Building credibility: Establishing online identity without sacrificing convenience

ibm.com/bcs Executive technology report
May 2006

Executive summary

Shifting from familiar, paper-based approaches to identity verification can save money, but it takes creative, well thought out approaches to do it safely. By combining traditional online approaches that are familiar from e-commerce with rigorous cross-checking capabilities, an IBM team has created a successful pilot program for a European government agency. The work provided insight into the real world requirements and may provide a model for future electronic identity opportunities.

In this Executive Technology Report, Peter Andrews interviews Paul Scott, a Consultant in IBM Global Business Services, aligned to the Communications (Customer Relationship Management) area. Paul has spent the last five years working on large systems implementations, mainly in the telecommunications industry. In that time, he has also been involved in a fair range of cross-industry projects.

Peter Andrews: Paul, could you tell me a bit about what you and your team have been up to in the area of identity?

Paul Scott: Earlier this year, I worked on an engagement with a team here delivering an electronic channel for a European government agency. One of the key challenges facing them in their move to the electronic channel was online identification of their customer base, as all the current processes rely on paper and document based checks. The migration to the electronic channel is being driven by a cost of service reduction and a customer experience agenda, so there is a strong need to ensure that the channel provides the easiest process possible.

The particular problem facing the agency is an interesting one, as it applies to most government agencies. They have a pool of customers who are essentially anonymous to them when they first use an online channel. Some of these customers will not have had contact with the agency for years (average time between transactions is more than 5 years, in many cases).

The electronic channel needed a solution which could take any individual who was applying, and somehow confirm that the individual exists (validation) and that the person entering those details actually was that individual (verification). Using a combination of commercial state-of-the-art offerings from a credit bureau service and a series of process based controls, a solution was created which will offer the necessary level of authentication, while allowing the individual to follow a light-touch online process. ([Light-touch] means that the individual can enter details which they know without having to find documents, etc., and can complete the transaction without having to mail in any additional documentation.)

Peter Andrews: Was this problem essentially the same as what a new e-commerce site would face?

Paul Scott: The problem is a little different to a new e-commerce site, due to the implications of the transaction. An interesting way to consider the identification process is in terms of the risk it is mitigating. We met with a number of banks to understand their processes around identification. For a transaction such as opening an account online, the bank assesses the risk level and offers a reduced product set as appropriate. Therefore, they balance the level of authentication against the risk to which they expose themselves.

Peter Andrews: Could you provide a couple of examples of this, and then move to your situation?

Paul Scott: If an individual applies online for a bank account, his or her details will be checked with a reference agency. If a low score is returned (based on a threshold) the bank will only offer them a reduced credit limit, then monitor the use of the account. In this way, they mitigate the risk.

The documentation issued by the agency is considered a form of proof of identity by many parties, and the purpose of the electronic channel is to issue these documents. Given this, there is no risk mitigation possible in terms of limiting the transactions on offer, as all online transactions issue an entitlement document. Therefore, a higher bar of authentication was required in order to verify integrity of the issuing process.

Peter Andrews: Essentially, you are providing a document with more value than just the agency's own processes to a stranger, right?

Paul Scott: Yes, that is it. Although officially the document is not ID, in practice, most institutions accept it as such.

Peter Andrews: Has anyone solved a problem like this before?

Paul Scott: As far as we could discover, not in a single stage, online process. Most of the applications we found were using electronic authentication as an additional check alongside additional paper processes.

Peter Andrews: Aha.

Paul Scott: Not having an additional paper channel means that the electronic authentication must stand up on its own, without the fallback to document based checks. Also, we found that a lot of the initiatives underway to implement better identity checking tended to assume that some form of physical token would be issued to people to allow electronic authentication. For our application, given that the paper channel is easy for customers, and will be supported for an indefinite period, we needed to make the electronic channel easier than paper to drive [adoption]. Therefore issuing tokens was never really practical (and would have been prohibitively costly).

Peter Andrews: The paper channel is easy for customers?

Paul Scott: The current one is, yes. For example, to get a replacement document at a new address I would have to write my new address on my current document and mail it in. That's it. However, a fully paper channel is very costly to operate, as every application has to be manually processed.

Peter Andrews: OK, so the expectation is high that you will have a quick and easy application online, even though you are not providing paper documentation. The customers don't intuitively see that they are putting a much higher demand on you, right?

Paul Scott: Exactly. The one area the online channel does win in ease of use is that it is much quicker to issue documents. (Potentially, an individual could have a new document within 48 hours.) Certainly something we found is that there is no single solution to this yet. The whole area of online identification is one that is moving forward quickly, but there is not a stable solution yet.

Peter Andrews: So what did you come up with? What was standard and what was novel?

Paul Scott: The solution used is based upon the principle of authentication by checking data held by third-party providers. The customer enters the applicable personal details, and these are checked against third parties. Based on the results returned, a level of authentication is determined. [This part was standard.]

What we did find is that the standard authentication offerings needed quite a bit of thought as to how they could work for a government organization, to fit them to the different requirement, as we discussed. [This part was novel.] Additionally, a key understanding we gained is that authentication of this nature is not just a box at the start of your process, but has implications and considerations throughout your processes and transactions.

Peter Andrews: So you depend on accessing data that both can be definitively connected to the customer who is online and has something like a paper document already associated with it?

Paul Scott: For something like a paper document, we rather think of it as data of a certain provenance. So biographical information (name/address) from financial organizations (such as banks), we consider to be primary data, as they have a strong security checking process in place on that data (due to antifraud regulations). Data from, for example, utility companies, we consider to be secondary data, as these sources typically have very limited security as part of their account checking processes.

Peter Andrews: And when you put several of these together, it builds confidence?

Paul Scott: Exactly.

Peter Andrews: It must be a challenge to get access to these, and to get to some of the associated data.

Paul Scott: To further strengthen the solution, it is intended to also bring online additional government data sources to provide a higher level of confidence but, [it's] exactly as you say, the problem is in getting access to the data. For the third-party providers, we used a broker agency (bureau), who manages the data. We send them the details we have, which they check against their stored data, and all they return to us (in essence) is a pass/fail result.

Peter Andrews: With banks, as I understand it, the confidence in identity is a dynamic thing. They are on the lookout for identity theft and for customers who turn sour. Was this solution also like this?

Paul Scott: Only partially. Identity theft is the key issue here. The agency's customers don't turn sour in the sense a banking customer does, although preventing individuals from registering with a fake name if they are not eligible is covered by the identity theft agenda. People's credit worthiness, for example, is of no relevance to authentication for the agency's purposes.

Peter Andrews: I was thinking of people who just barely meet your criteria for a document. Wherever you draw the line, isn't it likely that a percentage will be able to get passed illegitimately?

Paul Scott: With any authentication process (online/paper/interview-based), someone could potentially get around the rules. Authentication (and security in general) is all about putting in place appropriate measures to verify that the risk of compromise to your process is met with an appropriate level of control.

How to design the thresholds for the solution is a very difficult question. We used all the available information on pass rates and fraud levels that the third-party data provider we were using could give us, combined with the expert knowledge of the existing issuing procedures in the agency. We then took a cautious initial standpoint, and will look to fine tune the solution over time. Additionally, behind the online channel, all the existing security processes in the agency will still operate. Therefore, the online channel in many ways provides additional security to the process, by leveraging routine realtime checking of multiple third-party data providers.

Peter Andrews: Right. It should be fairly easy to model A) no higher number getting through, but I can't imagine how you would model B) no worse characters getting through. Any guidance on this?

Paul Scott: There is a lot of experience in the financial services industry involving catching fraud (such as impersonation). This is also under high scrutiny, currently due to terrorism-related money laundering and the like. The approach we employed was to take the best practice commercially available solution, develop a detailed understanding of how it functions in our domain, and then add additional processes based on the current security processes in order to provide a balanced security solution.

Peter Andrews: Is this solution being implemented yet?

Paul Scott: It is currently in limited general public pilot, with full availability later in

Peter Andrews: What are your criteria for success and how are you measuring them?

Paul Scott: The key criteria are:

- Pass rate
- Level of fraud identified through operational measures for the electronic channel against the paper channel.

In terms of measurement, there are a series of additional processes run inside the agency to help ensure compliance, and our measurement will leverage these.

Peter Andrews: Can you share any of these?

Paul Scott: I am afraid not. The majority of the tracking measures are protected by their nature, but they are very comprehensive!

Peter Andrews: Any final thoughts?

Paul Scott: I would say the key considerations when working in this area are:

- Understand the tool set on offer to you (third party, internal and external processes)
- Understand the nature of the risk you are mitigating
- Create a solution to balance the goals of the approach with the risks under management
- Work on an ongoing basis to track success and tune your solution.

This is not a build once area, but more of a continual evolution.

About this publication

Executive Technology Report is a monthly publication intended as a heads-up on emerging technologies and business ideas. All the technological initiatives covered in Executive Technology Report have been extensively analyzed using a proprietary IBM methodology. This involves not only rating the technologies based on their functions and maturity, but also doing quantitative analysis of the social, user and business factors that are just as important to its ultimate adoption. From these data, the timing and importance of emerging technologies are determined. Barriers to adoption and hidden value are often revealed, and what is learned is viewed within the context of five technical themes that are driving change:

- Knowledge Management: Capturing a company's collective expertise wherever it resides (databases, on paper, in people's minds) and distributing it to where it can yield big payoffs
- Pervasive Computing: Combining communications technologies and an array of computing devices (including PDAs, laptops, pagers and servers) to allow users continual access to the data, communications and information services
- Realtime: "A sense of ultracompressed time and foreshortened horizons, [a result of technology] compressing to zero the time it takes to get and use information, to learn, to make decisions, to initiate action, to deploy resources, to innovate" (Regis McKenna, Real Time, Harvard Business School Publishing, 1997.)
- Ease-of-Use: Using user-centric design to make the experience with IT intuitive, less painful and possibly fun
- Deep Computing: Using unprecedented processing power, advanced software and sophisticated algorithms to solve problems and derive knowledge from vast amounts of data

This analysis is used to form the explanations, projections and discussions in each Executive Technology Report issue so that you not only find out what technologies are emerging, but how and why they'll make a difference to your business. If you would like to explore how IBM can help you take advantage of these new concepts and ideas, please contact us at insights@us.ibm.com. To browse through other resources for business executives, please visit ibm.com/services

Executive Technology Report is written by Peter Andrews, Consulting Faculty, IBM Executive Business Institute, and is published as a service of IBM Corporation. Visit ibm.com/ibm/palisades

Copyright IBM Corporation. All rights reserved. IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.