
Exploring the science and magic of Identity and Access Management
Saturday, October 5, 2024
 

Identify Verified by miiCard

Identity
Author: Mark Dixon
Wednesday, March 20, 2013
9:41 pm


This evening, I stepped through the process of having my identity verified by miiCard. The process of establishing an account, verifying my identity, linking to my online accounts and posting a badge on my blog took about 30 minutes. Not too bad. You can click on my badge on the right to check the extent of my verification.

It will be interesting to learn how I can leverage this in the future.

 

13 Responses to “Identify Verified by miiCard”

    I like the vCard download, although boo and foo for email and phone is a little odd.

    Another aspect of the vCard – it uses the miicard page for the miicard identifier as the web address. That doesn’t seem quite right, but it may be more of a vCard limitation. (It would be more web-of-trust/verified-certificate-like if there was some sort of countersigning.)

    I think your experiments are very interesting. Thanks for the reports.

    Comment by orcmid on March 21, 2013 at 10:48 am

    I dug around in miicard and came back with a couple of concerns.

    1. The explanation of Multi-Factor Authentication in the FAQ on MFA is worrisome.

    2. It appears that the verification of the party identified with an miicard is the ability to log into an on-line banking account. (Sort of the OAuth drill.) That’s not something I would be happy doing. I didn’t go into the sign-up process enough to confirm this. Do I have that right?

    Comment by orcmid on March 21, 2013 at 11:21 am

    Thanks for the information. You uncovered some details that I didn’t.

    The verification process is a bit troubling. I had to provide my user name and password for my bank account. I only did that after I read some stuff on multiple websites that indicated miiCard was trustworthy – but I still changed my password immediately after the verification was done. I think that process will need to be changed.

    Comment by Mark Dixon on March 21, 2013 at 2:43 pm

    This is a test comment.

    Comment by Mark Dixon on March 21, 2013 at 2:51 pm

    It’s interesting that you changed your on-line banking password after obtaining your miiCard. My impression is that they will periodically re-ping that account to confirm your sustained association, so it will be interesting to see what happens then.

    Comment by orcmid on March 22, 2013 at 10:36 am

    Hi Mark and orcmid,

    Thank you for signing up to miiCard and for your review and comments. We really appreciate all the feedback we get from our members as we develop the service.

    I thought it might be helpful to explain our identity proofing process in more detail as I see there are some questions around how we do this. The strong level of identity proofing online that miiCard provides comes from you proving ownership of your financial accounts using your secure credentials. We do this for a number of reasons. Firstly we need to use information only known to you, we can’t use information about you (bank account number, date of birth etc) as this information is widely available and is contributing to increasing fraud levels through identity theft. Secondly, your bank knows you really well, so we are able to ‘passport’ the identity checks carried out when you opened the account into your miiCard. We use a checking account for verification and ensure a name match as well as a minimum of 4 transactions per month so that we can ensure the account is active. Through our regular revalidation of miiCard members we can ensure the identity is always up to date and ready to be used. This also helps to maintain traceability back to the individual should it be required. Changing your log in details on your bank account will result in your miiCard verification status dropping when the system revalidates your account. The only way to revalidate your miiCard will be for you to go back into your account and connect your bank account again.

    To connect you to your financial accounts we use a data aggregation service and have partnered with a company called Yodlee who are experts in this field. Yodlee has been around for 10 years, has about 40m users and highlights 45 of the top 55 banks in the US as their customers (including Bank of America/etc). We never store these or any other sensitive information about these accounts and keep it a strictly read-only environment. Please do let me know if I can help with further information here.

    Multi-Factor authentication FAQ – we are in the process of reviewing our authentication FAQs now as we have recently added support for YubiKey and Toopher to provide members options for securing their accounts. I think the MFA FAQ you are referring to orcmid is our explanation of 2-FA devices used to access some online banking. I’ll get this reviewed by our security team but would love your input on how we could improve this further.

    On the vCard, those fields should not be displaying and we are working on a fix for this for the next release – thank you for bringing this to our attention.

    Again, we really appreciate your feedback and would welcome the opportunity to discuss miiCard with you further.

    Regards,
    Cassie

    Comment by Cassie Anderson on March 25, 2013 at 12:48 pm

    Hello Cassie:

    Thanks for your reply.

    I am still very concerned with your process of identity proofing. I can see how it works to verify my identity, but I propose that it presents huge risks to each user and to you. Suppose I have $5,000 in my accounts. I am betting $5,000 that people and systems I don’t know will not use my private credentials to access that money. While I realize that is not your objective, it is the unintended consequences that trouble me. If by some minor chance, your system was breached, I could lose the $5,000 – and you could be held liable for all such losses for all your customers. Unless you contractually indemnify me against all such losses, including litigation costs, it is highly doubtful that I will let you or your agent retain a copy of my password.

    If that means that miiCard doesn’t work for me in the long run, so be it. I would hope that you could find some other way to verify my identity or find a way to calm my fears.

    Thanks,

    Mark

    Comment by Mark Dixon on March 25, 2013 at 4:59 pm

    Thank you Mark for your concern and for getting back in touch. We absolutely appreciate that this is a sensitive issue and while it is the only method we know of to prove your identity purely online, it has been built with these concerns in mind.
     
    The specific reason why we have partnered with Yodlee to connect you to your online secure accounts is to protect your information and enforce a read only environment. There is no functionality within miiCard or Yodlee that either provides access directly to your secure credentials or anything other than read-only access to your details. Account aggregation has been in use for years and is very established practice used by millions of people every day.
     
    Given the multi-party environment it is impossible for us to indemnify against all risks associated with operating online but we do take responsibility for our part of the process, Yodlee for theirs and so-forth. If by using miiCard you did experience a loss that was contributed (with evidence) to a failing of our systems then we would of course cover you.
     
    While we can explain and support a decision as much as we can – we understand that it’s a personal decision. We hope you make the decision to use miiCard but if not I would personally thank you for taking the time to consider it.

    Regards,
    Cassie

    Comment by Cassie Anderson on April 1, 2013 at 1:27 am

    Cassie:

    Thanks again for your reply and clarification. I will investigate further until I understand whether the risk is worth the reward.

    Mark

    Comment by Mark Dixon on April 1, 2013 at 7:51 pm

    I have MiiCard verified ID, but it is useless to me, both socially and in business!
    MiiCard has verified my legal first name and surname. However, I happen to belong to a common group of people who prefer to use their middle name! I was named after my father, but I have always been called “Geoffrey”. Even my mother called me Geoffrey!
    Every man, woman, business, university, website, etc. etc. knows me as Geoff or Geoffrey. And this includes both people locally and (IMPORTANT TO ME) “internationally”, and it is included in my full legal name on my Passport.
    But MiiCard does NOT recognize middle names. Hence, in a social or business context (the problem only gets worse when I include international networking), having to use my MiiCard-verified “first name”- which no one in the world would recognize – would cause me all kinds of hassle, and very likely, breed distrust.
    So, I do not use or promote my MiiCard ID!
    Actually, I have complained loudly to MiiCard, and persisted in my true claim: MiiCard does NOT prove ID, it proves your “banking ID”, not your everyday, business or social ID, which you may use locally or internationally. Currently, we are exchanging ideas. I have suggested a process to MiiCard, which is “an optional appendix to the current MiiCard ID”.
    This is for those people, who want to include their full legal name (their Passport name) as part of their MiiCard ID. Briefly, it involves getting a legally-certified copy of a person’s Passport name or ID. In Australia, when I have to prove my ID to a Government Department – for example, I am ordering a personal document via the postal service, concerning Births, Deaths and Marriages related to my current status – I go to the local police or justice authorities, who must visually check my photo and signature in my Passport or Driving License (whatever is required) and certify that “I am the true applicant”.
    As I am discussing with MiiCard, my Passport suggestion works and it is NOT a replacement for the current MiiCard process. It is simply an option for those people who want it, to have “their full Passport name” on their MiiCard ID. This only seems equitable to me. Also, it could be important for non-English cultures, where the Western model does not necessarily apply. As an aside, in China PRC, many people have an English common name, by which they are known, which is totally unrelated to their formal Chinese banking name; but that is another story.
    My MiiCard manager is very sympathetic, but faces the usual problems in getting the attention of Management in IT-oriented companies, where IT projects actually take longer than they do (ponder that!)
    But seriously, I feel a sense of discrimination regarding my personal identity and reputation. It will not take long for “someone somewhere” to NOT succeed in an employment or promotion application, to lose out, and then to discover that it was because the organization was reliant on MiiCard ID as a general criterion or filter for separating people into “will consider this person, put him/her into the pool of potential candidates” and “will not consider this person further”. MiiCard and Employers may wish to dwell a moment on the legal implications.
    Wish us luck in getting MiiCard Management to focus on “what MiiCard members and industry wants”, not on “you must change your life and fit into the MiiCard mould … or else”.

    Comment by Geoff Alford on May 22, 2013 at 6:07 pm

    I totally agree with the concern about providing my bank log in information to be verified. Let’s say I do lose the hypothetical $5000 mentioned earlier. There is nothing in any agreement I have read that says I would be reimbursed for that loss. A certain company that I do business with requires miicard in order for me to get a better deal on their services. I have offered a copy of my passport to no avail. If a passport is good enough to get me back into the US after international travel, why is it not good enough to prove my identity to miicard? I personally think that a great many people would agree. I might be willing to provide it once, but to leave it on file and possibly have it hacked later is unacceptable.

    Comment by Robert Lacy on July 26, 2013 at 9:32 am

    Thank you again for your comments and thoughts on miiCard.

    While we understand that the use of bank details may not be for everyone it is a very strong source of validation that is accepted across a number of industries. It is also something that the majority of people that operate online already have and that can be quickly used to create a high level of trust, a level of trust that doesn’t exist today, when interacting purely online.

    While the process for connecting financial profiles to miiCard is widely accepted (50m+ consumers and 45 of the top 55 banks in the US use it) we are actively looking for additional methods to verify real identities. To date we have not found an alternative that doesn’t require a physical interview or process of some sort. It is this level of both trust and convenience while giving our members complete control over their identities which is so special about miiCard.

    miiCard as a Bring Your Own Identity is very focused on supporting the needs of our members and as such we take all of the suggestions and feedback very seriously. I have seen myself the middle name point highlighted here raised internally and know that our product team is looking for ways to accommodate this. What’s critical is that we find ways of verifying these details so that we can ensure you can trust them when you view someone else’s miiCard – and when a business needs to rely on it.

    Thank you again for your thoughts and feedback. Having seen this conversation run for a while I wanted to take the personal opportunity to get involved and offer any insights and feedback I could.

    Thanks!

    James Varga

    Comment by James Varga on August 6, 2013 at 1:38 am

    James:

    Thank you for taking the time to respond. I appreciate your interest and sensitivity. However, I still cannot support miiCard’s position that I must share my personal login credentials to my bank account to validate my identity. I am an information security professional, specializing in Identity and Access Management. Sharing personal passwords with anyone, no matter how well-intentioned, is not a safe practice. We continually advise our clients against it, and provide identity management software to help companies enforce the preferred industry practice of keeping one’s passwords completely confidential. While I can appreciate that validating my identity via my bank account in this manner can be good for you, I have concluded that it is not good for me. I did it once with miiCard and immediately changed my password. Your company is the only company which has required me to do this, while several others have successfully validated my identity via my bank account without requiring me to share login credentials. I simply do not see the value miiCard offers me that would cause me to violate sound, proven security principles to meet your requirements.

    Thank you,

    Mark

    Comment by Mark Dixon on August 6, 2013 at 7:52 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.