Tag: NIST

Across all levels of government, we are seeing a surge in digital modernization — transforming the delivery of traditional services into a contactless, digital environment. Whether it is with the Social Security Administration’s digital modernization effort, the state of California’s Vision 2023, or even at the local level with counties modernizing digital access to records for their citizens. This comes at a time when identity fraud in government services is growing at an alarming rate, with an increase of over 2,900 percent related to government benefits or document fraud in 2020 according to the FTC. A key challenge for any agency planning digital modernization is balancing access with security. This is particularly critical in an environment where over 1 billion records were exposed over a recent five-year span. Given the U.S. population is currently about 330 million, that means each citizen had an average of three breach exposures. Therefore, identity proofing must be a critical part of any agency modernization effort. National Institute of Standards and Technology Special Publication (NIST SP) 800-63 revision 3 lays out a risk assessment to help organizations determine the appropriate level of security to apply based on six areas of impact. However, identity proofing a new citizen through digital channels requires significant friction at levels above Identity Assurance Level 1 (IAL1). The stringent requirement for a biometric match in this standard at IAL2 presents a real challenge to the balance mentioned above, which has led agencies to seek alternatives that both combat the risk of fraud and identity theft and are operationally sound. Experian has been supporting the private sector in this endeavor for years, helping them effectively manage identity theft and fraud concerns while allowing seamless access to services for the vast majority of their consumers. This risk-based approach through our CrossCore® platform and multitude of options to identify and combat fraud allows agencies to deliver the security and accessibility expected by their citizens. CrossCore allows agencies to verify and identify citizens using multiple data points: Traditional personally identifiable information (name, address, Social Security number, date of birth) Email Phone number Device identification Biometrics CrossCore can instantly take the risk information from these risk signals above and initiate additional verification where there is a higher risk of identity theft or fraud, including knowledge-based verification (KBV), one-time passcode (OTP) to a trusted phone number linked to the identity being presented, or even remotely verifying identity documents (e.g., driver’s license, passport, etc.) through our new CrossCore Doc Capture solution. Just recently, Experian helped a state lottery agency implement an efficient identity proofing system to enable digital redemption of winning tickets, saving both the government and the citizens time and money. Experian’s identity, verification, and fraud solutions can help government agencies of all sizes on their journey to digital modernization. To learn more about the options available to your agency, visit us or request a call. CrossCore Doc Capture

Whenever someone checks in for a flight, airport security needs to establish their identity. Prior to boarding the plane, passengers are required to show a government-issued ID. Agents check IDs for validity and compare the ID picture to the face of the person standing in front of them. This identity proofing is about making sure that would-be flyers really are who they claim to be. But what about online identity proofing? That’s much more challenging. Online banks certainly want to make sure they know a person’s identity before giving them access to their account. But for other online services, it’s fine to remain anonymous. The amount of risk involved in the engagement directly ties to the amount of verification and assurance needed for the individual. Government agencies care very much about identity. They won’t — and shouldn’t — issue a tax refund, provide a driver’s license or allow someone to sign up for Social Security benefits before they’re certain that the claimant’s identity is verified. Since we increasingly expect the same online user experience from government service providers as from online banks, hotel websites and retailers, this poses a challenge. How do government agencies establish a sufficient level of assurance for an online identity without sending their customers to a government office for face-to-face identity verification? To answer this challenge, the National Institute of Standards and Technology (NIST) has developed Digital Identity Guidelines. In its latest publication, SP 800-63-3, NIST helps government agencies implement their digital services while still mitigating the identity risks that come with online service provision. The ability to safely sign up, transact and interact with a government agency online has many benefits. Applying for something like unemployment insurance online is faster, cheaper and more convenient than using paper and waiting in line at a government field office. And for government agencies themselves, providing online services means that they can improve customer satisfaction levels while reducing their costs and subsequent bureaucracy. CrossCore®, was recently recognized by the independent Kantara Initiative for its conformance with NIST’s Digital Identity Guidelines for Identity Assurance (IAL2). Our document verification solution combines authoritative sources, machine learning and facial recognition technology to identify people accurately using photo-based government identification like a driver’s license or passport. The best part? Users can verify their identity in about 60 seconds, at whatever location they prefer, using their personal smartphone.

June 2018 will mark the one-year anniversary of the National Institute of Standards and Technology (NIST) release of Special Publication 800-63-3, Digital Identity Guidelines. While federal agencies are the most directly impacted, this guidance signals a seismic shift in identity proofing across the entire ecosystem of consumers, private sector businesses and public sector agencies. It’s the clearest claim I’ve seen to date that traditional, and rather basic, personally identifiable information (PII) verification should no longer be trusted for remote user interaction. For those of us in the fraud and identity space, this isn’t a new revelation, but one we as an industry have been dealing with for years. As the data breach floodgates continue to be pushed further open, PII is a commodity for the fraudsters, evident in PII prices on the dark web, which are often lower than your favorite latte. Identity-related schemes have increased due to fraud attacks shifting away from card compromise (due to the U.S. rollout of chip-and-signature cards), double-digit growth in online and mobile consumer channels, and high-profile fraud events within both the public and private sector. It’s no shock that NIST has taken a sledgehammer to previous guidance around identity proofing and replaced it with an aggressive and rather challenging set of requirements seemingly founded in the assumption that all PII (names, addresses, dates of birth, Social Security numbers, etc.) is either compromised or easily can be compromised in the future. So where does this leave us? I applaud the pragmatic approach to the new NIST standards and consider it a signal to all of us in the identity marketplace. It’s aggressive and aspirational in raising the bar in identity proofing and management. I welcome the challenge in serving our public sector clients, as we have done for nearly a decade. Our innovative approach to layered levels of identity verification, validation, risk assessment and monitoring adhere to the recommendations of the new NIST standards. I do, however, recommend that any institution applying these standards to their own processes and applications ensure they place equal focus on comparable alternatives for those addressable populations and users who are likely to either opt out of, or fail, initial verification steps stringently aligned with the new requirements. While too early to accurately forecast, it’s relatively safe to assume that the percentage of the population “falling out of the process” may easily be counted in the double digits. It’s only through advanced analytics and technology reliant on a significant breadth and depth of identity data and observations that we can provide trust and confidence across such a diverse population in age, demographics, expectations and access.