researchHQ’s Key Takeaways:
- Identity fraud cost businesses a total of nearly $17 billion in 2019 through a combination of compromised data, lost resources and fines under privacy laws.
- Identity proofing is the process of verifying a user’s identity (using life history, biometrics and other factors) before providing them with any login credentials.
- Identity proofing involves distinguishing a user’s identity in the context of the system, collecting and examining information that can identify the user, and finally verifying if the user is who they claim to be.
- While proofing user identities helps bolster a company’s security posture, it may not be necessary for every situation and should be implemented contextually.
Identity proofing is a crucial part of your security infrastructure.
Why Identity Proofing Matters
The total cost of identity fraud reached nearly $17 billion (USD) in 2019, according to Javelin’s 2020 Identity Fraud Survey. That cost comes in the form of compromised data, lost resources, and fines under privacy regulations like the GDPR and CCPA in the case of a preventable data breach. Because of these very real risks, the ability to reliably verify a user’s identity is a critical component of your security infrastructure.
In many contexts, users self-register to an identity and access management (IAM) system: that is, they sign themselves up. With self-registration, identity verification is often based only on an email address or phone number — two pieces of information that tell you very little about the user’s actual identity in the real world. Especially in certain contexts, it’s wise to go beyond email/phone number verification and employ identity proofing services to accurately identify your users.
What Is Identity Proofing?
Identity proofing is the process of verifying a user’s identity: confirming that they are who they say they are. This may sound like ordinary authentication, the kind based on a username/password combination, but identity proofing actually comes into play either before users get their credentials to access an application or alongside the traditional authentication process.
Let’s consider two definitions put forth by the National Institute of Standards and Technology (NIST) in its Digital Identity Guidelines:
- Claimed identity: Data about the identity a user declares when they register with an IAM system (who they claim to be).
- Actual identity: Data proving the authenticity of a user’s identity (who they actually are).
The ultimate goal of identity proofing is to ensure that a user’s claimed identity matches their actual identity: in other words, that their identity is real and not fictitious. That’s why identity proofing is a first-line defense against today’s attacks on the identity perimeter.
The cost of identity fraud
Identity fraud costs individuals and companies a significant amount every year. According to the Consumer Sentinel Network, maintained by the US Federal Trade Commission (FTC), 3.2 million identity theft and fraud reports were received by law enforcement and private organizations in 2019. Of these, 1.7 million were fraud-related, while roughly 651,000 (about 20%) were identity theft complaints.
Identity fraud will likely prove even more expensive in 2020: the COVID-19 pandemic, along with social and economic disruption on a global scale, has led to a spike in fraudulent activity. In July 2020, the FTC warned that Americans had already lost more than $77 million to fraudulent COVID-19 schemes — and those are just the reported losses. Actual losses are likely to be significantly higher.
How Identity Proofing Works
Identity proofing allows you to verify a user’s identity based on life history (a credit report), biometrics (a facial scan), and other factors before granting them access to your system.
Of course, you can manually verify your users’ identities by requiring them to provide paper documentation (a copy of their passport) or performing an interactive check via online meeting tools like Zoom. As you might expect, these time-consuming manual processes don’t scale effectively, and they inevitably detract from your user experience.
In its Digital Identity Guidelines, the National Institute of Standards and Technology (NIST) defines three crucial steps in the identity proofing process:
- Resolution: Distinguishing a person’s identity in the context of the system.
- Validation: Collecting identifying information from the user (username, password, answers to security questions) and confirming the accuracy of that information.
- Verification: Verifying that the user is who they claim to be.
The right identity proofing system can automatically perform this work: gather information about the user, verify whether their claimed identity matches their actual identity, and approve their registration or access request. All of this happens in real time, without human intervention, creating a secure authentication function that doesn’t compromise user experience. Investing in identity proofing services allows you to realize these benefits without having to divert resources away from your core competencies.
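The three steps above as a registration gate, in an added Python example that is not from the original article or from any vendor it names. The record set, field names, function names and the 0.90 face-match threshold are assumptions made for illustration; the example shows the gate stopping at the first failed step, including the case where the claimed attributes match more than one person.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample population; every record here is made up.
KNOWN_RECORDS = [
    {"id": "r1", "name": "ana lopez", "dob": date(1990, 4, 2), "postcode": "94107"},
    {"id": "r2", "name": "john smith", "dob": date(1985, 1, 9), "postcode": "10001"},
    {"id": "r3", "name": "john smith", "dob": date(1985, 1, 9), "postcode": "60614"},
]
FACE_THRESHOLD = 0.90  # assumed policy value, not taken from NIST or the article

@dataclass
class Application:
    name: str          # claimed identity
    dob: date
    doc_name: str      # attributes read from the photo ID (the evidence)
    doc_dob: date
    doc_expiry: date
    face_match: float  # 0..1 score from a hypothetical selfie-vs-ID comparison
    postcode: str = "" # optional extra attribute used to narrow resolution

def resolve(app):
    # Resolution: the claimed attributes must single out exactly one person.
    name = app.name.strip().lower()
    hits = [r for r in KNOWN_RECORDS
            if r["name"] == name and r["dob"] == app.dob
            and (not app.postcode or r["postcode"] == app.postcode)]
    return hits[0]["id"] if len(hits) == 1 else None

def validate(app, today):
    # Validation: the evidence is current and agrees with the claim.
    return (app.doc_expiry >= today
            and app.doc_name.strip().lower() == app.name.strip().lower()
            and app.doc_dob == app.dob)

def verify(app):
    # Verification: the person presenting matches the validated evidence.
    return app.face_match >= FACE_THRESHOLD

def proof(app, today):
    # Run the steps in order and report which one rejected the applicant.
    record = resolve(app)
    if record is None:
        return ("reject", "resolution")
    if not validate(app, today):
        return ("reject", "validation")
    if not verify(app):
        return ("reject", "verification")
    return ("approve", record)
```

An ambiguous match is rejected at resolution rather than guessed at; asking the applicant for one more attribute (here, the postcode) lets the same claim resolve to a single record.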
Know where to implement identity proofing
Identity proofing bolsters your security posture by ensuring that your applications trust only verified users. That said, identity proofing isn’t necessary or even desirable in every scenario. If the users managed by your IAM system are well-known to you in a business context (for instance, your users are your employees accessing internal systems), you may not need identity proofing.
When it’s essential to be sure of user identity across a large user base, identity proofing is critical. For example, identity proofing is necessary to securely onboard patients in telemedicine, register job candidates in an HR system, allow students to sign in for an online exam, and manage online banking and eCommerce transactions. These are all application types that can benefit from identity proofing.
Meet the Identity Proofing Experts
Auth0 Marketplace is an ecosystem of third-party integrations that empower developers to build better identity solutions with superior discovery and installation experiences. You can add identity proofing to your applications with partner integrations from Auth0 Marketplace. Let’s take a look at our launch partners who specialize in identity proofing:
Onfido uses a photo ID and facial biometrics to verify identity digitally, so users can prove their identity anytime, anywhere. As a digital identity proofing leader, Onfido employs a hybrid approach based on machine learning and human experts to eliminate fraud.
ID DataWeb’s Attribute Exchange Network (AXN) ties identity verification, multi-factor authentication (MFA), and login services together in a single cloud interface. An easy-to-use dashboard empowers you to create custom verification and authentication policies to establish trust with your users.
Vouched uses machine learning to guarantee fast, accurate identity verification. With Vouched, companies can instantly verify identity for contractors and customers, gather financial and insurance information, and automate the handling of unverified users.
Caisson’s ID Check integration validates and extracts information from drivers’ licenses and passports using machine learning and advanced facial comparison algorithms. ID Check can process hundreds of different photo ID types, and verification typically takes less than 45 seconds.
Next-Generation Identity Proofing
Identity proofing is a foundational piece of the digital trust relationship you want to establish with your users. Auth0 Marketplace is recruiting the best identity proofing experts to innovate on our platform, so we’re ready to help you solve the identity challenges of today and tomorrow — including the challenges that have yet to arise.