At least four major federal agencies, the United States Postal Service (USPS), the Centers for Medicare and Medicaid Services (CMS), the Department of Veterans Affairs (VA) and the Social Security Administration (SSA), still use an outdated form of identity confirmation called knowledge verification.

Two other federal agencies, the General Services Administration (GSA) and the Internal Revenue Service (IRS), have junked knowledge verification.

Jake Leary explains how knowledge verification works and why it is flawed in this report for PCMag:

Four use knowledge-based verification, an identity-confirmation method where you provide a piece of personal identifying information. But this assumes only you know your personal information, which—given that breaches occur on an almost weekly basis—is unrealistic and naive.

In the 2017 Equifax breach, which ultimately impacted up to 147.9 million Americans, hackers stole everything from addresses to birth dates to Social Security numbers, all of which are standard answers to knowledge-based verification questions. Hackers then used this stolen information to pilfer identities and fraudulently apply for Social Security cards or benefits.

The GSA and IRS have ditched knowledge-based verification entirely, the GAO says. The VA only relies on the outdated method for some of its dependents, but other agencies have only developed action plans to move beyond knowledge-based verification. The Centers for Medicare and Medicaid Services insisted on maintaining the status quo.

This shouldn’t be a shock. Two years ago the National Institute of Standards and Technology (NIST) condemned knowledge-based verification and provided strategies to improve security. But NIST didn’t include sufficient implementation plans, the GAO found.

The GAO has now proposed several alternatives: One method would require you to snap a photo of your driver’s license and have an agency compare it with a filed document. Another would use cell phone records to confirm your identity.

But both rely on mobile devices, which, though prevalent, aren’t ubiquitous; according to Pew research, 19 percent of US adults don’t have a smartphone, with elderly, uneducated, and low-income citizens being less likely to own a mobile device than their wealthy, upper-class counterparts. A verification system dependent on phone ownership could exclude the populations most reliant on government services, making it more difficult for those groups to access necessary information and services.