The recent statistics and stories on fraud and ineffective identity verification solutions in the government are sobering—in 2021, the U.S. Secret Service estimated pandemic relief fund losses at a staggering $100B1, many veterans have been locked out of Veterans Administration (VA) benefits because they can’t validate their identities2, the IRS is shifting course and revamping its identity verification processes after an expensive and ineffective effort using facial recognition3, and Oregon, California, and other states claim they were misled about the use of facial recognition as a tool for identity verification for their unemployment agencies4.
The common thread among these stories, and many more like them, is that the solutions being applied to these situations are fundamentally wrong in their approach. Using manual reviews, document-centric approaches, knowledge-based authentication (KBA), and an over-reliance on credit data, many federal and state government agencies have unfortunately discovered that these solutions are all imprecise and unreliable. Furthermore, they result in bad outcomes by delaying needed services to the public across a wide range of programs and social needs.
To be clear, none of this is happening because of malicious intent or malfeasance on the part of program administrators. There are all kinds of technology solutions, each equipped to solve certain problems. At issue in these cases, and what is lurking as an ongoing threat to government agencies seeking speed and accuracy in their pursuit of serving valid users, is the fact that limited solutions with myopic approaches are being used to solve problems that are highly complex and require adaptation with the same velocity of evolving fraud attacks. In short, these solutions are incapable of handling the issues they face. And what’s more, when put to the task of solving these problems in a live environment, they end up exacerbating the situation by failing to catch fraudulent activity while incorrectly assessing and validating legitimate users.
Scalable Identity Verification: Human Review vs. Automated Solutions
Identity verification and fraud assessment require precision, at a scale and speed that humans cannot provide. Reliance on manual review and a limited pool of data prevent organizations like the IRS and the VA from scaling and moving fast as they adapt to deliver on their stated missions. The IRS, as an example, processed more than 240 million tax returns in 2020, collected almost $3.5 trillion, and issued $736 billion in refunds5 — all with the help of automation. Without automation in the identity verification process, and the machine learning (ML) that powers automation, the IRS and other federal agencies would never be able to achieve their mandates.
Automation is not simply a matter of technology innovation. Automation can be used to make almost any process go faster. However, when processes are complex and the stakes are high (as is the case with delivering benefits and services to citizens with pressing financial needs), automation must do what point solutions cannot – continuously adapt and deliver as needed to be able to meet changing scenarios, all without introducing more friction into processes.
Behind the automated, graph-centric approach to identity verification used in Socure’s Sigma Identity Fraud, KYC/CIP, and Predictive DocV solutions are an identity graph and ML models that combine more than 17,000 features, 8 billion rows of data, redundant data sources, patented identity resolution technology, and a continuous feedback loop of known outcomes from a consortium network of over 1,800 customers.
It’s simply not possible for humans to analyze and correlate the full spectrum of available data points that can be used to inform identity verification decisions. And it’s not enough to leave the process up to rules-based solutions that don’t have the feedback data and automated ML pipelines to adapt to new fraud trends in near real time, resulting in users being rejected because of low accuracy and high false positive results.
Machine Learning & Providing Equitable Access to Services
Our data science approach has been built and refined for over a decade, and our ML models have been developed to learn behaviors and correlate continuously-growing sources of public and private data that form the most comprehensive, reliable view of a digital identity. At the heart of our approach is a simple goal that happens to closely align with what government agencies are trying to do, namely, equitably verify the largest number of real people with the highest degree of accuracy.
On January 20, 2022 the European Union Agency for Cybersecurity (ENISA) highlighted the efficacy of ML and automation in this context in Section 2.5 of their report on identity proofing:
Rapid advancements in Deep Neural Networks have not only made the automated controls faster and cheaper but, according to most service providers, also more effective than their human counterparts. Some service providers claim a False Acceptance Rate for the comparison of real user faces to their photo ID that is almost a full order of magnitude lower in favor of AI (0.3% vs 2-3% according to one of the interviewees).6
Compare what ML can accomplish in the pursuit of identity verification against what we’re seeing from most vendors today. In the cases of the solutions used by the IRS and VA, users either had to provide biometric facial recognition or they had to wait through lengthy, manual review queues. Facial recognition requires a face-to-face meeting with a human who performs a manual validation. It’s inefficient and it invites subjective factors that should have no bearing on the processes of validating an individual.
Eliminating Bias in the Identity Verification Process
Bias and other factors can come into play, all of which are eliminated when the right ML approach is put to the task of finding, correlating, and responding to relevant data. A survey of users of the Oregon Employment Department (OED) found underrepresented demographic groups found face-to-face verification challenging and impeded their ability to apply for benefits. More than 50% of Spanish language speakers cited technology as a barrier, and 30% of the demographic of those 20 years old and younger found the process to be too difficult7.
In an article in The Verge, a lawyer for the Project on Government Oversight (POGO) explained, “When a tech like facial recognition doesn’t work, which it disproportionately doesn’t for women and people of color, then there’s a human cost, and that cost is augmented when these types of backup systems fail.”
Think about all of the choreography that has to happen just to conduct a meeting – scheduling, the need for stable internet connections, technical savvy on the part of the user, and a host of other conditions that must be met just to have an opportunity to demonstrate that a person is who they say they are. Then, there’s the issue of the post-meeting follow-up which takes time for manual processes to deliver decisions. While all of this is happening, these systems are not truly addressing fraud. They’re also not taking care of the people who, in many cases, desperately require financial, health, or other high-stakes services, and who typically need it as soon as possible.
This last point — the desire and need to deliver services — is a refrain we hear repeatedly from our government customers. Efficiencies and achieving quantitative goals are core to their mission, but so too is the ability to make smoother paths for people who are trying to build something good out of situations mostly out of their control.
If you have questions or want to learn how Socure can help you optimize your identity verification program, please contact us today.
- Secret Service
- BusinessInsider, Identity verification service ID.me has a lucrative contract with the VA. Veterans and their families say it’s locked them out of disability payments and emergency assistance
- The Verge, Feds Are Still Using ID.me to Scan Your Face – And Its Human Reviewers Can’t Keep Up
- Bloomberg, Cybersecurity Company ID.me Is Becoming Government’s Digital Gatekeeper
- IRS, IRS Data Book
- ENISA, Remote Identity Proofing – Attacks & Countermeasures
- Oregon Employment Department, Potential Disparate Impacts of ID.me for Unemployment Insurance Claimants in Oregon
Matthew Thompson, CISSP, is an industry-recognized thought leader in the area of Identity and Security Management and currently serves as SVP & GM for public sector solutions at Socure. Matt is an innovator in the digital identity space, having co-founded ID.me, which was named to the “100 Brilliant Companies” list in 2014 by Entrepreneur Magazine. Matt has spent years working in the public and private sectors to promote privacy-enhancing, secure, interoperable, and user-friendly ways to give individuals and organizations confidence in their online interactions, which garnered him recognition by One World Identity as one of the “Top 100 Leaders in Identity” in 2017 and 2018.
SoCandid Spotlight: Beyond NIST - Why Higher Standards...
Socure recently achieved a milestone when the Kantara Initiative certified our identity verification...
An Open Letter to the IRS: You Can...
Dear Internal Revenue Service, It’s time to look for root causes....