Reading this post by John at IDology, I'm starting to understand how “knowledge verification” can differ from conventional uses of personal identifying information:
So I came across some interesting commentary in the blogsphere regarding verification services sparked by Jessicaâ€™s article I blogged about in my last entry (which you can now read a version of in The Charlotte Observer). In the article, Jessica describes the verification chain (which I must point out is only a brief snapshot as well as a combination of several different processes from different providers) that prompted Conor Cahill to post on the problems of verification services in general.â€œRight now we give all our identifying information to every Tom, Dick and Harryâ€¦What if we just gave it to Tom, or a couple of Toms, and the Toms then vouched for who we are? We would â€˜registerâ€™ with the Toms, and the Toms would make claims about us and the chances of having our identity stolen would dropâ€¦â€
â€¦there is still light to be shed on what a verification service is and how it in fact works today to protect consumer data from being further comprised in the event of becoming a victim of identity theft.Conor comments: â€œI would hope they start to add stronger verification that the person who â€œknowsâ€ this stuff is actually the person whoâ€™s data is being verifiedâ€¦We really need to move away from knowledge of basic facts as a verification of identity, especially when many of those facts are published in one form or another.â€
Yes, in some instances some verification providers are using current information, credit history and other data resources that are easy for thieves to buy, know or guess when impersonating someone. Thatâ€™s why using knowledge-based information on past personal history is much more effective. This information is hard to dig up. Admittedly itâ€™s not foolproof against our mother or spouse, but if someone that close to me stealâ€™s my identity then there are other levels of trust issues to be discussed.
Based on Kimâ€™s commentâ€œIâ€™ve been asked so many times for the name of my first pet that Iâ€™ve had to make one up.â€
I want to clarify that this form of verification does not fall in the category of what I define as knowledge based authentication. Sure, itâ€™s based on knowledge, but itâ€™s a knowledge we provide which is then stored in a database for when we inevitably forget our password. Considering most consumers probably use the same question/answer and passwords or combination password at several different sites, consumers are in a real pickle when a data breach occurs or a laptop with those records is stolen. The solution for this of course is very eloquently addressed in the Tom, Dick and Harry example Kim Cameron provided, but itâ€™s important to explain that Knowledge verification services as they relate to ecommerce today and in the future for Identity 2.0, are intelligent-based and ask you questions not every Tom, Dick and Harry use or know.
It would help to understand the concepts better if John would give us some examples of how this works in practice. What kinds of questions are asked, and how does IDology know the answers?