There is no doubt that mobile technology has made life easier, but it has also created a number of challenges. The anonymity that the internet provides can be a benefit in a number of cases, but it can also help facilitate a host of criminal activities. Identity theft, in particular, is an especially pernicious problem on the digital superhighways designed specifically with anonymity in mind.
Businesses and merchants have a need to ensure that the users attempting to access accounts and make purchases are actually authorized to do so. In some cases, such as with banking, businesses actually have a legal responsibility to ensure that individuals attempting to open accounts and do business with the bank fit certain legal criteria, such as being a legitimate, tax-paying citizen of the United States. This attempt to validate the legitimate identity of the user is what is known as identity proofing.
In some cases, a legitimate real-world identity needs to be clearly established in order ot open an account or access a service. In other cases, online businesses merely need to ensure that the person attempting to access an account is the same person that set up the account in the first place. For instance, a bank or online employer may need to validate an individual's real-world identity before opening an account or issuing a paycheck. In that case, they may request a scan of a valid passport or state-issued ID as well as verifiable personal information such as an address, phone number and full social security number.
Even then, however, an individual may simply use someone else's stolen documents. In some cases, the identification can simply be used and replaced without the actual owner being any the wiser. To combat this, many online businesses now require users to submit a selfie of themselves holding the ID, as well as a close-up of the ID itself. One drawback to this, however, is that almost anyone with some basic photoshopping skills can scan or photograph an ID and then superimpose their own face onto the ID and print it out. What would not pass an in-person inspection can all-too-easily pass an online inspection. This is where other services that help to validate a real-world identity online come into play.
Documents can be easily forged for online use, but what cannot be as easily forged is an online identity. Personal information is available from legitimate sources online that can be compared with information being provided by new account applicants. For instance, credit reporting agencies can help confirm personal details like addresses, phone numbers and even social security numbers. There are even services that can run state identification numbers to ensure the identification being offered online belongs to the person attempting to open an account or purchase restricted items.
When it is not necessary to establish a real-world identity, it is still important for businesses to only be granting access to accounts to legitimate account holders. This is where procedures like multi-factor authentication come in. Thanks to a long series of high profile data dumps and users that stubbornly continue to use the same login ID and password on multiple accounts, login credentials alone are no longer sufficient to secure most accounts. Multi-factor authentication requires users to provide at least two of three types of verification: possession (something you have), knowledge (something you know) and inherency (something you are)to prove their authority to access an account. In some cases, smart devices even roll a number of different factors into one smooth, seamless process.
A smartphone user may use a smartphone with a thumbprint scanner that will scan their thumbprint (something they are) before automatically inputting their login credentials (something they know) to an app or website they are trying to access. At the same time, the website or app may be registering the unique ID of the device they are using (something they have) and comparing it to previous logins. If it matches, that provides a third factor of verification.
If it does not match, it may trigger secondary protocols which require the user to provide further verification. This can include things like answering pre-arranged security questions or entering a code sent to a pre-arranged cell phone number or email address. While the user themselves may be doing nothing more than just pressing the home button on their smartphone or even just holding their smartphone with facial recognition software up to their face, what they are actually doing is utilizing multi-factor authentication to verify their identity.