By Rebecca Mayo, J.D.
The GAO found that federal agencies need to strengthen online identity verification processes, but they need further guidance from the National Institute of Standards and Technology to determine what processes to use and how to implement them.
The Equifax data breach has increased concerns about the security of the remote identity proofing processes used by many federal agencies and about the likelihood of fraud committed with the breached data. The Government Accountability Office (GAO) reviewed six agencies that use remote identity proofing and compared their practices with the National Institute of Standards and Technology (NIST) remote identity proofing guidance to assess whether that guidance is sufficient. The GAO found that the guidance needs to give agencies more direction on finding alternative methods of verification and on how to implement them (GAO Report, GAO-19-288, June 14, 2019).
Identity proofing. Identity proofing is the process of verifying that a person who is interacting with an organization for the first time is the individual he or she claims to be. When business is conducted in person, a trained employee can inspect an individual's driver's license or other credential. As more transactions move online, however, remote identity proofing has become necessary for many organizations. Remote identity proofing usually involves an applicant supplying identifying information through a web form, which is then compared electronically with records the organization holds in its own databases or with records maintained by a third party such as a consumer reporting agency (CRA). Further steps are then taken to verify that the applicant is the person those records describe.
Knowledge-based verification involves asking applicants detailed personal questions to which, in theory, only the real person knows the answers. Organizations often outsource this to a CRA by integrating the CRA's service into their website; the service generates multiple-choice questions about the applicant from the information the CRA has aggregated about that individual. The weakness is that the "secret" answers are drawn from the same kind of data exposed in a breach such as Equifax's, so an impostor holding breached records can answer them too.
Alternatives. NIST's guidance on remote identity proofing states that the agency no longer recommends knowledge-based verification, and it gives examples of alternative methods. Recently developed technology allows an individual to photograph a physical credential, such as a driver's license or passport, with a mobile device and submit the image to the agency for review and verification. An organization can also query records maintained by mobile carriers to confirm that an individual is in possession of a specific device and phone number, and to check whether the device's location matches the individual's billing information. Verification codes may also be sent to an individual's mobile device or through postal mail; such a code proves possession of the phone number or mailing address on record, which is why it is paired with the other checks rather than used alone.
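As an added illustration of the verification-code alternative described above (this is example code written for this summary, not code from the GAO report, NIST, or any agency system), the following Python shows the server side of issuing a one-time code for out-of-band delivery and checking the applicant's response. The ten-minute lifetime, the five-attempt limit, the in-memory store, and the applicant identifiers are assumptions for the example; the points it demonstrates are that the code is generated with a cryptographic random source, stored only as a salted hash, compared in constant time, expires, is single-use, and locks after repeated wrong guesses so that a six-digit code cannot simply be brute-forced.

```python
"""One-time verification code issuance and checking (added example, not agency code)."""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6            # assumed: six decimal digits, as commonly sent by SMS or mail
CODE_TTL_SECONDS = 600     # assumed: code is valid for ten minutes
MAX_ATTEMPTS = 5           # assumed: after five wrong guesses the code is discarded


def _digest(salt: bytes, code: str) -> bytes:
    """Salted SHA-256 of the code; only this is stored, never the code itself."""
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


class CodeStore:
    """In-memory record of outstanding codes, keyed by an applicant identifier.

    `clock` is injectable so expiry can be exercised without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def issue(self, applicant_id: str) -> str:
        """Generate a fresh code and return it for out-of-band delivery (SMS, mail).

        Re-issuing for the same applicant replaces any earlier code.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[applicant_id] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, applicant_id: str, submitted: str) -> str:
        """Check a submitted code; returns one of ok, wrong, expired, locked, no_code."""
        rec = self._pending.get(applicant_id)
        if rec is None:
            return "no_code"
        if self._clock() > rec["expires"]:
            del self._pending[applicant_id]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            # Too many guesses: discard the code so the applicant must request a new one.
            del self._pending[applicant_id]
            return "locked"
        # Constant-time comparison of hashes avoids leaking matching prefixes via timing.
        if hmac.compare_digest(rec["digest"], _digest(rec["salt"], submitted)):
            del self._pending[applicant_id]  # single use
            return "ok"
        return "wrong"


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("applicant-123")       # constructed identifier
    print("code for out-of-band delivery:", code)
    print("wrong guess ->", store.verify("applicant-123", "000000"))
    print("correct code ->", store.verify("applicant-123", code))
    print("replay ->", store.verify("applicant-123", code))
```

The mailed or texted code only demonstrates possession of the address or device on record; in a real deployment it sits alongside document capture or carrier checks, and the store would be a database with the same hashing and limits.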
Shift in verification. The NIST guidance effectively prohibits agencies from using knowledge-based questions as part of their processes, so agencies are now required to find ways to eliminate knowledge-based verification. The General Services Administration (GSA) and the Internal Revenue Service (IRS) have eliminated it. The Department of Veterans Affairs (VA) has implemented alternative methods as a supplement but continues to use knowledge-based verification. The Social Security Administration (SSA) and the United States Postal Service (USPS) are investigating alternatives and stated that they intend to reduce or eliminate knowledge-based verification in the near future, but they have not created specific plans. The Centers for Medicare & Medicaid Services (CMS) has no plans to reduce or eliminate it.
The agencies cite barriers to implementing new forms of verification, including cost, legal and regulatory restrictions on sharing data, uncertainty about how much fraud an alternative would actually prevent, the share of the population an alternative could cover, and the burden on applicants to complete the process. The GAO noted that each of the alternatives proposed by NIST has limitations, including implementation challenges. In-person identity proofing requires offices and staff, and applicants must be able to travel to those locations. Not all applicants have mobile devices with which to capture images of their identification. Finally, sending verification codes through the mail introduces delays.
Recommendations. The GAO recommends that NIST supplement its guidance to help federal agencies determine and implement the alternatives to knowledge-based verification that best suit their applications. The Office of Management and Budget should issue guidance requiring federal agencies to report on their progress in adopting secure identity proofing processes. CMS, SSA, USPS, and the VA should each develop a plan to discontinue knowledge-based verification, for example by adopting Login.gov or other alternative verification techniques.
Health Law Daily: Breaking legal news at your fingertips