
ANSI Identity Verification Standards a good fit with Identity Assurance Framework

Yesterday, the Identity Theft Prevention and Identity Management Standards Panel (IDSP) released a workshop report calling for the development of an American National Standard on identity verification as a tool to help combat terrorism and identity theft. Kantara Initiative supports this work, and we look forward to continuing our engagement as this standards effort progresses to the next level. I serve on the Steering Committee of IDSP and I’d like to commend Jim McCabe, Graham Whitehead and the other contributors for their excellent work.

I’m writing this post from Washington, D.C., where I’m speaking at the Smart Card Alliance’s 8th Annual Smart Cards in Government conference. Yesterday I was on a panel here with Dan Combs, Brian Zimmer, and Tom Lockwood, where we had the opportunity to highlight this important milestone in the standards-setting process for identity vetting & proofing. This is an important standard that will improve the efficacy of Kantara’s own Identity Assurance Framework, since our Service Assessment Criteria for identity proofing are dependent on source documents (aka “breeder documents”). The new standard, to be developed on the impetus of yesterday’s ANSI Report, will improve the reliability of breeder documents.

Perhaps the most far-reaching benefit of this report’s recommendations will be on the stability of the consumer identity ecosystem that all “online” Americans find themselves in today. In order for electronic credentials like username & password, or more secure credentials like OTP devices or Smart Cards, to be trusted at the highest levels of assurance, they must be properly bound to the identity of the user. Our Identity Assurance Framework standardizes a way of doing this but is largely dependent on the validity of the source credentials used during the enrollment process. This is why we support the IDSP efforts to improve the validity of all source credentials issued in the United States, and will support this work moving forward as the foundation for an international standard in this area.

1 Comment »

  1. As an active participant in the IDSP workshop meetings that produced this report, I’d like to offer a few observations about this effort.

    The report really does a couple of things. First off, it points out the problems with using “identity” documents such as birth certificates, driver’s licenses, and social security cards for establishing a person’s identity. Second, it proposes that guidelines are needed for the verification of a person’s identity with high confidence, and that those guidelines should form the basis of an ANSI standard for identity verification. Finally, it proposes that a process be developed for implementing those guidelines.

    Although the report points out that practical methods for identity verification are needed at varying degrees of assurance, corresponding to the four NIST/OMB assurance levels, consider that the workgroup was made up of people representing organizations such as the Department of Homeland Security, Social Security Administration, Coalition for a Secure Driver’s License, and American Association of Motor Vehicle Administrators, to name a few. These are folks who really want to know a person’s “true” identity with a high degree of confidence. In other words, I think it’s fair to say that the focus of this effort is to develop a standardized process for verification of a person’s true identity at the highest assurance levels, with lesser emphasis on identity verification at the lower assurance levels. That’s not a bad thing, because if you know how to verify someone’s identity with very high assurance, you can probably just be less rigorous in some parts of the process, or skip over certain parts, resulting in a lower assurance verification.

    Section 4 of the report gets to the heart of the matter, and describes the conceptual approach for developing the identity verification process. The process is based on collecting various items of documentation and other information about a person, possibly from more than one source, and “adjudicating” whether the collected evidence sufficiently establishes a person’s identity with the desired degree of assurance. Depending upon the type of information and documentation collected, the process could iterate between collecting supporting evidence, evaluating the evidence to see if it supports a particular claim of identity, and seeking additional evidence if the assurance level is not satisfied.

    For high assurance identity verification, this adjudication process will likely be sufficiently rigorous such that it may be impractical and time consuming to repeat it every time a person seeks to renew a driver’s license, or get a copy of a birth certificate, or do anything else in the physical world for which someone’s identity must be known with high confidence. So it might make sense to do it once for a given person, then issue that person a secure and trusted credential bound to the individual in some way, and which can be used to assert the verified identity, in different circumstances, with high assurance. In the online world, a new set of identity proofing criteria based on the adjudication process *could* be substantially different than the current identity proofing criteria specified in NIST 800-63 and the Kantara Identity Assurance Framework. Or the identity proofing criteria might just consist of authenticating, in some way, a secure, trusted credential issued on the basis of the new standardized adjudication process.

    Could a secure and trusted credential used in the physical world consist of a smart card containing a PKI certificate, and be used in the online world as well? That would essentially eliminate the need to do a separate identity proofing for the issuance of online digital credentials. There are some interesting possibilities and implications for high assurance digital identity credentials that arise from this effort.

    - Bob Pinheiro
    Chair, Kantara Consumer Identity Work Group

    Comment by Bob Pinheiro — October 30, 2009 @ 6:53 am



© Copyright 2009 - Kantara Initiative. All Rights Reserved