Monthly Archives: August 2006

Knowledge Verification In Practice…

My last post has sparked more interest in knowledge verification and how it works exactly. In response to Kim Cameron’s request in this blog post

“It would help to understand the concepts better if John would give us some examples of how this works in practice. What kinds of questions are asked, and how does IDology know the answers?”

I will address how this works in practice from two different angles, a consumer point of view and a business point of view, because both are important in how knowledge verification helps protect consumer privacy and promote the responsible use of data by businesses (which addresses a comment from Adam of Emergent Chaos posted in Kim’s blog).

For simplicity, let’s look at this in relation to an e-commerce transaction where we are buying something over $250 on the Internet. First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented. Once the business receives the information, in the interest of controlling fraud and completing the transaction as quickly as possible (avoiding a manual review of the transaction by the business), it uses an automatic system to verify that the personal information submitted is linked to a real person and that I am indeed that person. Enter IDology’s knowledge-based authentication (KBA), which scours (without exposing) billions of public data records to develop, on the fly, intelligent multiple-choice questions for the person to answer. Our clients vary in their delivery of KBA: some reward their customers with expedited shipping for going through the process, while others consider it a further extension of the credit card approval process, during which various data elements associated with the credit card, such as address verification, are validated along with the credit approval.

The key is for a business to use a KBA system that bases its questions on non-credit data and reaches back into your public records history so that the answers are not easily guessed or blatantly obvious. Typically, consumers find credit-based questions (what was the amount of your last mortgage payment, bank deposit, etc.) intrusive and difficult to answer, and these types of answers can be forged by stealing someone’s credit report or accessed with compromised consumer data. Without giving away too much of our secret sauce, our questions relate to items such as former addresses (from as far back as college), people you know, vehicle information and anything else that can be determined confidentially while not exposing data from existing public data sources.

Once the system processes the results (which is all real-time processing), it simply shares how many questions were answered right or wrong so that the business can determine how to handle the transaction further. The answers are not given within the transaction processing (protecting the consumer and the business from employees misusing data) and good KBA systems have lots of different types of questions to ask, so that the same questions are not always presented and one question doesn’t give away the answer to another.
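The score-only result and the question variety described above can be sketched as follows. This is an added example, not IDology’s code; the fact categories, sample values, function names and the single-use session rule are assumptions made for illustration.

```python
import random
import secrets

# Constructed sample data: one person's facts by category, with decoys.
# Category names and values are hypothetical, invented for this example.
FACTS = {
    "former_street": ("Which street have you lived on?", "Maple Ave",
                      ["Oak St", "Pine Rd", "Elm Ct"]),
    "vehicle": ("Which vehicle have you registered?", "1998 Civic",
                ["2001 Jetta", "1995 Ranger", "2003 Camry"]),
    "associate": ("Which person do you know?", "R. Alvarez",
                  ["T. Nguyen", "P. Okafor", "L. Schmidt"]),
    "college_city": ("In which city did you live during college?", "Athens",
                     ["Macon", "Savannah", "Augusta"]),
}

SESSIONS = {}  # session id -> correct choice indexes, held by the verifier only

def build_quiz(facts, n, rng=None):
    """Pick n questions from n different categories; return (session_id, quiz)."""
    rng = rng or random.SystemRandom()
    quiz, key = [], []
    for cat in rng.sample(sorted(facts), n):  # distinct categories, varied per call
        prompt, answer, decoys = facts[cat]
        choices = decoys + [answer]
        rng.shuffle(choices)
        quiz.append({"prompt": prompt, "choices": choices})
        key.append(choices.index(answer))
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = key  # the answer key never leaves the verifier
    return sid, quiz

def grade(sid, picks):
    """Return only the tally the business sees; a session is graded once."""
    key = SESSIONS.pop(sid, None)  # single use (assumption): no second attempt
    if key is None or len(picks) != len(key):
        return {"asked": 0, "correct": 0, "valid": False}
    correct = sum(int(p == k) for p, k in zip(picks, key))
    return {"asked": len(key), "correct": correct, "valid": True}

def leaks_answer(facts, quiz):
    """True if any correct answer text appears in a question prompt."""
    answers = {a for _, a, _ in facts.values()}
    return any(a in q["prompt"] for q in quiz for a in answers)
```

The business receives only the dictionary returned by `grade`, so neither its staff nor its logs ever hold the correct answers.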

So you see, this is much more than performing shared authentication based on your dog’s name or favorite sports team. And KBA is in the marketplace today working well for both businesses and consumers. In fact, our clients get comments from their customers thanking them for taking the steps to protect their identities through this process. In other words, this can stop the bad guys from committing ID theft.

At the end of the day, the consumer, by completing this ecommerce transaction, is establishing a single pointed trusted identity with that business. The next extension is how the consumer can utilize this verification process to validate his/her identity to complete other economic transactions, or to have an established verified identity for posting to a blog or joining a conversation in a social network where participants have agreed to be verified in order to establish a trusted network, or may be concerned with the age of someone in their verified network. To us, KBA can be an important part of establishing and maintaining a trusted identity.

I hope this provides more clarity for Kim on how KBA works and gives a better understanding on the types of questions presented. While I think I addressed Adam’s first comment related to consumer consent, I still need to address:

“Second, the information that such companies can gather are probably already being gathered by Choicepoint, Acxiom, Google, and others. So the assertions that ‘it’s cheap for us, and expensive for the attackers’ are hard to accept as credible.

Third, if truth and your database don’t agree, then we’re forced to have a reconciliation process, in which I, or the id thief, convince the company to change its answers. How does that process work?”

There are several different verification solutions available today including some from vendors who are also in the business of gathering, buying and selling data. That is not our (IDology’s) business. We access public data records during a transaction real time to assist with completing the transaction and make an independent observation about our findings. We don’t aggregate, distribute or otherwise reuse data. In other words, we provide a real-time solution to assist with establishing trusted identities.

So what happens if KBA is unable to verify you? A business would handle the exception transaction as they do now – probably asking for us to contact their call center, which may or may not be something I’m willing to do as a consumer.

So, hopefully this (very long but I wanted to be thorough) answer helps better explain how KBA works…thoughts?



Filed under Digital identity, identity, Identity 2.0, identity theft, Identity verification, kim cameron, knowledge based authentication, knowledge verification

What is Knowledge Verification?

So I came across some interesting commentary in the blogosphere regarding verification services sparked by Jessica’s article I blogged about in my last entry (which you can now read a version of in The Charlotte Observer). In the article, Jessica describes the verification chain (which I must point out is only a brief snapshot as well as a combination of several different processes from different providers) that prompted Conor Cahill to post on the problems of verification services in general.

While I think Kim Cameron’s blogpost response helps clarify verification as it relates to Identity 2.0…

“Right now we give all our identifying information to every Tom, Dick and Harry…What if we just gave it to Tom, or a couple of Toms, and the Toms then vouched for who we are? We would ‘register’ with the Toms, and the Toms would make claims about us and the chances of having our identity stolen would drop…”

…there is still light to be shed on what a verification service is and how it in fact works today to protect consumer data from being further compromised in the event of becoming a victim of identity theft.

Conor comments: “I would hope they start to add stronger verification that the person who “knows” this stuff is actually the person whose data is being verified…We really need to move away from knowledge of basic facts as a verification of identity, especially when many of those facts are published in one form or another.”

Yes, in some instances some verification providers are using current information, credit history and other data resources that are easy for thieves to buy, know or guess when impersonating someone. That’s why using knowledge-based information on past personal history is much more effective. This information is hard to dig up. Admittedly it’s not foolproof against our mother or spouse, but if someone that close to me steals my identity then there are other levels of trust issues to be discussed.

Based on Kim’s comment

“I’ve been asked so many times for the name of my first pet that I’ve had to make one up.”

I want to clarify that this form of verification does not fall in the category of what I define as knowledge-based authentication. Sure, it’s based on knowledge, but it’s a knowledge we provide which is then stored in a database for when we inevitably forget our password. Considering most consumers probably use the same question/answer and passwords or combination password at several different sites, consumers are in a real pickle when a data breach occurs or a laptop with those records is stolen. The solution for this of course is very eloquently addressed in the Tom, Dick and Harry example Kim Cameron provided, but it’s important to explain that knowledge verification services, as they relate to ecommerce today and in the future for Identity 2.0, are intelligent-based and ask you questions not every Tom, Dick and Harry use or know.



Filed under authentication, identity, Identity 2.0, identity theft, Identity verification, kim cameron

Hats off to Zoey’s Room

Thanks to all the recent media hoopla surrounding age verification and MySpace, we were able to establish a partnership with a social networking site, Zoey’s Room (see the full press release). What’s unique and exciting about this is that Zoey’s Room members are ages 10-14. So much of the press coverage and industry focus has been on not being able to age verify kids because of the lack of data on this demographic. Until recently I think this has been used as an excuse. But obviously the tide is turning.

On a side note, IDology and this announcement were covered in a Wall Street Journal article yesterday titled “New Ways to Prove You Are Who You Say You Are Online” (subscription required). This is a great article giving a consumer-focused view of online safety and Identity 2.0. Although the author doesn’t mention “Identity 2.0”, she speaks to the heart of it in the teaser headline on the front page of the paper, which says “Building Trust Into Web Identities.”




Filed under Age Verification, Identity verification, social networking