Every day, millions of people go online and use government services. They need to renew licenses, apply for assistance, pay taxes, or use any of the hundreds of services governments provide. Citizen-facing portals create a huge challenge for state and local CIOs: how do states accurately assess identities for everyone while protecting programs from identity fraud and abuse?
Right now, the United States has a patchwork identity verification infrastructure across federal, state, and local entities. It isn’t working. Bad actors have access to Americans’ personally identifiable information (PII) and use sophisticated methods to attack government programs. During the pandemic, relief programs like the Paycheck Protection Program lost billions to fraud. Meanwhile, many legitimate applicants are left frustrated when they can’t verify their identity automatically. CNBC reported that three years after the pandemic, applicants for unemployment benefits still suffer from significant delays. Offering a secure and accessible identity verification solution can go a long way toward meeting citizens where they are.
Government Technology hosted a 30-minute webinar with leaders in the industry to help advise government agencies on identity verification. Socure also released a new Digital Identity Playbook to help state CIOs, CTOs and CISOs identify their issues with digital identity and the steps they can take to fix them.
The speakers for the event were:
- Deborah Snyder (Moderator) — Senior Fellow, Center for Digital Government
- Jeremy Grant — Managing Director, Technology Business Strategy, Venable
- Matthew Thompson — SVP, Public Sector at Socure
Q. What is digital identity? What are the challenges government organizations are wrestling with in terms of managing digital identities?
Matt: This is a question I’ve spent my entire civilian career trying to answer. Everyone has a different definition for what that means. Digital identity is critical infrastructure for enabling trust and choice in a modern society. We all have a digital identity; everyone has established their identity online to access some type of service, whether it’s with the government or a commercial entity. Some of us manage dozens of digital identities. At its core, digital identity relies on trustworthy approaches for verifying that the right person is accessing the right services for the right reasons at the right time.
One of the problems that we have is a lack of understanding and awareness of best practices in the space. It wasn’t a focus until the pandemic, when the government had to figure out digital identity at scale and get benefits to millions of people. At the same time, bad actors, nation states, and fraud rings were able to easily access those benefits and steal billions from taxpayers.
From there, it’s a state or agency CIO problem. When we leave it up to each agency or state, they don’t have shared best practices. You end up disadvantaging the public by forcing them to re-prove who they are with sensitive information that is siloed.
Jeremy: One way I frame the digital identity discussion is to break it down into common components. To me, it comes down to two things.
- Identity proofing – the process you go through when opening an account for the first time
- Authentication – how do I sign in the next time after I have established who I am?
I spent several years leading an Obama administration initiative called the National Strategy for Trusted Identities in Cyberspace (NSTIC). I also built up and led the digital identity team at NIST that does research and standards for digital identity. As things are evolving, it’s clear that authentication is getting easier, but identity proofing is getting harder. For passwords, we’re on the verge of a passwordless environment where consumers will have a passkey managed by their device or software. But for identity proofing, the systems we used to use aren’t working particularly well anymore.
I often talk about an old New Yorker cartoon where there are two dogs at a computer and one dog says “on the Internet, nobody knows you’re a dog.”
These days, the ability to be a dog on the internet is being actively weaponized against us. Organized criminals and hostile nation-states know how to impersonate identity. They know how to defeat many of the legacy systems we used for identity proofing, and they’re using it to steal billions of dollars. This makes it harder for Americans to get access to the benefits and services they need.
Since digital identity, as Matt said, is critical infrastructure, we need to recognize it as such and make some of the investments to solve it. We need to get past this gap between what I call “nationally recognized authoritative credentials” (passports, driver’s licenses, etc.) that work in the physical world issued by federal and state governments and the lack of anything in the digital space that you can use.
Q. I really like the idea of considering digital identity as critical infrastructure. It forces organizations to think about the topic in a more meaningful way. Are there lessons we can draw from regarding the role of digital identity?
Jeremy: The attackers have caught up. For years, we’ve hung onto the notion that if I know 5-6 things about you, it must mean I’m you. We’ve leveraged “knowledge-based verification” tools where it’s static security questions like “what is your favorite color?” or questions tied to credit reports… During the pandemic, we found this was no longer working. When the federal government approved billions in aid for temporary unemployment assistance, the criminal underground zoomed in on those programs. Some of the banks I work with in the private sector said they saw fraudulent applications go down during the pandemic because criminals thought they should focus their efforts on state governments.
The market has been a bit slow to respond. Many of the purchasers at state and federal government agencies have been slow to learn the old stuff doesn’t work… What we’re seeing tends to be single-application solutions, duplicating the work someone did at the DMV already.
There are some steps you can take immediately to harden your systems. Make sure you can get past some of these legacy tools that don’t work anymore and add tools that are more secure and easy to use.
Matt: If I can add to what Jeremy said, the fraud networks have surpassed legacy systems because they have access to broader and fresher data from ongoing data breaches.
Q. What kinds of identity fraud are you seeing in government organizations and what are some of the strategies that work in addressing it?
Matt: One thing I’ve seen is a focus on identity proofing without focusing on fraud. Our identities change over time — addresses change, names change, credit changes. There are multiple aspects of your identity that evolve over time. Fraudsters have access to that data fairly easily for low cost. They have built ways to automate and weaponize the information they have. We’re seeing that in sophisticated attacks on government programs. We need to develop a strategy where you’re doing identity proofing alongside technologies and approaches to ensure the correct person is submitting that information, not a scammer.
Fraudsters evolve their tactics and scale up those attacks. While they’ll always find new ways to attack programs, agencies need to also be evolving their techniques, tactics, and procedures… It’s also important to have a networked approach and share fraud signals across a broader network rather than a siloed agency.
Q. What are some of the approaches that get us close to what ideal digital identity looks like?
Jeremy: There are tools that are helping, but the question is are they helping stop fraud or are they creating new burdens that are preventing people from getting services and benefits they need. States correctly found fraud in the pandemic unemployment programs. However, you’d also see real stories of people who were out of work but couldn’t convince the state who they really were because the systems were imperfect. We can’t make these solutions too hard to use.
I’m more concerned with preventing attackers at scale. We saw attackers using tools to attack at scale and impersonate thousands of people. That leads to billions in losses. If I target a single identity, I’m going to have to expend more resources and work for it more. It’s not an ideal outcome, but it’s making things better.
There are newer solutions where you take a suite of tools and combine them into a full identity verification platform that can look at data, what documents you have, a picture of you, and other risk signals. With Socure, you can bring in some advanced AI and analytics that can block the people who aren’t who they say they are. A big challenge we’re seeing is usability and friction. If you’re putting somebody through a 15-minute process, how can you get that down to five minutes or 30 seconds?
Matt: Socure demonstrated what this identity verification solution could look like with one of our early use cases in government at the Florida Department of Economic Opportunity. We worked with their housing assistance fund where we were able to verify 100% of their population without the need for a human to review that information by using layered solutions. 95% of those applicants we verified in less than one second. We want to show the government what best-in-class looks like, from customer experience to program integrity.
We used passive risk-based verification methods that use data sources along with machine learning and AI to verify the identity and detect the fraud risk associated with that 95% of people. They were verified in less than a second.
We also added the step-up capability of document verification that evaluates the previous intelligence associated with the transaction. That helped the remainder of the population that was applying for the housing assistance funds. While that wasn’t in less than a second, it took less than three minutes.
Socure is the leading platform for digital identity verification and trust. Its predictive analytics platform applies artificial intelligence and machine learning techniques with trusted online/offline data intelligence from email, phone, address, IP, device, velocity, and the broader internet to verify identities in real time.