
Using Trusted Third Party Identity Providers


A trusted third party "identity provider" could help prevent identity thieves from establishing new credit accounts using someone else's identity information by verifying that a person applying for such an account is truly who he/she claims to be.  This trusted identity provider could also help to prevent identity thieves from making unauthorized changes to beneficiary names, addresses, and other personal information associated with various government services such as Social Security, Internal Revenue, etc.   

This trusted identity provider would issue electronic credentials to people whose identities it can verify using a variety of physical documents as well as possibly knowledge-based authentication. This identity provider could then be invoked by "relying parties" such as credit grantors or government agencies, to authenticate, using multifactor authentication, anyone who claims the identity of someone who has previously been verified in this way.

Although any number of entities could take on the role of a trusted identity provider, the most likely candidates may be banks or other financial institutions, or perhaps state motor vehicle bureaus. 
As banks begin to implement stronger forms of authentication for online banking services in response to the FFIEC guidance, these authentication capabilities might be able to serve as the basis for new authentication services that could be offered to help banking customers avoid becoming victims of identity theft.  Customers of participating banks could be invited to register for this service.  If the customer chooses to register, anyone henceforth claiming that person's identity when opening a new credit account would be subject to an identity authentication procedure, provided that the credit grantor seeks to rely on participating banks or other identity providers to authenticate the identities of new account applicants.

How A Third Party Identity Provider Could Prevent Identity Theft


In the case of new account applications being made online, the service might work as follows:
  1. A person initially registers with an identity provider, who verifies the person's identity using documentation and possibly other knowledge-based authentication, and issues that person credentials that can subsequently be used for multifactor identity authentication in an online environment.
     
  2. Someone wishing to open a new credit account with some merchant or other credit grantor provides identity information (Name, SSN, birthdate, etc.) at the merchant/creditor’s website as part of the new account enrollment process.

  3. If the information provided identifies a person who has been issued credentials by some identity provider, and that identity provider is trusted by the merchant or credit grantor, the applicant will be redirected (at some point during the account opening process) to a secure webpage associated with the identity provider.   The applicant will be requested to present the appropriate identity credentials so that his/her identity may be authenticated using multifactor authentication.  [The details for how this would happen are not important here.]

  4. The result of the authentication procedure will be provided to the merchant/creditor in the form of an identity-related assertion message from the Identity Provider.

  5. If the authentication fails, the merchant/creditor will assume that the credit application is fraudulent and will not open an account.  If the authentication is successful, the merchant/creditor then proceeds to verify that the applicant, whose identity has now been verified, is credit-worthy by checking the applicant’s credit report.

  6. If the applicant is credit-worthy, a new account is opened.

If the applicant is applying for a new account in person, it is possible that the identity authentication procedure cannot be completed immediately, unless the applicant possesses some form of authentication token that can be used during the in-person application process.  Otherwise, authentication would need to be delayed until the applicant is able to complete the authentication process at a later time.
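
The online flow in steps 3 to 5 above, seen from the relying party's side, as an added example that is not part of the original proposal: the merchant/creditor accepts the identity provider's assertion only if it comes from a trusted provider, is intact, is addressed to this creditor, is unexpired, and is bound to this particular application. All names, fields and keys are hypothetical, and HMAC stands in for whatever signature scheme a real identity provider would use.

```python
import hashlib, hmac, json

# Assumptions (not from the page): names, fields and keys are hypothetical.
# HMAC stands in for the identity provider's signature on the assertion.
TRUSTED_IDPS = {"idp.bank.example": b"constructed-demo-key"}
RELYING_PARTY = "creditor.example"

def sign(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_assertion(key, issuer, subject, nonce, authenticated, now):
    """Identity provider (step 4): report the multifactor authentication result."""
    claims = {"iss": issuer, "aud": RELYING_PARTY, "sub": subject,
              "nonce": nonce, "authenticated": authenticated, "exp": now + 300}
    return {"claims": claims, "sig": sign(key, claims)}

def decide(application, assertion, now):
    """Relying party (step 5): fail closed unless every check passes."""
    claims = assertion.get("claims")
    if not isinstance(claims, dict):
        return "reject: malformed assertion"
    issuer = claims.get("iss")
    key = TRUSTED_IDPS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        return "reject: untrusted identity provider"
    sig = str(assertion.get("sig", "")).encode()
    if not hmac.compare_digest(sign(key, claims).encode(), sig):
        return "reject: bad signature"
    if claims.get("aud") != RELYING_PARTY or claims.get("exp", 0) < now:
        return "reject: wrong audience or expired"
    # Bind the assertion to this application so it cannot be replayed elsewhere.
    if (claims.get("nonce"), claims.get("sub")) != (application["nonce"], application["subject"]):
        return "reject: assertion does not match application"
    if claims.get("authenticated") is not True:
        return "reject: authentication failed"
    return "proceed to credit check"

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    app = {"subject": "applicant-001", "nonce": "app-7f3a"}  # constructed application
    key = TRUSTED_IDPS["idp.bank.example"]
    good = issue_assertion(key, "idp.bank.example", "applicant-001", "app-7f3a", True, now)
    print(decide(app, good, now))
    print(decide({"subject": "applicant-001", "nonce": "app-other"}, good, now))
    forged = {"claims": dict(good["claims"], sub="victim-002"), "sig": good["sig"]}
    print(decide(app, forged, now))
```

Every rejection path leaves the account unopened, which matches step 5: a failed or unverifiable authentication is treated as a fraudulent application.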

This proposal for identity theft prevention using strong authentication is based on work I did that was published in the Winter 2004 edition of Journal of Economic Crime Management, in an article entitled Preventing Identity Theft Using Trusted Authenticators.

We also made a similar proposal within the context of a 2-day workshop sponsored by the Federal Trade Commission on April 23-24, 2007 to explore the role of authentication processes in preventing identity theft.