Moving identity proofing online
Alternatives to face-to-face checks can save money, offer user convenience and deliver identity on a global scale
25 February, 2014
category: Corporate, Digital ID, Government, Health
The ability to enroll an individual online – and then issue a credential with some level of assurance behind it – is becoming increasingly crucial in the modern Internet economy. Financial institutions have been doing this for years, enabling customers to open lines of credit online. Enterprises are beginning to use the solutions to issue credentials to employees who require access to web-based systems.
The Affordable Care Act – less affectionately known as Obamacare – is providing a major impetus for states to step up online identity vetting. In the past, Medicaid recipients would have to fill out paper forms, interview with a social service agent and then await notification of eligibility.
The Affordable Care Act is going to see citizen participation in Medicaid programs grow, as it may be the only option for many. States want to streamline the enrollment process and many are investigating online identity vetting.
Enterprises are also routinely turning to online identity vetting for business partners, contractors and even remote employees. The time and money these systems save are great for the enterprise and the individual receiving the credential.
Online identity vetting is not without issues, however. A large component of these systems uses knowledge-based authentication, asking questions such as the name of the bank holding your car loan, the address you lived at in 1996 or the square footage of your current house.
This method has come under fire recently as several providers of these online identity vetting services have been hacked. LexisNexis, Experian and others have been breached, bringing to the public consciousness the idea that this secret information is not so secret. The reality is that much of it wasn’t secret to begin with as it can be readily mined from social networking or other online sites.
Providers are quick to point out that knowledge-based questions are just one aspect of identity vetting services. There are many other tools that should be leveraged in a multi-layered proofing process.
Health care may be the largest market that is looking to streamline identity vetting in the wake of the Affordable Care Act. The Commonwealth of Virginia launched the Commonwealth Authentication System that is proofing resident identities using information from its Department of Motor Vehicles databases.
The system went live Oct. 1, and instead of having to fill out paper forms and wait for a response from the Department of Medical Assistance Services, everything can now be done online. The commonwealth is expecting to save significant resources by conducting online identity checks versus in-person interviews.
Virginia isn’t alone. One of the latest pilot award recipients from the National Strategy for Trusted Identities in Cyberspace is setting up a system to accurately identify residents applying for benefits online. The Michigan Department of Human Services pilot is working to end the manual review of applications, giving clients a fast and accurate way to prove their identity in an automated way.
SAFE-BioPharma hits 60% with online proofing solution
More than two years ago, SAFE-BioPharma was looking for a quick and secure way to get credentials to members, says Gary Secrest, chief technology officer at the organization. This led the group to go to the Federal Public Key Infrastructure Management Authority who pitched online identity proofing.
The group was successful and now offers online identity proofing to members in the U.S. SAFE-BioPharma was established by the biopharmaceutical industry to help speed the transformation to an electronic environment by providing standardized digital identity and signature standards. SAFE is also one of four organizations cross certified with the federal PKI Bridge.
In order for a SAFE member employee to receive a credential, they first must be invited via email, Secrest says. The employee then clicks on the link that takes them to the registration site. From there, they fill out initial demographic data, name, Social Security number, date of birth, etc.
That information is sent to the identity vetting service, which brings up five knowledge-based authentication questions that the individual must answer within two minutes, Secrest explains. If the individual answers one of the five questions incorrectly, they are taken to another service, which asks another five questions that again must be answered in two minutes.
If all the questions are answered correctly, they are considered to have proven their identity and the process to issue a credential begins. If they don’t answer the questions correctly – and 40% do not – then they are required to present documents to a notary for verification and go through a paper-based verification process, he says.
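The flow Secrest describes can be written down as a small decision routine. The sketch below is an added example, not SAFE-BioPharma's or any vendor's code; all names are hypothetical. It assumes that the two-minute limit is measured on the server clock, that a late or incomplete submission counts as a failed round, and that more than one miss in the first round sends the applicant to the notary (the article does not say).

```python
from dataclasses import dataclass
from enum import Enum

QUESTIONS_PER_ROUND = 5    # "five knowledge-based authentication questions"
TIME_LIMIT_SECONDS = 120   # "within two minutes"

class Outcome(Enum):
    PROOFED = "begin credential issuance"
    SECOND_ROUND = "hand off to second question service"
    NOTARY = "fall back to notary and paper process"

@dataclass
class Round:
    issued_at: float     # server time when the questions were shown
    submitted_at: float  # server time when the answers arrived
    expected: list       # correct choice for each question
    given: list          # applicant's choice for each question

def wrong_answers(r: Round) -> int:
    """Count misses; a late or incomplete submission counts as all wrong."""
    late = (r.submitted_at - r.issued_at) > TIME_LIMIT_SECONDS
    complete = len(r.given) == len(r.expected) == QUESTIONS_PER_ROUND
    if late or not complete:
        return QUESTIONS_PER_ROUND
    return sum(1 for e, g in zip(r.expected, r.given) if e != g)

def decide(rounds: list) -> Outcome:
    """Clean first round passes; exactly one miss earns a second round."""
    if not rounds:
        raise ValueError("at least one completed round is required")
    first = wrong_answers(rounds[0])
    if first == 0:
        return Outcome.PROOFED
    if first > 1:  # assumption: the article only covers the one-miss case
        return Outcome.NOTARY
    if len(rounds) < 2:
        return Outcome.SECOND_ROUND
    return Outcome.PROOFED if wrong_answers(rounds[1]) == 0 else Outcome.NOTARY

# Constructed sample sessions (times in seconds, choices as letters).
KEY = list("ABCDE")
CLEAN = Round(0, 90, KEY, list("ABCDE"))
ONE_MISS = Round(0, 100, KEY, list("ABCDA"))
TWO_MISSES = Round(0, 100, KEY, list("ABCAA"))
LATE = Round(0, 121, KEY, list("ABCDE"))  # right answers, one second late

if __name__ == "__main__":
    for name, s in [("clean", [CLEAN]), ("retry ok", [ONE_MISS, CLEAN]),
                    ("late retry", [ONE_MISS, LATE]), ("two misses", [TWO_MISSES])]:
        print(f"{name:11s} -> {decide(s).value}")
```

Taking both timestamps from the server keeps a client from stretching the two-minute window, which is the one control in this flow that limits time spent looking answers up.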
SAFE realizes that a 60% pass rate for online verification isn’t ideal. “We want to get it higher,” Secrest admits. “Some of the questions are structured in a way that people have trouble understanding or answering.”
Also, some answers can be overly exact, posing a problem. “For example, a question might be what’s the square footage of your house and sometimes the multiple choice answers are too close together,” Secrest says.
SAFE is working with the providers to address these issues. “It’s not perfect but on the other side of the coin, the people who do pass think it’s the greatest thing ever,” Secrest says. “Six minutes and you can be credentialed.”
The five-questions-in-two-minutes rule was put in place to help gain approval for the process from the Federal PKI Management Authority to issue a level of assurance three credential, Secrest says.
There was some back and forth with the feds before online identity vetting was approved, he explains. Level three is as far as it goes for now and it’s unlikely that an online-only process will be used to issue a level four credential. “You need person to person, but could it be done over a secure video link?” Secrest asks. “There could be different processes put in place that would be the equivalent of face to face.”