When I recently applied for a new credit card, the issuing bank sent me a letter to verify my identity first. The options were to either visit one of their branches to show my ID, mail in a copy of my ID, or provide a recent utility statement. Not wanting to take time out of my day to visit a local office and cautious of the risk of sending a copy of my ID via mail, I decided to send in a recent utility bill. Unfortunately, this only brought me to the next roadblock – I recently moved and had no bills with my new address yet.
While this anecdote – and countless similar ones – underline the nuisance of life without a strong digital identity, other consequences are much more serious. For instance, right now, criminals are using stolen PII (personally identifiable information) to steal millions from state unemployment agencies who are trying to quickly provide pandemic assistance to their citizens.
The lack of a comprehensive digital infrastructure is not new and has long predated COVID. But the pandemic has now added the risk of contagion to the hassle of in-person identity verification, while remote identity proofing options remain limited. For instance, over half of North American banks still mandate an in-person visit to open a new account.
As the Better Identity Coalition points out, the systems for verifying and protecting our identities online are outdated and broken. Our identity documents still live in the physical world, while the traditional method to prove our identities online – knowledge-based verification – is subject to so many breaches it’s hard to even keep track of them. While trying to prove your identity online, you may be stumped by questions like which car you drove in 2012, where you lived in 2008, or the last four digits of your social security number. Criminals may have your PII at the ready though, and do not hesitate to use it.
However, change may be on the horizon.
The recent bi-partisan “Improving Digital Identity Act of 2020” has three promising elements that could improve the identity status quo.
1. A task force to bring together all levels of government to develop secure methods for government agencies to validate identity attributes
The bill rightly acknowledges that the government is uniquely positioned to “fix” our digital identity infrastructure. Starting with our birth certificates and continuing throughout the rest of our lives, it’s the government that acts as an authoritative issuer of our identity information.
The challenge, however, is that this information sits at different levels of government. Social security cards and passports are issued and administered at the federal level, while driver’s licenses and other commonly used identity documents are issued by the states. On top of that, there’s no easy way to access these various government sources online or allow third parties to do so on your behalf.
So, the challenge is really to develop a government-wide approach to digital identity. The bill’s proposed task force will empower federal, state, and local governments to work together to find ways for reliable, interoperable digital identity verification.
The Social Security Administration (SSA) is already leading the way here. Through their forthcoming eCBSV API service, SSA will allow financial institutions to verify if an individual’s social security number, name, and date of birth combination matches Social Security records.
eCBSV is a significant step in the fight against synthetic identity fraud but did require a legislative change through the “Growth, Regulatory Relief, and Consumer Protection Act’’. The proposed task force can help identify additional barriers (including legislative ones) to opening more government data sources and analyze the consequences of doing so.
It is clear that getting more government agencies to establish consent-based identity data validation APIs – such as eCBSV – would be a major improvement for digital identity. A prospect we already got very excited about when we reviewed the updated Federal Identity, Credential, and Access Management policy last year.
2. A new framework of standards to guide government agencies
The bill also puts the government (NIST) in charge of developing the framework – the “how” – of providing these digital identity verification services. Having NIST (and not the private sector) provide the framework promotes a focus on privacy, security, and equity – for instance by ensuring inclusion for the underbanked or less digitally savvy.
And when the government sets the framework and “unlocks” their authoritative data, the private sector can then do what they do best: innovate, cut costs, and reduce user friction for identity proofing and authentication.
3. Digital Identity innovation grants
Finally – the power of the purse. The federal government will provide grants to state governments to upgrade their driver’s licenses and other identity issuing systems to participate in these new and government-wide digital identity verification systems. Given that our most common identity documents (driver’s licenses, ID cards) are issued at the state level, providing money to upgrade systems at the state level is the right approach.
The “Improving Digital Identity Act of 2020” is spot on by firmly putting the government in charge of improving our digital identity infrastructure. My credit card application would have been handled a lot faster and safer if I could have allowed my state government to vouch for my identity online. And far less unemployment insurance money would be paid out to criminals if identities could be verified in real-time. The proposed legislation marks an important and exciting step in “fixing” digital identity in the US.
1 thought on “Three ways the Digital Identity Legislation can improve the identity status quo”
Pingback: Presentation Attacks: From Mission Impossible to The New Normal