| Entities | |
| Topics and Issues |
In 2019, the GAO issued a report, Data Protection: Federal Agencies Need to Strengthen Online Identity Verification Processes. The report, GAO-19-288, is summarized:
Remote identity proofing is the process federal agencies and other entities use to verify that the individuals who apply online for benefits and services are who they claim to be. To perform remote identity proofing, agencies that GAO reviewed rely on consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification. This type of verification involves asking applicants seeking federal benefits or services personal questions derived from information found in their credit files, with the assumption that only the true owner of the identity would know the answers. If the applicant responds correctly, their identity is considered to be verified. For example, the Social Security Administration (SSA) uses this technique to verify the identities of individuals seeking access to the “My Social Security” service, which allows them to check the status of benefit applications, request a replacement Social Security or Medicare card, and request other services.
However, data stolen in recent breaches, such as the 2017 Equifax breach, could be used fraudulently to respond to knowledge-based verification questions. The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications. Alternative methods are available that provide stronger security… However, these methods may have limitations in cost, convenience, and technological maturity, and they may not be viable for all segments of the public.