Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Alloy and Experian are different from the other vendors in that they explicitly and transparently leverage other companies’ technology as identity proofing platforms. Both take information that others have already interpreted and use that as an input to their own risk interpretation. Additionally, Idemia itself uses Experian.
Alloy has a platform that can combine multiple risk assessments about the same piece of data. For example, Alloy can interpret in parallel the fraud risk data sent by both SentiLink and Ekata about a particular Name + Address combination. Alloy has agreements with more than 65 partners in total that can be mixed and matched when setting up an identity proofing system. This immense flexibility (and overlap with the vendors evaluated in this paper) and the fact that no pricing information was made available make it hard to come to any conclusion about Alloy.
Experian’s approach is slightly different. They build some of the infrastructure themselves, and they rely on other companies for specific pieces of the puzzle: Acuant provides their document verification; EmailAge by LexisNexis gives them a risk assessment specifically about the longevity of an email address and the domain to which it belongs. Experian bundles the vendors and features into 2 or 3 offerings, as distinct from Alloy’s a la carte approach.
UI agencies themselves could also build their own platform by using different vendors at different steps of the process. (If you wanted multiple products to provide synthetic identity detection on PII, it would likely be more effective and less risky to achieve that through Alloy--with the caveat that their pricing is unknown.) For example:
Use your existing method to determine validity of SSN / Name / DOB combination
If that combination is valid, collect and use additional PII (address, mother’s maiden name, email, phone, etc.) and evaluate it with one vendor’s synthetic identity detection product.
If step 2 indicates a particular fraud risk, have that individual go through a document + biometric verification step.
Given the variety of products from these vendors and the way that the information was provided, it’s hard to do a direct comparison -- but we can try by making a couple of assumptions and establishing some constants:
For the vendor with a set-up fee (Experian), the cost is amortized over 2 years and 10,000 claims per month.
For the vendors that provided approximate costs:
Sentilink said $0.25 / verification: we will create a moderate cost range of $0.15 - $0.45 / verification.
Socure said mid-to-high single digit cents / query: we will create this as a range of $0.04 - $0.09 / query.
Not all queries will result in a verified identity; we will stipulate that a best-case scenario for all vendors other than ID.me is 95%, and that the worst-case scenario is 80%.
*Because ID.me has a virtual in-person proofing step that none of the other vendors have, we will stipulate that their best-case scenario for achieving a verified identity is 99%, and that their worst case is 85%.
Below are the results of calculating average cost per query (i.e., cost per new UI claim) for the 6 vendors whose pricing information we have
Low average cost per query
High average cost per query
Cognito
$0.56
$0.94
Ekata
$0.10
$0.25
Experian
$0.11
$0.28
ID.me
$3.40
$3.96
Idemia
$2.00
$5.23
SentiLink
$0.12
$0.43
Socure
$0.09
$0.29
For each of the evaluated vendors, we have done our best to provide accurate information through a combination of research and conversations with company representatives. This section of the document summarizes some of the more important vendor differences to inform your decision making. For all the details, see the appendices:
There is an identity proofing vendor that falls outside of the scope of this document, but that is likely to be of interest to readers: Login.gov, provided by the federal government. The single-sign-on service was launched by the General Service Administration in 2017, providing two-factor authentication, fraud detection, and Identity Assurance Level 2 (IAL2) under NIST-800-63A. It was initially available only to federal agencies, with a FedRAMP Moderate ATO, with customers including the Department of Defense, the Department of Homeland Security, the Department of Energy, and the Department of Transportation. At the end of 2020 they were granted permission by the White House Office of Management and Budget to accept state agencies as customers.
Login.gov is not a drop-in identity proofing vendor. They perform identity proofing, but only as a component of a user registration process within Login.gov. For employment agencies to use Login.gov for identity proofing, they need to replace their entire authentication flow with Login.gov, integrating it via OAuth 2.0 or SAML.
Name, website, and last date updated in this document
Headquarters
Founded
User Base
Best for
New York, NY
2015
Financial services, banking
KYC/AML compliance, fraud prevention
Palo Alto, CA
2014
Financial services and marketplaces
KYC compliance; address and age verification
Seattle, WA
2012
Online lending, retail banking, ecommerce and marketplaces
Identity records for dynamic PII
Dublin, Ireland
1996
Government partners, financial services, online lending
KYC compliance, fraud prevention, identity records
McLean, VA
2010
Government partners, retail, online healthcare
Identity records
Idemia
https://www.idemia.com
5/4/2021
France
2007
Government partners
Identity records
Tallahassee, FL
2003
Financial services, banking, retail
Identity and age verification
San Francisco, CA
2017
Retail banking, credit card issuers, all types of lenders, and fintech
Synthetic fraud detection & analytics
New York, NY
2012
Retail banking, credit card issuers, and remittance providers
Fraud scoring and analysis
USDR can help you further evaluate vendors to find out which will best suit your state’s specific needs. Reach out to if you are interested.
Follow 18F’s when planning your identity proofing automation project.
See “Appendix B: Acceleration Plan for Identity Verification” in California’s to serve as a reference for how you can create a plan for your state.
If you have questions or need help solving unemployment insurance issues in your state, please contact the Unemployment Insurance Team by .
Alloy is the most configurable of the vendors; they have partnerships with many other vendors that provide a wide variety of identity verification methods that can be used in combination with each other. Their partners include most of the vendors evaluated in this report: Cognito, Ekata, IDology, SentiLink, and Socure. We do not have information on their pricing.
Cognito’s identity proofing focuses on basic PII: Name, phone, address, and SSN. Their unique offering is through using synthetic identity detection to confirm the validity of a Name / Phone number combo, and then using 2FA to confirm that the person is still in possession of that phone number. (Additional KBV is an add-on for further detection of stolen identities.) With this reliance on 2FA, their product isn’t as suitable for managing the applicant backlog without needing the applicants to take some action.
Ekata specializes in confirming “dynamic PII” -- Name, phone, address, and email. By also looking at passively-collected information (e.g., IP address and phone metadata), they are able to detect stolen as well as synthetic identities. They do not have a batch way to process the applicant backlog without needing the applicants to re-enter this basic PII. They do have a dashboard where you can see the results of an individual’s ID proofing process.
Experian is one of the vendors that could provide all the identity proofing pieces; they have both a step-up offering and a full NIST IAL2 offering. It is one of two vendors that appear to have gotten contracts with state UI agencies since the passage of the CARES Act (5-6 states). Their synthetic identity detection product can be used on the applicant backlog without needing the applicants to take any action (document verification would of course need the applicants to provide that documentation). They were the one company that mentioned the use of “marketing data” as one of many data sources used in their synthetic identity detection.
ID.me is another of the vendors that could provide all the identity proofing pieces; their primary offering is a full NIST IAL2 identity proofing solution. (They also offer pieces as individual products, but we do not have as much information on that.) It appears to be the primary vendor that has gotten contracts with state UI agencies since the passage of the CARES Act (AZ, CA, CO, FL, GA, ID, IN, LA, ME, MA, MS, MO, MT, NV, NJ, NY, NC, ND, OR, PA, SC, TX, WA). Their document + biometric verification solution is the most sophisticated; if someone cannot be verified through a comparison of a selfie to the uploaded documents, they are routed to a “remote in-person” identity proofing video chat where those documents are presented in real time to an ID.me call center. There have been concerns around the wait times of this service, e.g. in Nevada. To be used in applicant backlog management, it requires that everyone be sent to their site to re-enter their PII and provide documentation because it is an IAL2 certified solution.
Idemia is another of the vendors that could provide all the identity proofing pieces, partially through the way it leverages Experian Precise ID. They appear well set-up to be used in a “step-up” identification process for either applicant creation or backlog management (i.e., their batch API can do synthetic identity detection without additional action from the applicant). If a state's Department of Motor Vehicles uses Idemia, that state's UI system can be configured to use that database as another trusted source.
IDology is another of the vendors that could provide all the identity proofing pieces, though we don’t have their pricing information. They appear well set-up to be used in a “step-up” identification process for either applicant creation or backlog management (i.e., their batch API can do synthetic identity detection without additional action from the applicant). Part of their unique offering is access to the Consortium Fraud Network that allows them to securely check the use of PII combinations in additional contexts.
SentiLink focuses on synthetic identity detection, comparing the self-asserted PII to numerous data sources. The breadth of their data sources means that with sufficient PII collected, they should be able to detect stolen identities; however, they did not mention the use of passively-collected information, which can be very helpful in this regard. They can be used at either application creation or to evaluate applicants in the backlog without the applicant needing to take action; they also have a dashboard where you can see the results of an individual’s ID proofing process.
Socure is another of the vendors that could provide all the identity proofing pieces. They explicitly recommend creating a “step-up” process and shared that the synthetic identity detection step can verify 90% of people, leaving only 10% to need the more expensive doc + bio verification step. They can be used for either applicant creation or backlog management (i.e., their batch API can do synthetic identity detection without additional action from the applicant)
UI agencies already have in place methods to determine whether a provided SSN / Name / DOB combination is real (i.e., not synthetic). That functionality can remain in place alongside any new identity proofing mechanisms, as long as there is clear communication between pieces of the system.
There are 2 ways that vendors determine the validity of a provided Social Security Number (Ekata doesn’t handle SSNs at all). The second method is more “official,” but both Cognito and Socure believe their method to be effective.
Cognito and Socure have systems that search for prior use of a SSN / Name / DOB combination, e.g., through DMV records or credit files. A drawback of this approach (depending on the details of the vendor’s implementation) is that it is possible for synthetically created identities to have credit files. Additionally, the vendors that rely heavily on credit bureau sources will systematically be less likely to prove the identities of those with less access to credit. Via both Cognito and Socure, Alloy has this functionality.
Experian, ID.me, and SentiLink have systems that check against the Social Security Administration Death Master File, which will not have any synthetic identities in it. All three vendors use additional methods to detect synthetic identities. However, it is updated at most weekly and is not a comprehensive record of all deaths in the country; a notable exception is that it excludes state death records. Via SentiLink, Alloy has this functionality.
Note: Two vendors, SentiLink and Experian, have access to the SSA's new eCBSV product, which for their financial customers only allows them to effectively query the SSA directly and thus know with near-certainty that the SSN / Name / DOB match, and belong to a live human. Unfortunately, the SSA does not currently allow for other uses of this API, despite how useful and effective it would be for the UI identity theft detection scenario.
There are many players in the commercial identity proofing & fraud detection space that are good candidates for use by UI agencies. In addition to providing key overview data for each company, we have aggregated data that will help UI agencies in making a vendor decision. We have also listed out a number of other non-functional requirements that would be relevant to most implementations.
In evaluating vendors, we came up with a list of key questions that influence the degree to which the vendor could help ease the identity proofing burden on UI systems:
What is the pricing model, and what is the cost? If it’s by verification attempt rather than only successful verification, the overall difference in per applicant cost could be 5-20% depending on the vendor’s success rate (which we don’t really know). Additionally, if a company has known set-up costs, those are noted.
What is the user experience (UX) like during identity proofing at account creation? I.e., is it an API call that is run in the background without the user noticing and/or a UX provided by the vendor that the user is sent to? Some vendors have a single product that provides an experience that all applicants would have; other vendors have multiple products that can be chained together in the “step-up” method depending on individual results.
How can it be used to process users in the backlog who have been flagged as potential fraud risks? The most impactful functionality in this area is whether they have a “batch API” that can be used to help make a determination on many individuals at once, without needing those individuals to take further action. Some vendors need a special workflow set up to send people from the backlog to their site to gather, or re-gather, information.
What methods does it use to verify identity, per descriptions in the "Process of Identity Proofing" section?
Where do they get the data against which they perform the identity proofing, including SSN? Every data source has limitations, and so in general, more data is going to result in more people with positively proved identities while continuing to catch those trying to commit fraud. (On the other hand, more data sources is likely to be reflected in a higher price for that vendor.)
If you believe that a vendor is a good match for your needs based on the key considerations above, the following information about the company could help you finalize your decision. Please do not be discouraged by “unknown” answers for some of these questions — that we have been unable to get answers to these questions does not mean that they are unanswerable.
What notable (name-brand) customers do they have?
What special certifications/authorizations does it have?
Have other government entities used it?
Does this vendor have existing contracts through an available Federal Supply Schedule (FSS) through GSA or some other Governmentwide Acquisition Contract (GWAC)?
Is this vendor under a recognized socioeconomic program or status such as the 8(a) program or Service-Disabled Veteran-Owned Small Business (SDVSOB)?
While most state unemployment insurance agencies are trying to solve the same set of problems, the technologies and processes that they are working with vary greatly. Each organization will have to determine their own requirements in the following areas:
Network API and style (e.g. REST/SOAP/GraphQL)
Supported development languages
Client libraries
Security concerns
Average and 99th percentile response times
Scalability
Error rate
Support (API docs, consulting services, third-party support, etc.)
Licensing, embedding, reuse
Data storage and access policies (Do they store PII on their side? Do their employees have access to that data? If so, how are those employees vetted and/or held accountable?)
Severability and replaceability (How is their contract structured? If they store data, is that data accessible in a bulk, machine-readable format?)
Hosting model (SaaS or on-premise?)
Digitizing the document verification step for those whose identities are in question is a key part of detecting fraud and of reducing load in UI agency staff. As discussed in Recommended Process for UI Identity Proofing, the system can require everyone to go through a document verification process, or only a subset of individuals (a “step-up” process).
The following vendors provide document verification:
Alloy
Experian
ID.me
Idemia (via Experian Precise ID)
IDology
Socure
All of these vendors’ documentation verification products combine it with a biometric verification step. The biometric verification is in the form of a selfie that gets checked for “liveness” (i.e., to check whether someone else’s existing photo was uploaded) as well as compared against the provided photo ID.
ID.me’s document + biometric verification is built into their primary product offering. They take doc + bio verification a step further than any of the other companies with a "remote in-person” identity proofing interview: a video call in which an applicant must present their documents live. This happens only for the set of people who cannot be verified at other steps in their process. (You can also get their document verification and/or doc + bio verification products individually, but we don’t have information about the pricing.)
Note:
IDology, and Socure have their own stand-alone document verification products that could be used as the “step up” from a different vendor’s synthetic identity detection. Alloy and Experian could likely provide just a document verification service, but it may not be the most efficient way to do so: Both use Acuant to provide document verification.
The following vendors do not have document verification:
Cognito
Ekata
SentiLink
ID.me is planning on adding 500 in-person identity proofing "outposts"
Idemia's could also be used by states looking to outsource physical/in-person identity proofing