How government can build secure and frictionless digital identity programs
States that lost millions to fraud during the pandemic have plenty of ways to tighten their ID management programs, a new playbook suggests.
Pandemic-era unemployment insurance fraud highlighted the need for states to better manage applicants’ digital identities, and a new playbook outlines a series of best practices state and local government IT leaders can follow to establish digital identity management programs.
The playbook, developed by identity management company Socure, describes how agencies can be sure digital identity management initiatives are both secure but frictionless, meaning that users’ identities are properly protected but are easy for them to access, especially across different departments, using single sign-on.
It recommends governments get users’ consent before collecting any data and explain why and how agencies will be using it. Identity management programs must also provide agencies with constant visibility into who is accessing systems and how risky their activity is.
Socure calls on digital identity program managers to have a real-time fraud response when a digital identity might be under attack. Also essential are performance-based metrics that show how effective the system is at letting through legitimate users while keeping out bad actors.
To ensure equitable verification and access, the company advises identities be verified using data that is as inclusive as possible. That could mean being mindful of those who do not possess photo identification or those without a credit history, as the latter unfairly excludes people who are unbanked, underbanked or have never used credit cards.
While it is early days, several states are moving toward broad digital identification programs. Governments must think of digital identity management as a “horizontal capability,” rather than try and solve it in each individual agency, said Matt Thompson, senior vice president and general manager for public sector solutions at Socure.
“Stop trying to build digital identity in silos is the macro point,” he said. “There's either not the … resources at every agency to get it right [or] to know what right looks like.”
Once governments have users signed up, they can engage in “progressive profiling” to gradually collect more information about those users, the playbook recommends. As users engage with websites or applications, they build a robust profile and establish behavioral patterns for risk and fraud that agencies can use to help verify identity.
The playbook also calls for governments to use a variety of authentication methods and effectively manage user profiles on the back end, tracking the complete life cycle of an identity record, which is crucial to identifying potential fraud.
And it urges governments to integrate customer service across multiple channels, including online, in person and by phone to minimize friction. Greater transparency will help users understand what personal information they are sharing and for what purpose.
Other sectors, like the financial services industry, that have more experience with digital identification can provide insights on effective identity management, the playbook states.
“Government has a tendency to look at what other governments are doing,” Thompson said. “What we're encouraging them to do is talk to references outside of government … for best practices.”
The playbook also urges governments to embrace emerging technology like artificial intelligence to help detect fraudulent claims. AI or machine learning can help detect anomalies or behavioral patterns that could indicate compromised identities or fraud risks.
Because people’s identities do not stay “static” throughout their lives, but evolve with changes in life events, Thompson said, AI can help track current contact details, last names or even Social Security numbers in rare instances.
As fraudsters continue to find new ways to attack systems, whether it be through advances in synthetic fraud, or through methods that look to outwit the facial identification software that has been increasingly embraced by governments, Thompson said “if you're using outdated approaches, you're going to get beat by the new, more sophisticated ones.”
Better identity management is “critical infrastructure for restoring trust in American society,” Thompson said. It will be crucial for states to learn from the authentication mistakes made during the pandemic and put those lessons into practice, especially when future crises hit. “Fraud shouldn’t be the price of doing business in government,” he added.