This document discusses identity proofing and verification. It defines key identity concepts like establishment, resolution, validation and verification. It explains that verified identity is needed to deliver high-value digital services and discusses challenges like confusing terminology and siloed identity systems. The document also reviews standards like NIST SP 800-63-2 and considers how to take a minimal and contextual approach to identity attributes disclosure.
3. Verified identity is the starting point for the delivery of high value digital services, benefits and entitlements
● Who are you?
● What are you?
● What are you entitled to?
● ...
4. Verified identity is the starting point for the delivery of high value digital services, benefits and entitlements
Public Sector
● Who are you?
● Are you eligible for a government benefit?
Identity Risk Issues
● Benefits fraud
● Longer processing time
● Redundant processes
Financial Sector
● Who are you?
● How will you pay?
Identity Risk Issues
● Financial fraud
● Money laundering
● Higher transaction fees
Healthcare Sector
● Who are you?
● What is your medical history?
Identity Risk Issues
● Prescription fraud
● Patient privacy
● Record integrity
… but the consequences of identity risk issues are felt by everyone
Today, verified identities are managed in “cylinders of excellence”, a.k.a. silos ...
5. Identity, security and privacy architects are critical to successful digital service delivery
6. Confusing terms and practices threaten the promise of digital service delivery
Credentialing
Vetting
KBA
Claimant
Verifier
Provisioning
7. Keep the focus on uniquely identifying the person at the other end of the wire and not on marketing terminology
9. Identity: A set of attributes that uniquely describe an individual within a given context
Who are you, really?
10. Identity: A set of attributes that uniquely describe an individual within a given context
Verification
Validation
Resolution
Establishment
11. Identity: A set of attributes that uniquely describe an individual within a given context
Verification
Validation
Resolution
Establishment
Establishment: Creation of a new identity, in an authoritative source, where none have existed previously
12. Creation of a new identity in an authoritative source where none have existed before
13. Establishment = Initial creation in system of record
● Initial record of existence
● Very few entities are responsible for this record
● Typically in public sector
14. Establishment = Initial jurisdictional encounter
● First encounter by a jurisdiction
○ Immigration
○ Visitor
● Few responsible entities
● Typically in public sector
15. Identity: A set of attributes that uniquely describe an individual within a given context
Verification
Validation
Resolution
Establishment
Resolution: Confirmation that an identity has been resolved to a unique individual within a particular context
16. NASPO IDPV Project
Identity resolution study results
Category | Attribute | Description
Name | Name | First Name AND Last Name
Location | Partial Address | Postal Code OR (City and State)
Location | Place of Birth | (City or County) AND (State or Foreign Country)
Time | Partial Date of Birth | (Month and Day) OR Year
Time | Full Date of Birth |
Identifier | Partial Social Security Number | Last 4 Digits
Identifier | Full Social Security Number | Full 9 Digits
NASPO IDPV Identity Resolution Study Data
Measure | Attribute Bundle 1 | Attribute Bundle 2 | Attribute Bundle 3 | Attribute Bundle 4 | Attribute Bundle 5
% Resolved | 97.56 | 96.29 | 96.65 | 97.00 | 96.52
% Null Identities | ~12 | ~12 | ~3 | ~17 | ~3
% Availability | ~88 | ~88 | ~97 | ~83 | ~97
% Null Identities: identity record missing one or more attributes needed for a particular bundle; an approximate measure of the lack of availability of the attribute bundle.
% Availability: 100 - % Null Identities.
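Added example (not part of the original slides or of the NASPO study): a Python sketch of how the three measures in this table can be computed when evaluating a candidate attribute bundle against your own identity records. The records, attribute names and bundle compositions are constructed for illustration, and computing % Resolved over non-null records only is an assumption.

```python
from collections import Counter

# Constructed sample records (not study data). None marks a missing attribute.
RECORDS = [
    {"first": "Ana", "last": "Diaz", "postal": "20001", "dob": "1980-02-11", "ssn4": "1234"},
    {"first": "ana", "last": "DIAZ ", "postal": "20001", "dob": "1975-07-30", "ssn4": "9876"},
    {"first": "Bo", "last": "Lee", "postal": "73301", "dob": "1990-12-01", "ssn4": None},
    {"first": "Cy", "last": "Ng", "postal": None, "dob": "1962-05-19", "ssn4": "5555"},
    {"first": "Di", "last": "Roy", "postal": "10001", "dob": "1988-03-03", "ssn4": "4321"},
]

# Hypothetical bundles; the study's own bundle compositions are not reproduced here.
BUNDLES = {
    "name+postal": ("first", "last", "postal"),
    "name+postal+dob": ("first", "last", "postal", "dob"),
    "name+dob+ssn4": ("first", "last", "dob", "ssn4"),
}

def bundle_key(record, attrs):
    """Normalized tuple of bundle values, or None for a null identity
    (record missing one or more attributes the bundle needs)."""
    values = [record.get(a) for a in attrs]
    if any(v is None or not v.strip() for v in values):
        return None
    # Case and whitespace differences must not make one person look like two.
    return tuple(" ".join(v.split()).casefold() for v in values)

def evaluate_bundle(records, attrs):
    """Return % resolved, % null identities and % availability for a bundle."""
    if not records:
        raise ValueError("no records to evaluate")
    keys = [bundle_key(r, attrs) for r in records]
    usable = [k for k in keys if k is not None]
    counts = Counter(usable)
    # A record is resolved when no other record shares its bundle values.
    resolved = sum(1 for k in usable if counts[k] == 1)
    pct_null = 100.0 * (len(keys) - len(usable)) / len(keys)
    # Assumption: % resolved is measured over records that have the full bundle.
    pct_resolved = 100.0 * resolved / len(usable) if usable else 0.0
    return {
        "pct_resolved": round(pct_resolved, 2),
        "pct_null": round(pct_null, 2),
        "pct_availability": round(100.0 - pct_null, 2),
    }

if __name__ == "__main__":
    for name, attrs in BUNDLES.items():
        print(name, evaluate_bundle(RECORDS, attrs))
```

On the sample data, name plus postal code leaves two records indistinguishable, while adding date of birth resolves every record that has the full bundle without changing availability.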
17. NIST SP 800-63-2 Electronic Authentication Guideline
Remote identity proofing @ Assurance Level 2
Level 2 Record Checks
- 1 Government Record OR
- 1 Financial or Utility Record
● Full Legal Name
● Date of Birth
18. NIST SP 800-63-2 Electronic Authentication Guideline
Remote identity proofing @ Assurance Level 3
Level 3 Record Checks
- 1 Government Record AND
- 1 Financial or Utility Record
● Full Legal Name
● Date of Birth
19. NASPO IDPV Project
Overlap with NIST identity proofing requirements
Category | Attribute | Description
Name | Name | First Name AND Last Name
Location | Partial Address | Postal Code OR (City and State)
Location | Place of Birth | (City or County) AND (State or Foreign Country)
Time | Partial Date of Birth | (Month and Day) OR Year
Time | Full Date of Birth |
Identifier | Partial Social Security Number | Last 4 Digits
Identifier | Full Social Security Number | Full 9 Digits
NASPO IDPV Identity Resolution Study Data
Measure | Attribute Bundle 1 | Attribute Bundle 2 | Attribute Bundle 3 | Attribute Bundle 4 | Attribute Bundle 5
% Resolved | 97.56 | 96.29 | 96.65 | 97.00 | 96.52
% Null Identities | ~12 | ~12 | ~3 | ~17 | ~3
% Availability | ~88 | ~88 | ~97 | ~83 | ~97
% Null Identities: identity record missing one or more attributes needed for a particular bundle; an approximate measure of the lack of availability of the attribute bundle.
% Availability: 100 - % Null Identities.
20. Requirements of selected non-US jurisdictions - enabling interoperability
Canada
● Name
● Date of Birth
● Gender
● Place of Birth
● ...
New Zealand
● Name
● Date of Birth
● Gender
● Place of Birth
●
UK
● Name
● Date of Birth
● Gender
●
● Address
21. Disclosure of personal information MUST be minimal, contextual and fit for purpose. Otherwise ...
24. Identity Proofing
Minimal Data Collection
Identity Attributes | Additional Matching Criteria | Personal Attributes
● Full Legal Name
● Date of Birth
● Gender
● Place of Birth
● Address of Record
● […]
● [Contextual]
● [Authority]
● [Entitlement]
● [Business Process]
25. Identity: A set of attributes that uniquely describe an individual within a given context
Verification
Validation
Resolution
Establishment
Validation: Confirmation of the accuracy of the identity as established by an authoritative source
28. No Easy Answers (especially in the US)
Due diligence needed by implementers
● What authoritative sources do you have access to?
● Direct or downstream access?
○ Data refresh interval?
○ Data quality?
● Scoring algorithm information?
● ...
29. Identity: A set of attributes that uniquely describe an individual within a given context
Verification
Validation
Resolution
Establishment
Verification: Confirmation that the identity relates to a specific individual
30. Knowledge based verification is the current state of practice. Answers private, not secret
Can you use internal data to generate the questions?
31. Social media mining and data breaches make knowledge based verification less effective
32. Verification is an area ripe for innovation and disruption
● Live video?
● Blended online + in-person?
● Digital notaries?
● Biometrics?
● ...
33. Identification is in the critical path of successful digital service delivery
35. Map vendor-neutral concepts to services and products that you can leverage, evaluate, build or buy
Verification
Validation
Resolution
Establishment