Five Ways Identity and Access Management (IAM) Cuts the Cost of Unemployment Insurance Fraud


Recent web searches show the massive volume of unemployment insurance fraud occurring across the United States. The increase in unemployment claims due to job losses stemming from the COVID-19 pandemic, coupled with aging IT systems, has led to an increase in identity theft, fraud, and loss of federal tax dollars. The State of Rhode Island estimates 43% of its unemployment claims in the past year may be fraudulent. California lost over $11 billion to fraud in the past year. Thousands of accounts that use Social Security numbers (SSN) as the primary account identifier have been stolen in Minnesota.

What’s Behind the Fraud?

There is no single answer, but the surge in COVID-19 related unemployment claims, stolen personally identifiable information (PII) from massive data breaches, and antiquated state unemployment systems that rely on out-of-date technology have generated the perfect storm for unemployment fraud. 

The United States government recognizes that state unemployment insurance systems are in dire need of upgrades or replacement. To address this crisis, the U.S. Department of Labor recently announced it will distribute $100 million in funding to state agencies to help them combat fraud and recover improper payments. This is a good start, but a much more comprehensive plan is needed.

Legacy Applications 

Some state unemployment insurance applications rely on technology that is at least 20 years old. This older technology does not provide an agile and efficient way for average citizens to quickly, securely, and safely access their unemployment claims. The systems are not user-friendly, even though many users want to log in and manage their claims from a smart device. Some states may not be in a position to upgrade their applications and systems until the pandemic surge in unemployment claims recedes.

Legacy Identity and Access Management (IAM) 

Deploying a modern identity and access management system on the front end of these legacy applications can help reduce fraud. Keeping the applications on premises and deploying an IAM solution in the cloud is the best approach. Leading analysts state that hybrid cloud and hybrid IAM will continue to be the best approach in the coming years to support legacy systems. Legacy applications will continue to prevail until they are migrated to either SaaS applications or applications developed in DevSecOps.

The ForgeRock Approach

ForgeRock protects several state unemployment systems with millions of constituents authenticating daily. Identity Gateway allows state governments to continue using their legacy unemployment applications with a more modern approach by providing an authentication framework for legacy applications. By coupling Identity Gateway with Identity Management, Access Management and Intelligent Access, state agencies now have a modern, more secure, and agile IAM platform that will meet their needs. 

“Identity and Access Management is a key foundation in modernizing unemployment insurance.”

— Mike Wyatt, Cyber Risk Leader focusing on Identity Management and State Government at Deloitte

What Can States Do? 

The U.S. Department of Labor has published guidelines that reference the National Institute of Standards and Technology’s (NIST).

While these guidelines attempt to address commonly encountered flaws, those flaws can be addressed more effectively by taking advantage of modern security tools such as those provided by ForgeRock. Here are the Labor Department’s recommendations and how ForgeRock can help:

1) Stop Using Social Security Numbers as a Constituent Login Method 

Social Security numbers (SSN) can be compromised in a variety of ways, including stolen mail and breached databases. The best approach is for constituents to log in using a unique identifier instead of their SSN. Unique identifiers offer additional benefits, including having a user-friendly syntax with data that only the owners would possess. They can also be used in other programs within the state without the fear of disclosure to inappropriate agents.

If an email address is used as the login key, ForgeRock’s user validation and orchestration tools within Identity Management can provide the necessary assurance of the email’s accuracy. In combination with the fraud detection analysis available in ForgeRock Intelligent Access, agencies can ensure that the email login key is unique and approved for use. 

2) Implement Robust Password Policies 

ForgeRock suggests having different password policies based on different types of users. Although complex password policies are not considered user-friendly, many backend unemployment systems running on mainframes require passwords for access. ForgeRock’s user interface (UI) ensures that passwords meet your desired security parameters and supports rigorous password refresh/reset policies when a user is going through registration, thereby maintaining a high level of confidence throughout the experience.

3) Implement Geo-Fencing

If a constituent is logging into the unemployment site from another state, that user should be flagged. Claimants should be in the state they are filing a claim in, ready and available for work. For example, if a login occurs from Montana for a New Jersey unemployment claim, this should be flagged as suspicious. 

ForgeRock Intelligent Access can use geolocation to verify that the user is logging in from a real location. For example, ForgeRock Access Management can allow a login event to occur only if it is physically possible. This prevents a person from logging in from two widely separated locations within a timeframe when movement at that speed would be impossible. Intelligent Access user journeys can be designed to transparently detect fraud through behavioral biometrics. If a login attempt does not fit the established use patterns, it can require the person logging in to provide stronger assurance of their identity. 
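The two checks described in this section, sketched as an added example (this is not ForgeRock code or configuration): a login is flagged when it comes from outside the claim's state, or when the speed implied by two consecutive logins is not physically possible. The names, the 900 km/h and 50 km thresholds, and the sample events are assumptions constructed for illustration; coordinates and state are assumed to come from an upstream geo-IP lookup.

```python
import math
from datetime import datetime
from typing import NamedTuple

MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0  # assumed tolerance for geo-IP imprecision

class Login(NamedTuple):
    user: str
    when: datetime
    lat: float
    lon: float
    state: str  # US state resolved from the source IP (assumed upstream lookup)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess(events, claim_state):
    """Return (login, reasons) for each login, in time order."""
    results, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        reasons = []
        if ev.state != claim_state:
            reasons.append("out_of_state")
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Real distance covered in zero elapsed time is also impossible.
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        last[ev.user] = ev
        results.append((ev, reasons))
    return results

# Constructed sample: one claimant with a New Jersey claim.
SAMPLE = [
    Login("claimant-1", datetime(2021, 3, 1, 9, 0), 40.22, -74.76, "NJ"),    # Trenton
    Login("claimant-1", datetime(2021, 3, 1, 10, 0), 46.59, -112.04, "MT"),  # Helena, 1 h later
    Login("claimant-1", datetime(2021, 3, 3, 9, 0), 40.74, -74.17, "NJ"),    # Newark, 2 days later
]

def step_up_required(events=SAMPLE, claim_state="NJ"):
    """Indexes of logins that should be asked for stronger identity assurance."""
    return [i for i, (_, why) in enumerate(assess(events, claim_state)) if why]
```

A flagged login is a signal to require stronger assurance rather than a verdict, since VPNs and mobile carriers can shift the apparent location of a legitimate claimant.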

4) Enable Contextual and Adaptive Multi-Factor Authentication

ForgeRock includes the cost of multi-factor authentication (MFA) with Intelligent Access, while other vendors charge for it. Most users now understand that MFA makes their login experience more secure, so they are generally willing to sign up for it. Depending on the perceived fraud risk and the type of transaction, ForgeRock Intelligent Access can also adjust the MFA method and require more validations if needed. Often, an MFA challenge requires minimal contribution from the user, for example, by using facial recognition through an iOS device along with a PIN.

5) Incorporate Identity Proofing Solutions

ForgeRock offers pre-built identity proofing solutions through its Trust Network partners. These vendors extend the digital experience by leveraging fast, accurate, and contextually driven flows. These journeys surpass the user validating experience achieved in face-to-face transactions and provide a global review of a person’s assertions to further decrease any chance of fraud. The dynamic nature of the ForgeRock identity proofing flow enables organizations to fine-tune proof of identity. This ensures the level of assurance always corresponds to the level of access or the type of assets a user may need to reach. The experience encountered is tailored to the type of user and the risk associated with the flow, without the need for manual interventions from state agents.

There’s no question that the applications and IAM systems behind state unemployment agencies desperately need to be modernized. ForgeRock has the technology to make unemployment insurance better, stronger, and faster.
