In May 2019, the Government Accountability Office (GAO) released the report “Federal Agencies Need to Strengthen Online Identity Verification Processes.” The report has far-reaching implications for digital identity standards in both the public and private sectors. In this blog we analyze the report, how it influences the private sector, and how to apply a risk-based approach to meet the overhauled digital identity guidelines.
This post is based on a BioCatch webinar with industry experts Patrick Hearn, CEO, Endeavor Worldwide, and Frances Zelazny, Chief Strategy & Marketing Officer, BioCatch.
The Origins of the GAO Online Identity Report
GAO’s updated guidelines have their origins in the Equifax data breach of 2017, a major cybersecurity incident that resulted in significant changes to identity verification processes. Following the breach, the National Institute of Standards and Technology (NIST) released guidelines that required government agencies to stop using knowledge-based authentication (KBA) — including data sourced from the credit reference agencies — in favor of stronger alternatives. The GAO Online Identity Report reviews which practices the major federal agencies have had in place since the NIST guidance and where the weaknesses still lie.
All agencies reviewed in the report, except one, have moved away from KBA. The message from the GAO is clear: progress has been made, but it is not enough, and more needs to be done to promote digital identity standards. To facilitate progress, the GAO has outlined alternatives that give agencies stronger techniques for identity proofing. These include:
- Remote assessment of credentials
- Verification of mobile phone device possession (location & device)
- SMS codes
- PIN distribution by mail
Why the Private Sector Needs to Pay Attention
The GAO Online Identity Report delivers a significant message from the White House to government agencies and the private sector in the form of new digital identity standards. It’s time to move away from Level of Assurance (LoA) checks and toward a risk-based process for identity proofing. This matters to the private sector for several reasons:
- Identity and access management is a critical pillar of cybersecurity and digital transformation.
- IoT usage opens the door to further risks.
- The private sector uses government standards to structure their own risk management posture, with many audited by the government.
- The Office of the Comptroller of the Currency and the Centers for Medicare & Medicaid Services will update their rules and regulations. This will affect how $2 trillion is spent.
- Mobile account takeover is up 78% year over year.
- The next generation of consumers has high security expectations.
Moving Toward a Risk-Based Approach
The GAO report makes it clear that a binary pass/fail response is no longer enough for identity proofing. Risk-based authentication allows for a much-improved, layered approach in which the checks applied depend on the perceived exposure. Three core factors relate to digital identity and help an organization develop a risk-based approach:
- Something you know (Knowledge)
- Something you have (Hardware)
- Something you are (Biometrics)
Bringing these components together in the right way at the right time verifies a user’s identity in the digital realm. In practice that might mean combining social media information, an email address, device location, or buying patterns to build a digital user profile to which a risk score is then applied.
The Role of Behavioral Biometrics for Identity Proofing
Behavioral biometrics adds a further layer of security to the online identity proofing process, allowing organizations to develop a risk-based approach. The GAO guidelines outline the different elements, including behavior, that need to come together to improve identity proofing at federal agencies. Three key behavioral parameters can be used as part of this process:
- Application fluency: Fraudsters who repeatedly use compromised or synthetic identities demonstrate a high level of familiarity with the account opening process.
- Navigational fluency: Cybercriminals are often expert users and demonstrate a proficiency with keyboard shortcuts and function keys not typically seen in genuine users.
- Data familiarity: Criminals entering stolen personal information exhibit behaviors that suggest the information is not innate to them.
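As an added illustration (not BioCatch's scoring logic; the session fields, weights and thresholds are assumed heuristics), the three behavioral parameters above are turned into per-factor scores and a combined risk score that drives a proceed/review/step-up decision instead of the binary pass/fail the report warns against:

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Constructed telemetry for one account-opening form (hypothetical fields)."""
    form_seconds: float     # first field focus to submit
    fields: int             # form fields completed
    shortcut_keys: int      # Tab/Ctrl/function-key presses
    total_keys: int         # all key presses
    pii_fields: int         # fields holding personal data (name, DOB, address...)
    pasted_pii: int         # of those, filled by paste instead of typing
    pii_corrections: int    # backspace/edit events inside PII fields

def clamp(x: float) -> float:
    return max(0.0, min(1.0, x))

def application_fluency(s: Session) -> float:
    # Repeat applicants race through the form; assume a genuine first-time
    # user needs about 6 s per field, so anything faster raises the score.
    per_field = s.form_seconds / max(s.fields, 1)
    return clamp((6.0 - per_field) / 6.0)

def navigational_fluency(s: Session) -> float:
    # Heavy use of shortcuts/function keys; saturates at 10% of key presses.
    ratio = s.shortcut_keys / max(s.total_keys, 1)
    return clamp(ratio / 0.10)

def data_familiarity(s: Session) -> float:
    # Data that is not innate tends to be pasted or typed hesitantly with edits.
    paste_ratio = s.pasted_pii / max(s.pii_fields, 1)
    edit_ratio = clamp(s.pii_corrections / max(s.pii_fields, 1))
    return clamp(0.7 * paste_ratio + 0.3 * edit_ratio)

WEIGHTS = (0.4, 0.3, 0.3)  # application, navigation, data (assumed)

def risk_score(s: Session) -> float:
    parts = (application_fluency(s), navigational_fluency(s), data_familiarity(s))
    return round(sum(w * p for w, p in zip(WEIGHTS, parts)), 4)

def decision(score: float) -> str:
    # Risk-based outcome: low risk proceeds, mid risk is reviewed,
    # high risk is routed to step-up proofing (e.g. remote document check).
    if score < 0.3:
        return "proceed"
    if score < 0.6:
        return "review"
    return "step-up"
```

A genuine applicant such as `Session(240, 20, 2, 400, 4, 0, 1)` scores about 0.04 and proceeds, while `Session(40, 20, 30, 150, 4, 4, 0)` (fast, shortcut-heavy, all PII pasted) scores about 0.78 and is sent to step-up proofing.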
BioCatch's platform is uniquely able to extract over 2,000 user parameters relating to behavioral or cognitive attributes. These are then analyzed in context using artificial intelligence and machine learning to connect the dots, closing out information gaps and silos and developing a holistic view of a user. The results allow organizations in both the private and public sector to solve problems across the digital identity lifecycle in line with GAO’s recommendations.
To learn more about how BioCatch can help you move towards a frictionless, risk-based identity verification process with behavioral biometrics, contact us today.