Can you prove someone’s identity online?

By Akif Khan | April 29, 2021 | 2 Comments

It’s a good question. In addition to fraud detection, I also cover online identity proofing. I take hundreds of calls a year from clients who need to gain confidence in the identity of a user online. The Gartner definition of identity proofing is pretty rigid. To paraphrase, if you want to bring an identity claim within your organizational risk tolerance, you need evidence that:

  1. The real-world identity exists.
  2. The person claiming that identity is the right person, and that they are genuinely present on the other end of that internet connection.

It thus follows that the often-used and longstanding technique of asking a user to enter their PII data (name, address, date of birth, government ID number etc.) and then checking that data against various sources (credit bureaus, postal data, government databases where available, etc.) doesn’t meet the Gartner definition of identity proofing. We call this technique data-centric identity affirmation – it can support identity proofing, but it isn’t identity proofing. After all, anyone could be typing in that PII data, right? You can mitigate this risk by layering in other techniques to give you more risk and trust signals (device ID, behavioural analytics, location signals) but you’re always going to have that nagging doubt about whether the user is really who they say they are.

The only mainstream game in town that meets the Gartner definition of identity proofing is document-centric identity proofing. I like to refer to this as the ID+selfie process. You take a picture of your photo ID document, which is then assessed for signs of tampering or being a fake (ticking definition box 1), and you then take a selfie of yourself which is biometrically compared to the picture in the ID document (ticking definition box 2). A crucial aspect of that second step is presentation attack detection (commonly called liveness detection), which checks for genuine presence – in other words, it makes sure that the user isn’t wearing a mask, or taking a selfie of a picture.
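To make the two definition boxes concrete, here is an added example (mine, not from this post, Gartner or any vendor) of a decision policy that only returns "proofed" when both a document check and a selfie-plus-liveness check pass, and treats PII matching alone as affirmation. The field names and threshold values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Threshold values are assumptions for illustration, not Gartner's or any vendor's.
DOC_TAMPER_MAX = 0.2     # tamper/forgery score at or above this fails box 1
FACE_MATCH_MIN = 0.8     # biometric similarity needed for box 2
PAD_LIVENESS_MIN = 0.9   # presentation attack detection (liveness) confidence needed for box 2


@dataclass
class Evidence:
    """Signals collected during an online onboarding session (hypothetical schema)."""
    pii_matched: bool                            # data-centric affirmation: name/DOB/address checks passed
    doc_tamper_score: Optional[float] = None     # None = no photo ID document captured
    face_match_score: Optional[float] = None     # None = no selfie captured
    pad_liveness_score: Optional[float] = None   # None = no liveness check performed


def identity_exists(ev: Evidence) -> bool:
    """Box 1: the real-world identity exists, evidenced by an untampered ID document."""
    return ev.doc_tamper_score is not None and ev.doc_tamper_score < DOC_TAMPER_MAX


def claimant_present(ev: Evidence) -> bool:
    """Box 2: the right person is genuinely present. A face match alone is not enough;
    liveness must also pass, otherwise a selfie of a photo could satisfy the match."""
    if ev.face_match_score is None or ev.pad_liveness_score is None:
        return False
    return ev.face_match_score >= FACE_MATCH_MIN and ev.pad_liveness_score >= PAD_LIVENESS_MIN


def proofing_outcome(ev: Evidence) -> str:
    """'proofed' only when both boxes are ticked; PII checks alone give 'affirmed'
    (a useful risk signal, but not identity proofing); anything else is 'unverified'."""
    if identity_exists(ev) and claimant_present(ev):
        return "proofed"
    if ev.pii_matched:
        return "affirmed"
    return "unverified"


if __name__ == "__main__":
    # Constructed sample sessions: PII only, full ID+selfie, and a face match with no liveness check.
    print(proofing_outcome(Evidence(pii_matched=True)))
    print(proofing_outcome(Evidence(True, doc_tamper_score=0.05, face_match_score=0.95, pad_liveness_score=0.97)))
    print(proofing_outcome(Evidence(False, doc_tamper_score=0.05, face_match_score=0.95)))
```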

During the pandemic period, I’ve taken a huge uptick in calls about online identity proofing. If people want to open a bank account with you and they can’t go to your local bank branch and show their ID in-person, you need to let them do it online. If you’re letting people register for COVID-related payments and support online, you need to make sure that criminals aren’t abusing the process.

The techniques that clients choose depend on their use case and what level of risk they’re willing to take. Cost, UX, level of assurance, integration complexity... all of these factor into the decision.

Check out my latest research note Buyer’s Guide for Identity Proofing for detail on how to choose an appropriate vendor. I’ll be touching on different aspects of that in some upcoming blog posts.

2 Comments

  • Looks like a good report. You should check out technology from TECH5 who have a very unique offering in ID proofing, issuance of a decentralized identity and then using it to verify identity offline in a secure and private manner

  • Barry says:

    Perfect overview