[WG-IDAssurance] Updates to my comments

Scott Shorter sshorter at electrosoft-inc.com
Fri Dec 6 14:48:10 CST 2013


To follow up on prior discussion, the FFIEC guidance has some good
information about attribute verification on page 13 of
http://www.ffiec.gov/pdf/authentication_guidance.pdf, namely:

Customer verification is a related but separate process from that of
authentication. Customer
verification complements the authentication process and should occur during
account
origination. Verification of personal information may be achieved in three
ways:

• Positive verification to ensure that material information provided by an
applicant matches
information available from trusted third party sources. More specifically,
a financial
institution can verify a potential customer's identity by comparing the
applicant's answers
to a series of detailed questions against information in a trusted database
(e.g., a reliable
credit report) to see if the information supplied by the applicant matches
information in the
database. As the questions become more specific and detailed, correct
answers provide
the financial institution with an increasing level of confidence that the
applicant is who
they say they are.

• Logical verification to ensure that information provided is logically
consistent (e.g., do the
telephone area code, ZIP code, and street address match).

• Negative verification to ensure that information provided has not
previously been
associated with fraudulent activity. For example, applicant information can
be compared
against fraud databases to determine whether any of the information is
associated with
known incidents of fraudulent behavior. In the case of commercial
customers, however,
the sole reliance on online electronic database comparison techniques is
not adequate since
certain documents (e.g., bylaws) needed to establish an individual's right
to act on a
company's behalf are not available from databases. Institutions still must
rely on
traditional forms of personal identification and document validation
combined with
electronic verification tools.

Might be worth a reference as we ask them to clarify about verification.
-
Scott


On Fri, Dec 6, 2013 at 1:56 PM, Scott Shorter
<sshorter at electrosoft-inc.com>wrote:

> Hi all,
>
> Updates to a few comments based on today's call.  The "IAWG let's discuss
> on Friday" comment is now:
>
> 1. Clarify the distinction between identity proofing and identity
> resolution, the attribute verification requirements for each, and when
> those requirements are applicable (e.g. CSPs/RAs during enrollment, CSPs as
> attribute providers, RPs during account linking and problem resolution,
> etc.)
>
> 2. RPs should be able to make a determination based on their risk
> assessment whether credentials based on data broker verification meets
> their needs.  FICAM could provide guidance on the pros and cons, and
> consider providing granularity in levels of Identity Assurance reflecting
> the data sources against which verification was performed.
>
>
> Does that more or less reflect the discussion?
>
> I didn't add this because we didn't discuss it, but what also occurred to
> me is:
>
> 3. FICAM could declare that SSN is not an acceptable "valid current
> government ID number" during remote identity proofing.
>
>
> NIST has persistently declined to clarify this issue, although the
> conspicuous lack of the term "picture ID" in column 2 of Table 3 of SP
> 800-63-2 does permit it.  Changing that would be huge, and I doubt a
> suggestion to do so would clear the ARB, but I offer it for the sake of
> completeness.
> -
> Scott
> --
> Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.
> sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793
>



-- 
Scott Shorter, Principal Security Engineer, Electrosoft Services Inc.
sshorter at electrosoft-inc.com O: 703-437-9451 x21 M: 240-994-7793
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-idassurance/attachments/20131206/e5974a6c/attachment.html>


More information about the WG-IDAssurance mailing list