by Peter Leppik on Wed, 2008-07-30 01:00

The days when you would personally know your banker, travel agent, and Marge the local phone operator are long past. Our modern, globally connected world has brought great benefits in the form of better products, lower prices, and sophisticated services. The downside is that verifying a customer's identity has become a real problem with major consequences (such as identity theft) for failing to properly tell a real customer from an impostor.

One solution has been to use information in credit reports and public records to ask personal questions--for example, "In 1993, did you own a Honda or a Buick?" An article in Destination CRM about a new company called ID Analytics talks about some refinements to this technique: using multiple databases to ask ever more obscure questions, and scoring an individual's likelihood of being subject to identity theft in order to adjust the level of confidence required before verifying an identity.

Personally, I have some issues with this entire approach. The Emergent Chaos blog puts a finger on some of the key problems: these kinds of personal questions are annoying (and sometimes creepily intrusive), and the approach is predicated on the notion that merging a bunch of large databases together gives a more accurate and complete picture of reality.

History has shown, however, that the databases these kinds of systems rely on are often anything but accurate and complete. Credit reports are notoriously error-filled, and merging together two disparate data sets inevitably introduces entirely new mistakes. This isn't a big deal for low-stakes purposes such as targeting a direct mail campaign, but if being able to access your bank account depends on a database provider not accidentally merging your record with someone else's, then even a very low error rate is unacceptable.

Identity verification is a hard problem. My favorite solution so far is PayPal's: they sent me a cryptographic "dongle," which gives me a unique six-digit number every time I press the button. I can't access my PayPal account without providing the number, thus proving that I both know my password and have physical possession of the unique dongle registered to my account (security experts call this "two-factor" authentication since it requires two distinct things, in this case something I know and something I have).

Will there ever be a foolproof way to verify identities over the phone (or online)? I don't know, but I suspect the "asking personal questions" technique is close to played out. I have a hard enough time remembering my wife's birthday--I don't need to be asked about my next-door neighbor from 20 years ago.

