Authentication For Identity Theft Prevention

Using Trusted Third Party Identity Providers For Identity Theft Prevention

This approach uses a form of identity authentication, for people opening new accounts, that relies not only on knowledge of personal information, but on additional factors as well.  An Identity Provider that verifies a person's identity and issues credentials that can be used for multifactor authentication could provide identity authentication services for this purpose.  One potential type of Identity Provider could be a bank or other financial institution.  As banks begin to implement stronger forms of authentication for online banking services in response to the FFIEC guidance, these authentication capabilities might serve as the basis for new authentication services that could be offered to help banking customers avoid becoming victims of identity theft.

Identity Providers other than banks may emerge, and these entities may also be viable providers of the type of service proposed here. For instance, state motor vehicle agencies also verify people's identities and issue credentials based on verified identities.   Driver's licenses may eventually evolve to include capabilities that would allow them to be used as online identity authenticators.   But a bank is an obvious candidate for an Identity Provider, because banks must verify a person's identity before opening a new account, and because banks issue credentials to individuals that can be used for authentication to online banking services.

As described in Authentication for Preventing Account Takeover, banks will be implementing stronger forms of authentication, beyond reliance on passwords only, for the protection of online banking accounts. However, because authentication for online banking usually authenticates a claim of authority to access an account, and not necessarily a claim to a particular identity, these measures may not be adequate for identity theft prevention. Stronger authentication measures for online banking would need to assign different authentication credentials to different people, even if they are authorized to access the same account.  But assuming that identity authentication is possible using the same credentials that banks will be using for online banking, these banks could choose to act as Identity Providers on behalf of their customers.   

The financial services industry, in conjunction with credit-granting businesses that extend credit to individuals, could choose to offer identity theft prevention services to customers of participating banks, as well as authentication services to credit grantors for verifying the identities of new account applicants.  Such services could leverage a participating bank’s strong authentication capabilities already in use for online banking.  Customers of participating banks could be invited to register for this service.  If the customer chooses to register, anyone henceforth claiming that customer’s identity when opening a new credit account would be subject to an identity authentication procedure, provided that the credit grantor also seeks the services of the bank or other Identity Provider to authenticate the identities of new account applicants.  Part of the infrastructure required to support this approach would be a way to identify and locate a trusted IdP that has verified and issued credentials to the person whose identity is being used to open the new credit account.

How The Service Could Work

In the case of new account applications being made online, the service might work as follows:
  1. A person initially registers with an Identity Provider, who verifies the person's identity and Social Security Number, and issues that person credentials that can subsequently be used for multifactor identity authentication in an online environment.
     
  2. Someone wishing to open a new credit account with some merchant or other credit grantor provides identity information (Name, SSN, birthdate, etc.) at the merchant/creditor’s website as part of the new account enrollment process.

  3. If the information provided identifies a person who has been issued credentials by some Identity Provider, and that Identity Provider is trusted by the merchant or credit grantor, the applicant will be redirected (at some point during the account opening process) to a secure webpage associated with the Identity Provider.   The applicant will be requested to present the appropriate identity credentials so that his/her identity may be authenticated using multifactor authentication.  [The details for how this would happen are not important here.]

       -  If the Identity Provider is a bank, the authentication procedure may be the same multifactor authentication procedure that the bank uses for online banking services at the bank where that person is registered.


  4. The result of the authentication procedure will be provided to the merchant/creditor in the form of an identity-related assertion message from the Identity Provider.

  5. If the authentication fails, the merchant/creditor will assume that the credit application is fraudulent and will not open an account.  If the authentication is successful, the merchant/creditor then proceeds to verify that the applicant, whose identity has now been verified, is credit-worthy by checking the applicant’s credit report.

  6. If the applicant is credit-worthy, a new account is opened.

If the applicant is applying for a new account in person, it is possible that the identity authentication procedure cannot be completed immediately, unless the applicant possesses some form of authentication token that can be used during the in-person application process.  Otherwise, authentication would need to be delayed until the applicant is able to complete the authentication process at a later time.
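
The online flow in steps 1-6 above, sketched from the merchant's side as an added example (not code from the original article). The HMAC key shared between Identity Provider and merchant stands in for whatever signed assertion format a real deployment would use, and every name, key, message field and the directory lookup is an assumption made for illustration.

```python
import hashlib, hmac, json, secrets

# Constructed sample data; all names, keys and the message layout are assumptions.
DIRECTORY_KEY = b"demo-directory-key"
IDP_KEYS = {"example-bank": b"demo-key-shared-with-merchant"}  # IdPs the merchant trusts

def lookup_key(ssn):
    # Keyed hash so the IdP directory never stores raw SSNs.
    return hmac.new(DIRECTORY_KEY, ssn.encode(), hashlib.sha256).hexdigest()

DIRECTORY = {lookup_key("000-12-3456"): "example-bank"}  # step 1: registration

def idp_assert(idp, subject, nonce, mfa_ok):
    """IdP side (steps 3-4): report the multifactor result, bound to this request."""
    body = json.dumps({"idp": idp, "sub": subject, "nonce": nonce,
                       "authenticated": mfa_ok}, sort_keys=True)
    tag = hmac.new(IDP_KEYS[idp], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def merchant_decide(ssn, get_assertion, credit_ok):
    """Merchant side (steps 2-6). get_assertion(idp, subject, nonce) models the redirect."""
    subject = lookup_key(ssn)
    idp = DIRECTORY.get(subject)
    if idp is None or idp not in IDP_KEYS:
        return "no-trusted-idp"      # the article does not define this case
    nonce = secrets.token_hex(16)    # fresh per application, so old assertions fail
    msg = get_assertion(idp, subject, nonce)
    expected = hmac.new(IDP_KEYS[idp], msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return "reject"              # forged or altered assertion
    claims = json.loads(msg["body"])
    if (claims["idp"], claims["sub"], claims["nonce"]) != (idp, subject, nonce):
        return "reject"              # assertion issued for another person or request
    if claims["authenticated"] is not True:
        return "reject"              # step 5: treat the application as fraudulent
    return "open-account" if credit_ok else "decline-credit"  # steps 5-6
```

The credit check runs only after the assertion has been verified and matched to this application, which is the ordering step 5 describes.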

This proposal for identity theft prevention using strong authentication is based on work I did that was published in the Winter 2004 edition of Journal of Economic Crime Management, in an article entitled Preventing Identity Theft Using Trusted Authenticators.

We also made a similar proposal within the context of a 2-day workshop sponsored by the Federal Trade Commission on April 23-24, 2007 to explore the role of authentication processes in preventing identity theft.