In the second part of this series, I’ll cover five additional ways you can implement an identity verification system that’s robust against fraud without being inaccessible to the people it’s designed to serve.
- Stop using SSNs
Our personal data has been breached so many times that it’s downright irresponsible to use Social Security Numbers as a way to verify whether someone is who they claim to be. Criminals have lists of them in neatly formatted spreadsheets, which can sail through automated systems, while real humans who accidentally transpose two numbers get stuck in identity theft purgatory.
I have been proposing that the government publicly publish our Social Security numbers, similar to Estonia’s eID, to fully put a stop to treating them as private information. It’s fine to use an SSN as a unique identifier, but it’s not fine to use it as a form of identity verification. If your system is doing this, stop.
- Aim for same-day verification
Ideally, most of your end users would complete identity verification instantly, when they voluntarily opt-in to automated verification, the verification process has a good user experience, and it follows standards to keep fraud at bay. For some, as discussed earlier, they’ll need a higher touch. A good rule of thumb is that it should be possible for a user to get verified manually the same day, whether through a remote trusted referee or a nearby in-person location — even if some choose to complete the process in a longer timeframe.
I have seen some agencies tie themselves up in knots trying to meet metrics like “five minutes” or “one hour” for individuals who don’t want to or can’t use automated options. One day is still a great experience.
- Understand the risks and trade-offs for your service
Identity verification is not one size fits all. You need to factor in your user population, the other steps in your process, and the funds or services at stake, then take reasonable measures to protect against fraud and identity theft.
As a thought experiment, pretend you’re a criminal, trying to take advantage of your agency’s services. How would you do it? Could you do it at scale?
For example, large cash payments (like unemployment benefits) are much more attractive to criminals, and therefore more at risk, versus benefits that are less versatile like transit benefits or food benefits that can only be used in certain locations. If your process already requires an in-person interview, it would be extremely difficult for someone up to no good to send tens of thousands of fake people to in-person interviews; but if your only barrier is an online form asking for someone to verify their Social Security Number, then a criminal with a spreadsheet can commit huge fraud in a matter of minutes.
The more barriers you put up to protect against fraud, the harder you make it for real people to access your benefits — and delivering benefits is why we’re showing up to work every day. Don’t lose sight of the forest for the trees when designing the right level of identity verification for your service line.
- Mobile access
Your website analytics data likely shows that half or more of your users are accessing digital services from a mobile phone, regardless of whether the website is designed to work well on mobile. This can cause a huge accessibility barrier. Every digital service should be designed to work well on mobile devices.
- Re-use verified identities
As more and more government services adopt sophisticated digital identity solutions, agencies should start to trust one another’s equivalent verification systems. For example, if someone identity proofs with the DMV, they should be able to reuse that credential with other state agencies, without having to identity proof all over again. This is especially critical for people who struggled with the process the first time and needed manual assistance.
This doesn’t mean that agencies share private data — it means it only shares that an individual’s identity was verified, and to what level of assurance.
Marina Nitze, co-author of Hack Your Bureaucracy, is currently a partner at Layer Aleph, a crisis engineering firm that specializes in restoring complex software systems to service. Marina is also a fellow at New America’s New Practice Lab, where she works on improving America’s foster care system through the Resource Family Working Group and Child Welfare Playbook. Marina was the Chief Technology Officer of the U.S. Department of Veterans Affairs under President Obama, after serving as a Senior Advisor on technology in the Obama White House and as the first Entrepreneur-in-Residence at the U.S. Department of Education.
Leave a Reply
You must be logged in to post a comment.