2016 Global Identity Summit

Identity, Proofing/Verification and Credentialing: Level Setting (Room Tampa Convention Center:Room 15-16)

Identity Proofing and Validation (IDPV) services are those services that verify a person's identity before an institution issues them accounts and credentials. IDPV practices are typically based upon "life history" or transactional information that is aggregated from public and proprietary data sources. The authoritativeness of data sources may vary depending upon the needs and risk factors associated with the nature of the transactions that take place within a specific community of interest. IDPV services may be applied in both remote and face-to-face scenarios. IDPV services may also be used to add a further layer of assurance for stronger authentication where higher-risk transactions occur.

IDPV is typically performed by verifying a unique set of attributes about a subject (user). The type and number of attributes verified will vary based upon the risk associated with a transaction. Additionally, depending upon the context of the transaction, a community must determine which data sources are considered authoritative and trustworthy. IDPV, performed at a level commensurate with the associated level of transactional risk, is a critical component in building a trusted identity ecosystem of tools and services positioned to address the societal and economic implications of the digital transformation.

NIST Special Publication 800-63-2 sets out guidance for U.S. government agencies with regard to identity proofing requirements as well as other mechanisms. NIST SP 800-63-2 is informed by OMB Memorandum M-04-04, which defines Levels of Assurance to guide agencies and communities toward identity authentication best practices based upon defined levels of risk. The memorandum sets out Levels of Assurance that range from 1 (little or no confidence) to 4 (very high confidence), aligned with various transactional scenarios.

IDPV Use Cases at a glance

Use cases for IDPV services are myriad.

- Use case scenarios that require little or no confidence also require little or no IDPV; they typically include access to services such as subscribing to the local weather report or accessing one's favorite online radio station. A user may simply create a userid and password, or federate their account with an existing credential service provider.
- An IDPV use case that requires slightly more confidence is changing one's address of record stored with a service provider. These types of changes require more confidence in the correct identification of the subject who is making the change. In this scenario a service can mitigate risk by sending an additional email, text message, or out-of-band postal letter to the subject to re-affirm the change. In doing so, the service is relying upon IDPV that was performed by someone else, for example by a telecommunications provider when it issued the subject's phone number and device.
- A use case requiring strong IDPV practices is a patient seeking to access their medical records. In accordance with jurisdictional regulations, health data is considered confidential, sensitive, and private. This data requires stronger IDPV, authentication, and authorization mechanisms. A biometric identifier may be used in this type of scenario in addition to a userid and password.
- Finally, a use case requiring the strongest confidence in IDPV is the dispensing of a controlled substance. A biometric and/or hard-token credential is required, and that credential must be stored on a trusted device issued by an authority. This mechanism can be paired with other mechanisms such as userid, password, one-time password, etc.
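The second use case above (re-affirming an address change out of band) is the one with a concrete mechanism behind it, so here is an added example of how a service can hold such a change pending until the subject confirms it. This is illustrative code written for this page, not code from the summit, NIST, or any service provider; the class and method names, the server key, the 15-minute lifetime and the in-memory "outbox" standing in for the email/SMS/postal channel are all assumptions made for the example. The security-relevant details it shows are that the confirmation is sent to the contact point of record before the change (never to the new one), that the pending table stores only an HMAC of the token, and that a token is single-use and expires.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret for this example; a real service keeps it in a secrets manager.
SERVER_KEY = b"example-only-server-key"
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a confirmation token


class AddressChangeService:
    """Holds address-of-record changes pending until the subject re-affirms them out of band."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised deterministically
        self.records = {}       # user_id -> {"email": ..., "postal": ...}
        self.pending = {}       # hmac(token) -> (user_id, new_postal, expires_at)
        self.outbox = []        # constructed stand-in for the out-of-band channel

    def register(self, user_id, email, postal):
        self.records[user_id] = {"email": email, "postal": postal}

    @staticmethod
    def _token_hash(token):
        # Only a keyed hash of the token is stored, so a leaked pending table cannot confirm changes.
        return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

    def request_change(self, user_id, new_postal):
        """Record the requested change but do not apply it; send a confirmation out of band."""
        rec = self.records[user_id]
        token = secrets.token_urlsafe(32)
        self.pending[self._token_hash(token)] = (user_id, new_postal, self.now() + TOKEN_TTL_SECONDS)
        # Confirmation goes to the contact point of record *before* the change, never the new address,
        # otherwise an attacker who controls the new address could confirm their own change.
        self.outbox.append({"to": rec["email"], "token": token})

    def confirm_change(self, token):
        """Apply the pending change if the presented token is valid, unexpired and unused."""
        entry = self.pending.pop(self._token_hash(token), None)  # pop makes the token single-use
        if entry is None:
            return False
        user_id, new_postal, expires_at = entry
        if self.now() > expires_at:
            return False
        self.records[user_id]["postal"] = new_postal
        return True


if __name__ == "__main__":
    svc = AddressChangeService()
    svc.register("u1", "alice@example.invalid", "1 Old Street")  # constructed sample data
    svc.request_change("u1", "9 New Road")
    print("after request:", svc.records["u1"]["postal"])          # still the old address
    token = svc.outbox[-1]["token"]                                 # subject reads the message
    print("confirm:", svc.confirm_change(token), svc.records["u1"]["postal"])
    print("replay:", svc.confirm_change(token))                     # token cannot be reused
```

Note that the token travels only over the out-of-band channel; an attacker who has the subject's password but not their mailbox or phone cannot complete the change, which is exactly the assurance the page says the service borrows from whoever proofed the subject when issuing that contact point.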