Identity verification is a mission-critical component of fraud prevention in unemployment. However, done incorrectly, it can also be a huge driver of inequitable access to benefits.
States should be prohibited from using non-compliant identity verification methods such as manually reviewing photocopies of drivers’ licenses or comparing Social Security numbers. NIST has also forbidden the use of Knowledge-Based Authentication since 2017,[1] because the prevalence of data breaches has made it trivial for criminals to write scripts that pass these checks and commit identity theft at scale.
States that continue to use these methods could be held liable for the resulting identity theft fraud, while states adhering to federal guidelines could be eligible for some relief in instances of resulting identity theft. This shifts the burden of maintaining up-to-date identity verification standards to NIST, where it belongs, and not to individual, state-level workforce agencies that don’t have the expertise needed.
It’s particularly important that state agencies stop using Social Security numbers as proof of identity. For decades, SSNs have been inappropriately used as IDs by schools, medical providers, banks, credit bureaus, and nearly every other application imaginable. Dozens of these mass databases have been compromised and leaked online. The result is that SSNs are effectively public information. They can’t serve as a “something you know” or “secret” factor in standards such as AAL2.
In addition to being NIST IAL2/AAL2 compliant, U.S. DOL could require[2] that identity verification solutions for unemployment:
Identity verification vendors should only get paid when they successfully verify an individual’s identity, aligning incentives for vendors to find more solutions to help more real people through (while remaining standards-compliant).
U.S. DOL should measure outcomes across demographics for identity verification vendors,[7] in collaboration with NIST. NIST already leads work on bias in identity verification algorithms. They could engage the Algorithmic Justice League for assistance.
NIST could also encourage an algorithmic bias “bug bounty” program, similar to those for security bugs, giving people a pathway to report algorithmic bias and to track the resolution of reported incidents.
Some states have made identity verification the very first step, while others allow people to get further in the process first.
Of the states that have adopted federally-compliant identity verification during the pandemic, some require all claimants to complete it, while others only send claimants with higher risk scores, or only PUA claimants, through it. The demonstration project should explicitly measure equitable outcomes, looking for areas where real claimants may be discouraged or stopped from progressing, and fixing them.
Undocumented workers aren't currently eligible for unemployment benefits, even if they have identity documents that can pass federal verification standards. No solution is likely at the federal level, because of immigration politics and the likelihood that any federal data on undocumented workers will eventually be used for purposes other than intended.
If unemployment benefits were to be extended to undocumented workers, there are promising solutions for supporting those benefits at the state level. (Even then, we caution strongly against developing a database of undocumented individuals.) New York's Excluded Worker Fund is one example, partnering with community organizations to distribute funds based on proof of income.
“Although commonly used by federal agencies for remote identity proofing, knowledge-based verification techniques pose security risks because an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and successfully impersonate that individual. As such, NIST’s 2017 guidance on remote identity proofing effectively prohibits the use of knowledge-based verification for sensitive applications. The guidance states that the ease with which an attacker can discover the answers to many knowledge-based questions and the relatively small number of possible responses cause the method to have an unacceptably high risk of being successfully compromised by an attacker.” - GAO https://www.gao.gov/assets/gao-19-288.pdf
U.S. DOL already imposes myriad identity verification requirements, listed on page 20 here: https://wdr.doleta.gov/directives/attach/UIPL/UIPL_16-20_Change_4.pdf
USPS is a logical partner here: it could provide identity verification in post offices and offer rural in-person remote proofing by postal workers.
With additional training, DOL could provide in-person identity proofing options at DOL offices.
IRS uses Certified Acceptance Agents to verify documents for ITINs.