Written in collaboration with Kolin Whitley, Director of Fraud and Identity Solutions, Experian Public Sector
Picture a novice internet user logging on to a government portal for the first time. He’s using a desktop computer, and the process takes him a few minutes because he isn’t very tech-savvy. He also doesn’t have any details from prior interactions with the portal to verify his new user identity.
Now, picture a tech-savvy young professional accessing the same government portal, but for the 50th time. She’s an avid user of the online platform, and she accesses it from a variety of mobile devices with speed and ease. Her access is made even more efficient because she has an extensive user profile with the government service that can be used to quickly verify her identity and intentions.
While both of these users are leveraging the same online portal to access the same government services, these are two very different access scenarios. Accordingly, the credentialing and verification protocols deployed need to be different. Yet many agencies deploy heavy one-size-fits-all authentication procedures across their various portals.
To understand why adaptive identity management is crucial to agency success, we spoke with Kolin Whitley, Director of Fraud and Identity Solutions at Experian, an information services firm that provides a suite of identity-proofing tools to the public sector. Whitley also explained how agencies can create an identity management system that fits user needs.
User Identities vs. User Relationships
Identity management is traditionally a case of creating a standard verification process that is applied to any access scenario. “But now we’re starting to see it evolve into what we call identity relationship management,” said Whitley. “It’s not just knowing who a person might be at one point in time. It’s considering the risks associated with the entire identity profile and being able to manage those risks throughout the consumer lifecycle.”
The reasoning for this evolution in identity management is three-fold. First, deploying a heavy credentialing process across all access scenarios is unnecessarily costly for an agency. While stringent verification is necessary to protect highly sensitive information, it is not worth the investment to equally protect less valuable data. As Whitley said, “It doesn’t make a lot of sense to have a user go through an expensive and, in some cases, perceived invasive form of identity verification just to access basic information.”
Second, cumbersome credentialing processes can impede users from accessing your services. Consumers are unlikely to consistently answer multiple, intrusive questions in order to access basic information. Similarly, asking for personal information that may have already been compromised elsewhere limits the effectiveness of the process.
Finally, an inflexible verification process for all users will detract from a successful consumer-agency relationship. It is key to evolve your security interactions as confidence and routines are built. Otherwise, you risk severing trust and making your agency appear detached from consumer needs and preferences.
Creating a Dynamic Identity Management System
So how do you ensure that you’re safeguarding your agency resources without impeding user access or overspending on security? The first step is to recognize that there is no one-size-fits-all template for identity and access management. Instead, you should consider the unique characteristics of your user base, agency mission, regulatory environment, and risk-tolerance level. Each of these dynamics should alter your identity management system processes.
User base: The first step is to understand who your users are. “It’s important for us to consult with agencies to make sure they understand the demographic they’re dealing with, and that there may be certain challenges based on that unique demographic,” Whitley said. Demographic information such as the age, location and the existing data footprint of your users can come from a range of sources. In some cases, getting to this information may require collaborating with a data provider like Experian.
Once you’ve analyzed your audience, adjust your credentialing process to accommodate them. For example, if the majority of your users are millennials, you need to consider their potentially limited experience with personal finances. You may want to minimize questions that rely on credit history for authentication. You may also need to streamline credentialing processes across multiple platforms, as younger users are likely to use a variety of mobile devices.
Agency mission: “Every agency has a slightly different mandate that they’re trying to meet,” Whitley explained. “You need a customized approach that helps agencies as they work through that mandate.” In many instances, your mission is best served by encouraging as many users as possible to access your service. In those scenarios, a lighter yet effective credentialing process is most appropriate to avoid impeding users from engaging with your agency. In other cases, advancing your agency’s cause may require strictly securing data to ensure that only those users who can and should appropriately use it have access to it.
Regulatory environment: Regulatory standards can safeguard or inhibit your ability to serve your users. “An agency has a directive requiring them to strongly authenticate users accessing their applications,” said Whitley. “But at the same time, they are trying to balance the fact that these users ultimately require access to those applications.”
Regulations may require stricter credentialing processes than you might otherwise find appropriate for a specific user action. However, leveraging user data in unique ways can help alleviate regulatory burden while remaining compliant. Consider ways to validate the same user information, but in less intrusive or resource-intensive ways.
Risk-tolerance: Every agency has security concerns, but even the most private agencies offer services that can be less heavily safeguarded. The ideal identity management strategy will reflect not only the risk tolerance of your organization-at-large, but also the unique risks associated with particular access scenarios. Again, less sensitive information should be made more easily accessible and consistent users can, in many cases, be credentialed with less scrutiny.
A dynamic identity management system that accommodates the specific needs of each user-agency relationship is crucial to agency success. However, creating such a system is not a one-time, easy set-up. As your user base, agency mission, and other dynamics shift, your system will also have to continually evolve. Partners like Experian can help by providing modular authentication protocols that can be added, altered, and removed as needed.
Whitley concluded, “We must evolve from an identity access management position to an identity relationship management position, where the linking of people, places and things enables a dynamic context-based strategy that extends beyond a point in time to throughout the customer lifecycle.”