Most of those who have worked with me know that I love to draw lines between identity terms and that I am somewhat of a semantics freak. But hey, when it comes to architecture it’s really important to make sure that we do the right things in the right places. Many mix up authentication with proofing, so let’s start with… drawing a line between those two terms.
Authentication vs Proofing
When you authenticate, you confirm that you are who you say you are, mainly as a function of security. You fulfil the first of the three A’s (Authentication, Authorisation, Accounting) by utilising factors, username and password being the most widely used (you can check my article about multi-factor authentication here). But we have a chicken-and-egg scenario… Let’s imagine someone is opening a bank account for the first time and there are no credentials: no username, no MFA, nothing. It’s imperative that the bank verifies the identity of the person, not just because of the regulatory requirement, but mostly to fulfil the third A (Accountability), prevent repudiation and limit fraudulent activity. That is proofing. In the old days we would go to the bank and present a document like a passport or an ID card. The teller would check the picture, do some checks on the document itself, maybe cross-reference with other data sources and then, if everything checked out, open the account. It’s mainly a function of business and compliance.
Not a ‘one-off’
You may say ‘but I only open the account once’. And you’re right, but these days proofing is not a one-off and is utilised in many more use cases. We have become a digital society whether we like it or not, and the COVID-19 pandemic only accelerated the transformation of businesses. Most switched to a remote working model and, coming out of the pandemic, either remained so or introduced a mixture of working from home and the office. One way or another we have no physical contact and no ability to ‘proof’ the identity should we need to, at least not in the traditional way. A good example would be a forgotten-password procedure. There may be a situation where you cannot reset the password yourself and you need to call the helpdesk. And now we face a major problem: how do we proof the identity of the caller and make sure it’s not a bad actor? Well, we figured this out using security questions, vetting by a line manager (in principle the person in the organisation who knows the culprit best) or by sending a selfie together with a photo of our document. Proofing happens much more often than we think.
The good – empowering users by enabling self-service
Where there’s a will there’s a way, and vendors came up with solutions to help with this process. When you open a Starling Bank account (which operates in an online-only model) you just take a selfie and a picture of your passport or ID card. It’s not a real-time service, but it takes very little time, usually minutes, to proof the identity. Long story short, you can open a bank account in 15 minutes from the comfort of your home. Ping Identity have recently released a new product called PingOne Verify. It allows you to include this technology in your own processes. Deploying an automated proofing solution not only empowers your users (workforce or customers) but also reduces the overhead of support. You may argue that there’s room for fraud, but is it worse than a support engineer who is not a forensic analyst or a document authenticator in the first place? Of course not. In fact, in the password reset scenario I described earlier it’s more secure, as it utilises complex algorithms to analyse and compare the photo from the ID to the selfie, as well as to perform checks on the document itself.
The bad – proof at the customer’s experience expense
Ever since I experienced it myself I wanted to write this article. I won’t disclose the name of the offender, but let me just say it was a major, international credit card provider. In principle they used risk-based authorisation, which I triggered by adding the card to Apple Pay on two phones. Nothing outrageous, after all I used a private and a corporate mobile. I failed to add the card to the second phone as it seemed odd, fair enough. They would not resolve the issue when I called their support line. They said they would have to call me back. Ok, I thought, this will be sorted in a jiffy. So, they called me back… on my office desk phone, which they had because I also held a corporate credit card in my name in the past. That card wasn’t active anymore and I have since changed jobs. Well, it took me a while to talk some sense into them, or so I thought. They insisted they had to call me back to proof my identity, but to my surprise they would call from a number that has a very mixed score in the telephone number feedback system. That number would also not be published on their website, so it goes without saying that I did not want to go along with it, especially as it seemed eerily similar to what fraudsters do. The bottom line is that the customer experience was heavily impacted, and to make things worse… on a false positive signal.
Prevent fraud, but don’t destroy customer experience
If you want to be secure and prevent fraud you need to ‘drink your own champagne’ (apparently it’s better than ‘eating your own dog food’). Use proofing methods that you would be happy to go through yourself and don’t leave anything to chance or guesswork. Your customer has every right to the same scrutiny when verifying you as you have when verifying the customer. Nothing in security is 100%, so find a ‘good enough’ solution that provides an excellent customer experience. Listen to the feedback from your customers and take a look around at what others do. I would love to see more enterprises using self-service, automated proofing, and I think we are on a good path.