinded by OMB Memorandum M-19-17, May 21, 2019.)
[2] National Institute of Standards and Technology, Special Publication 800-63, Electronic Authentication Guideline. (Note: the single level-of-assurance model cited here was replaced in SP 800-63-3, June 2017, by separate identity, authenticator and federation assurance levels.)
Contact your Experian account executive or call 1 888 414 1120 for more information.