Interesting eWeek article on Identity Proofing
You can read here an interesting interview eWeek ran of Burton Group analyst Mark Diodati on the topic of Identity Proofing – that crucial but often tricky process that verifies that someone is indeed who they are claiming to be. This is somewhat different from authentication, which is the process of someone identifying themselves to a system as a previous identity that the system has interacted with (usually based on an authentication token). The distinction is important, because going through identity proofing each time someone wants to interact with a system would be overkill (wouldn’t make sense if I had to play 20 questions every time I wanted to log into my banks website for online banking).
Most often, identity proofing is part of the registration process that will lead to the issuance of an authentication token to someone. However, it is becoming increasingly desirable for identity proofing to be used as part of a contextual authentication process when a deeper level of assurance is needed (for instance, when I decide to transfer all my money to another bank account).
Having made the distinction between authentication and proofing, it is unfortunate that two out of the three identity proofing methods that Mark explains in the article have the word “authentication” in their industry names. Mark does a good job explaining the difference between these three methods – Knowledge-Based Authentication, Dynamic Knowledge-Based Authentication, and Out Of Band Proofing. As he points out, OOB Proofing is probably the most interesting of these mechanisms, as it doesn’t rely on some data source that could be infiltrated by someone intent on fraud. Interestingly enough, in my recent post on the Bharosa acquisition, I talked about their VoicePad product that provides something called Voice-based Authentication. This is a tool that enables OOB Proofing, by relying on a voiceprint biometric token, similar to the mechanism alluded to by Mark in the article (System calls the registered phone number, or sends a text to it asking the person to call back, and verifies the identity using a voiceprint match).
Give it a read. We are going to see increasing importance placed on the ability to leverage identity proofing as part of business transaction processing, which has some interesting implications for the whole Identity-As-A-Service discussion.