Two-factor authentication – the practice of adding a one-time code delivered to a phone or a native app like Google Authenticator on top of a password – is a relatively well-known term to consumers. Less well known is the term “identity proofing”: the process of establishing trust in the relationship between a legal identity and the user controlling the online account. This post explains the three steps of identity proofing: validating that the identity is real, that it is unique, and that the user claiming the identity is, in fact, that person.
Think about your driver's license for a moment. Everyone who lives in your state is issued the exact same driver's license template. What distinguishes your driver's license from the others is your face printed on the document, your name, date of birth, and address, and the unique driver's license number the state DMV issued you. Even though much of the data is public – name, date of birth, address, even your face – the TSA can trust that you are you when you go to board an airplane because you possess a credential, issued by a trusted third party, that has bound your legal identity and face to the credential.
In crude terms, your visit to the DMV – when you brought your utility bills, birth certificate, passport and social security card – constituted identity proofing. Once the DMV knew you were in fact you, they issued you a physical credential with the equivalent of two-factor authentication: your face printed on the card, along with the security features and holograms specific to the template, provides third parties with a high degree of confidence that the credential is legitimate and that you are you.
Everyone who has been to your house for your birthday party knows your name, date of birth, and address. But those people can’t walk into a bank and open an account with a piece of notebook paper that has your personal information listed on it in order to claim that they are you. That’s silly. But that’s how digital identity works today. No wonder there is so much fraud. Of course, the bank employee will want to see a credential – a driver's license, a passport, or a military ID – because they need the credential issuer to act as a reference for your claim.
Creating a Network of Credential Service Providers with SSN
Credentials ensure that third parties can trust that the user is the legitimate owner of the identity – even if the identifiers printed on the credential are public.
For this reason, the social security number still plays a vital role in establishing identity online. It is important to know that a name, date of birth, and social security number combination represents one specific person. And, indeed, those identifiers play the same critical role in identity today, even after Equifax, in establishing your identity as real and unique so organizations know a given transaction concerns you – your name, date of birth, and social security number are still the same, they just aren’t secret anymore.
What is missing in the United States is a connected network of trusted credential service providers – fancy speak for Single Sign On providers – that work together to ensure that only one digital credential is issued to one unique identity. Once such a network is widely adopted across government, financial services, healthcare, and payments, identity will work for people and for organizations again, because the prevalence of credentials prevents the misuse of compromised static identifiers.
Fortunately, we have built that network at ID.me, and we’re hooked into seven federal agencies, a few state governments, and several hundred retailers and counting. But, unfortunately, establishing trust in identity doesn’t end with establishing a network of connected credential providers. The entire point of an ID card is to provide utility to the bearer so that they can perform an action with the ID card, whether that be boarding an airplane or opening up a bank account.
For online transactions, the data provided by the credential service provider must match the data on file at government agencies, healthcare organizations, and financial services companies, or the organization will be unable to match the credentialed user to the specific user file in its database. For people with common names like John Smith, the problem is particularly bad because there are thousands of other people who share the same name and date of birth – making it next to impossible for government agencies to take the risk of revealing one person’s sensitive information or entitled benefits without understanding which unique user came to them.
Social security numbers are still important and vital to empower individuals to control and use their own digital identity. America needs strong digital credentials to combat the public nature of our national, unique identifiers. In part three, I write about how credit cards provide an interesting model for representing a legal identity with a meaningless string of numbers for payment purposes – and how certain improvements to that basic concept could shut down fraud and advance a user-controlled model of personal data.
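To make the two points above concrete – one credential per unique identity, and the John Smith matching problem – here is a small added illustration (not ID.me code). It assumes a record index keyed on a keyed hash of the SSN rather than the raw number; the names, dates, SSNs and the key are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

_KEY = b"example-key-not-for-production"  # placeholder; use a secrets store

def ssn_token(ssn: str) -> str:
    """Keyed hash of the SSN so the index stores a token, never the raw number."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return hmac.new(_KEY, digits.encode(), hashlib.sha256).hexdigest()

def _norm(s: str) -> str:
    return " ".join(s.split()).casefold()

@dataclass(frozen=True)
class Record:
    record_id: str
    name: str
    dob: str       # ISO date
    ssn_tok: str   # output of ssn_token()

def find_record(records, name, dob, ssn=None):
    """Return ('unique', record), ('ambiguous', count) or ('none', None)."""
    hits = [r for r in records if _norm(r.name) == _norm(name) and r.dob == dob]
    if ssn is not None:
        tok = ssn_token(ssn)
        hits = [r for r in hits if r.ssn_tok == tok]
    if len(hits) == 1:
        return "unique", hits[0]
    return ("ambiguous", len(hits)) if hits else ("none", None)

class CredentialRegistry:
    """Issues at most one credential per (name, dob, ssn) identity."""
    def __init__(self):
        self._issued = {}

    def issue(self, name, dob, ssn):
        key = (_norm(name), dob, ssn_token(ssn))
        if key in self._issued:
            return None  # a second enrollment of the same identity is refused
        self._issued[key] = f"cred-{len(self._issued) + 1}"
        return self._issued[key]

# Constructed sample file: two John Smiths share a date of birth.
SAMPLE_RECORDS = [
    Record("A1", "John Smith", "1980-04-12", ssn_token("123-45-6789")),
    Record("A2", "John Smith", "1980-04-12", ssn_token("987-65-4321")),
    Record("A3", "Jane Doe", "1975-09-30", ssn_token("111-22-3333")),
]
```

Name and date of birth alone return an ambiguous match for John Smith; adding the SSN resolves it, and the registry refuses to issue a second credential to the same identity.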
ID.me is the next-generation digital identity platform that provides for trusted and convenient interactions between individuals and organizations. Government agencies and commercial partners use ID.me for online identity proofing and authentication to ensure their platforms and users are protected from fraud and identity theft.
All media inquiries can reach out to Laura Cruz at firstname.lastname@example.org.