Multi-factor verification PLUS multivariate – it ain’t what you do, it’s the way that you do it
In a previous post, I discussed how we have entered an era of Multi-factor verification (MFV). By combining multiple methods of verifying a person, your identity-related service can build resilience, better security, and usability.
The art (or is it science?) of MFV has captured the imagination simply because it makes a lot of sense. We already do it, as one commentator said. Sure, we do, but as the old 80s popular beat combo Fun Boy Three said, “It ain’t what you do, it’s the way that you do it.”
I see your multi-factor verification, and I raise you a multivariate verification
Adding multiple verification factors to a system improves options in designing more usable and adaptive systems. Multiple verification factors provide service designers with flexibility; factors that are the best fit for their service and its customers can be offered. If these factors are handled using identity orchestration, the service can be modified to adapt user journeys to reflect specific use cases, such as “identifying journeys.” This is a powerful position for an organization to take. It provides a method of building a robust profile of a person while ensuring that person has options that optimize match rates. Services that focus on accessibility, like identity vouching, are secured by tying the process to the best-fit verification options. Even the issuance of verified claims can be augmented. However, there is another layer to consider. Having multiple verification factors is all well and good, but are some verification methods more trustworthy than others? This is where multivariate verification comes into play.
What is multivariate verification?
Systems, including society, are made of interacting layers, and identity systems are no exception. Multi-factor verification must use trust-weighting factors to incorporate granularity and fine-grained identity assurance into the MFV model. Each factor is assigned a weight. This weight can be calculated using a variety of mathematical or ad hoc methods; weighting can also be adjusted based on the system’s conditions. For example, a passport’s weighting may be lower if the passport is out of date.
In a multi-factor verification service, the weighting of each individual factor generates a mathematical result, and these results are then combined to determine an assurance level. This assurance level can be used to reflect the security requirements of an individual transaction or of an onboarding process.
Risk-based verification
Just as not all verification methods are equal, so too the conditions of a transaction can change. Multivariate verification is aligned with risk-based verification during transactions. For example, a rule can ensure that if certain conditions occur that are seen as increasing risk in the service, then the weighting of a verification method is adapted to those circumstances. Rules are used to further fine-tune verification weighting based on risk. Weights must be dynamic so that the system can be modified if it changes or if a trigger event happens, such as someone accessing the system from a greylisted IP address. By applying a risk factor to the weighting of a verification method, you can finely tune your identity checks.
How do you decide on a verification weight?
As mentioned, the weighting of a verification type can be set based on several criteria. Some examples of those criteria include the following:
- Service-set (subjective): the service designer sets the weights based on arbitrary rules that reflect the service risk levels.
- Standards-set (objective): standards such as GPG45 or advisories like JPLSG can be used to determine the risk level of specific verification methods. These risk levels can translate to objective weightings based on expert views.
These weights are used to define rules and reflect policies on risk-based MFV.
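The weighting model described above can be sketched in code. This is an added example, not Avoco Secure's implementation: the factor names, point values, percentages, thresholds and the sum-and-cap way of combining weights are all constructed assumptions. It shows service-set base weights, a condition rule (an out-of-date document), a risk rule (a greylisted IP address) and the resulting assurance level.

```python
from dataclasses import dataclass

# Constructed, service-set weights in points (not taken from GPG45 or any standard).
BASE_WEIGHTS = {"passport": 50, "bank_account": 30, "mobile_otp": 20, "vouch": 20}
# Constructed risk rules: trigger -> percentage of its weight each factor keeps.
RISK_RULES = {"ip_greylisted": {"bank_account": 50, "mobile_otp": 50}}
EXPIRED_PCT = 50  # assumption: an out-of-date document keeps half its weight
# Constructed thresholds mapping the combined score to an assurance level.
LEVELS = [(80, "high"), (50, "medium"), (0, "low")]


@dataclass(frozen=True)
class Evidence:
    factor: str
    passed: bool
    expired: bool = False


def effective_weight(ev, triggers=()):
    """Weight of one factor after its own condition and any active risk rules."""
    if not ev.passed:
        return 0
    weight = BASE_WEIGHTS.get(ev.factor, 0)  # unknown factors earn nothing
    if ev.expired:
        weight = weight * EXPIRED_PCT // 100
    for trigger in set(triggers):
        pct = RISK_RULES.get(trigger, {}).get(ev.factor, 100)
        weight = weight * pct // 100
    return weight


def assurance(evidence, triggers=()):
    """Combine factor weights into a capped score and an assurance level."""
    best = {}
    for ev in evidence:
        # Count each factor once so repeating a check cannot inflate the score.
        best[ev.factor] = max(best.get(ev.factor, 0), effective_weight(ev, triggers))
    score = min(sum(best.values()), 100)
    level = next(name for floor, name in LEVELS if score >= floor)
    return score, level


if __name__ == "__main__":
    docs = [Evidence("passport", True), Evidence("bank_account", True),
            Evidence("mobile_otp", True)]
    print(assurance(docs))                     # normal conditions
    print(assurance(docs, {"ip_greylisted"}))  # same evidence, raised risk
```

The same three pieces of evidence reach a lower assurance level once the greylisted-IP trigger is active, which is the point at which a service would ask for a further factor or step up the check.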
It may be multi-factor, but you still must think like a system designer
Multi-factor verification and its control using multivariate factoring are vital to system thinking. Digital transactions are a complex movement of interrelated cogs in the grand wheel of digital life. A layer of trust can be added to the system using fine-tuned multi-factor verification. Our identity-based services are not standalone, static objects; they are part of a fluid infrastructure and must reflect changing conditions. The adaptability required to reflect these conditions is achieved using identity orchestration built upon the foundation of decisioning.
If you want to know how to use multi-factor verification powered by a multivariate model, shout out to Avoco Secure.