By Dr. Sarbari Gupta, CEO, Electrosoft, Inc.
During the pandemic, many citizen-facing government services abruptly transitioned to online portals. The move enabled citizens to continue receiving medical, housing, educational and other benefits – with government personnel virtually supporting benefit delivery – all from the safety of their homes. Yet remote identity verification proved challenging. And it created an environment ripe for fraudsters.
Typically, remote identity verification requires the applicant to provide personal information (date of birth, last four digits of their Social Security number, address, etc.) and/or answer a series of questions regarding their personal life history to prove their identity. The latter type of approach is often called “knowledge-based verification” or KBV.
However, with the current state of the public internet and the dark web, personal information is easily accessible. So, it’s not difficult to masquerade as someone else over an online connection to a government service portal by successfully navigating the KBV questions and application forms with the necessary information.
Government is left to balance the need for strong identity proofing for online applicants with the cost, ease of use, accessibility and inclusion of citizens. Here are seven challenges – and possible resolutions – for government.
Online portals only use KBV techniques to verify the identity claimed by the applicant. Such portals are easy for fraudsters to penetrate.
- Supplement KBV techniques with the upload of identity documents, such as driver’s license, passport, voter ID card – validated by the government agencies – to raise the bar for possible fraudsters.
Online portals require applicants to submit photos of their driver’s license. Firstly, obtaining a fake license is easy. College kids have done this for decades! It’s even easier to falsify an electronic image of a license.
- Use online services such as the Driver’s License Data Verification Service offered by the American Association of Motor Vehicle Administrators, which allow government agencies to look up the submitted license number to confirm related details. This approach makes it easy to spot fake licenses for fictitious persons.
- Add a live capture photo or video of the applicant to the identity-proofing process and compare with the license through facial recognition technology.
For the determined, it’s possible to spoof a live photo or video capture using a well-made mask or using deepfake technologies.
- Employ liveness detection technologies for facial image live capture scenarios to detect whether the facial image is from a living human being at the time of verification.
Fraudsters thrive in an environment where benefits applications are submitted and fulfilled rapidly through online mechanisms only.
- Add an address verification step to a confirmed physical address (not email address) of record, such as a mailing to a residential address or sending a message to a mobile phone number registered in the person’s name. This raises the security bar for fraudsters, making the attempt more difficult and less tempting.
Many citizens who need government benefits are from disadvantaged circumstances and may not have a home address, credit history or bank accounts. Applicants may not have access to computers or the ability to operate them. It is very difficult to verify identities of such persons through purely online mechanisms. Yet, government agencies must be inclusive across populations and provide access to all without lowering the security bar.
- Provide alternative pathways to undergo strong identity verification through the use of trusted intermediaries, such as notaries, local registrars and identity proofing of parents or caregivers of minor recipients.
- Offer in-person registration events with government personnel or intermediaries who can physically inspect the required documents and information.
Identity verification solutions can be difficult and expensive. Government organizations often implement their own solutions as they stand up and refine their online portals for services.
- Leverage existing identity verification solutions such as Login.gov, run by the General Services Administration, and other commercial solutions with similar services.
- Use identity federation technologies such as Security Assertion Markup Language, or SAML, rather than building their own identity verification solution. Such solutions need to be standards-based and offer interoperable integration options for agency applications.
Each government agency that collects, stores and processes personally identifiable information (PII) also has a responsibility to protect that PII and maintain the privacy of applicants. Applicants are frequently unwilling to provide personal information through online portals for fear of privacy compromise.
- Implement transparency, recourse and consent mechanisms that allow applicants the ability to view, flag and request corrections to the PII gathered against their name.
- Provide applicants the ability to explicitly consent to any sharing of their PII with other organizations.
The National Institute of Standards and Technology (NIST) Special Publication 800-63 provides guidelines for digital identity authentication systems and is mandatory for federal agencies. The requirements in SP 800-63, if implemented correctly, provide a strong level of defense against online identity fraud.
Whether performed in person or online, identity proofing is a challenging activity. By thinking – and acting – differently in the face of the key challenges outlined above, government agencies can implement strong identity verification mechanisms without compromising accessibility, ease of use and cost-effectiveness for citizens.
Dr. Sarbari Gupta leads one of the fastest-growing government IT services companies in the Washington, D.C. area. Her extensive experience spans software development and professional services in cybersecurity, risk management, privacy and cryptographic solutions. She is a frequent international speaker and has authored over 20 technical papers/presentations. Dr. Gupta has also co-authored multiple NIST Special Publications in Electronic Authentication, Security Configuration Management and Mobile Credentials. Dr. Gupta holds four patents in cryptography.