A look at ID proofing: bootstrapping a digital ID using a mobile device and physical ID
For the moment, it’s more for B2C than for employees, but it’s poised to keep spreading.
Everyone in the industry is focused on moving past a reliance on usernames and passwords, so we like looking at all the different authentication models available right now, from hardware keys to biometrics and beyond. One we haven’t looked at before is ID proofing, something that Jack mentioned came up at Identiverse 2019.
There are a variety of vendors out there offering ID proofing solutions, such as Okta, Evident ID, Acuant, and more. I happened to speak with one such vendor, Jumio, earlier this summer.
What is ID proofing?
At the highest level, identity proofing involves proving one’s identity by answering knowledge questions (for example, “What street did you grow up on?”) or scanning governmental documents (e.g., driver’s license, a bill, etc.), up to and including taking a selfie to compare against physical IDs. For businesses, the value of ID proofing is in validating user identities before allowing them to access or create an account that might involve access to sensitive data (e.g., banking, regulated industry).
Companies used to rely on having users provide information found on credit reports, but this isn’t as secure a method as it once was, as data breaches continue to be an everyday thing and so much private info is freely provided by people online anyway. So, with the advent of smartphones (and computer webcams), vendors stepped in with more secure authentication options.
Some common use cases where ID proofing can prove useful are employee/contractor onboarding, customer onboarding, account recovery, and proof of address.
Jumio ID proofing workflow
Jumio explained that users take a photo of their government ID and follow up with a selfie, so that someone can’t just use a stolen license. Jumio then reviews the document, such as examining a driver’s license for microprint, layout, font, and image manipulation, to ensure that it’s real. The vendor doesn’t currently check documents against any government database, but it is something they are looking at; they did say that it isn’t uncommon for vendors to connect with such databases. Jumio also does liveness checks, making it more difficult for someone who has a stolen license and a photograph of the person they’re imitating to access that person’s account.
While their tech handles the initial ID proofing review, an actual person will step in if there is an issue that cannot be resolved, such as blurriness in the selfie.
Once the review is complete, which for Jumio takes about 30 seconds, they tell the bank or whatever the company is whether the user is approved or not.
Jumio ID proofing
Jumio currently provides ID proofing solutions for B2C organizations. Their tech is white labeled inside of B2C apps, such as HSBC’s.
For high-risk transactions, companies using Jumio could require a step-up authentication from the user, where the user takes a short video to provide the liveness detection to prevent spoofing. A video is used instead of a selfie because not all devices take great photos.
Jumio can also create 3-D face maps of users to help companies compare against future images users take. This can be something a company requires before a user can reset their password, reducing the likelihood of an account takeover.
I asked how Jumio handles customer data, given they get access to official government documents like IDs and user selfies. They explained that once a user is verified, they return the data to the company, which can then decide to simply delete the data since it’s not needed anymore or save it. For the 3-D facemap data, companies can decide to keep it on their servers or Jumio’s, since that needs to be retained in order to compare against future selfies.
While the verification process currently takes about 30 seconds if there are no issues with the user’s images, Jumio explained that one of their roadmap plans is to get this down to somewhere closer to five seconds, given users aren’t known for being patient.
ID proofing for employees
Currently, ID proofing might lend itself most often to B2C use cases, but some IdP vendors do offer it as an option for more security-minded organizations looking for an option beyond username/password.
Okta, for example, provides ID proofing to help companies differentiate between employee access levels, which can help organizations that use a lot of contractors. They currently use knowledge questions, but also have the capability to incorporate selfies and document photos. Okta actually partners with a few different ID proofing-focused vendors like Jumio, giving customers additional features their solution might not normally have.
Evident ID is one such partner, and one I previously spoke with after they announced their integration with Okta earlier this year. They explained they provide different levels of verification, depending on what a company may need (e.g., provide assurance to a healthcare organization that the user is a doctor like they claim). The partnership with Okta came about because Evident can scale up or down verification and Okta is still getting into ID proofing, which is where partner integrations can come into play. Like Jumio, Evident ID currently caters to B2C.
Other vendors are looking to add identity proofing into their offerings. One such example is MobileIron, which revealed they’re working with a partner to include ID proofing as part of their existing solutions.
So, ID proofing is a thing now! It’ll be interesting to see where it goes from here and how widely implemented it becomes.