Poor Man Verified ID
Issue/Topic: Poor Man’s Identity Verification
Session: Wednesday 2G
Convener: Jon Webb
Notes-taker(s): Jon Webb, Dan Miller
Verified Identity, anonymity, delegated authority
What do people want to verify?
- Confirm address
- Employment verification
- Job role verification
- Jon Webb Sony Playstation wants verification that the user is who they claim to be and that it hasn't changed since the last time seen (Playstation has 50mm+ users)
How to prevent account sharing that degrades quality of service for the network and other users?
Q: did people consider delegated authorities?
A: People have less need to share account information since they can delegate use appropriately
e.g. edit timesheets on another’s behalf, manage parental consent for minors, allow trusted users to conduct banking activities
Noted that systems to implement delegated authority have really only been deployed in the enterprise space, not much in the consumer space. UX in consumer space is a concern.
Pat From Equifax. Studying parental consent issue. Verifying 1.5mm users per day. Community filtering of sex offenders is common.
Allan from HP presented an interesting approach at last year’s IIW that had to do with provisioning with an unguessable URL
Need to keep it low friction.
You could put additional challenge response cycle
Pat: You need very little info to verify ID. But it depends on the problem you're trying to solve, what kind of data and what do you need to verify, it comes down to what's the business case
Verification generally happens out of band
Password maps are hard to transfer between users. They are a personalized image where elements of the image are the password
Multifactor to avoid
How to assert ID without promoting a way for them to share the id
Discussed credit cards as an imperfect form of identity