Identity Proofing – Can it be done well? Especially Remotely?

From IIW
Jump to: navigation, search

Non-Person Entities

Wednesday 4I

Convener: Jim Fenton

Notes-taker(s): Susan David Carevic

Tags for the session - technology discussed/ideas considered:

Identity Proofing

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Methods:

Remote:

KBA: Knowledge Based Access: questions – to assure identity – example: social security administration.

Data is out there – KBA not the best method,due to availability of data.

Trusted 3rd party certificates

Biometric + Doc Auth

Social Score/trust\vouching for persons

Fraud signals


Virtual In-Person:

Hasn’t been evaluated well – how clear must a video be, to ensure person is the same as picture in an ID card – if they are holding it up virtually.


In person:

works well, but is inconvenient for users and expensive process, but highly accurate, less scalable.


Other flavors:

Identity.com: Uses sequential upload followed by a verification process. (NetVerify).

AirBnB uses NetVerify.

We need to fully understand the in-person proofing process to be able to create an alternative solution. Here is what happens during an In Person Session:

  • Biometric screening
  • Records check
  • Proof of address, name, DoB
  • Credit style audit checks
  • Personal feeling if they are lying
  • Interview process to verify data
  • Original identity document position/showing

Proofing of data usually a government role – not sure I trust companies to do this/this role. Governments shouldn’t outsource this responsibility. Personal feeling should not be criteria.

If there a better way to do Identity Proofing virtually or make Remote Identity proofing better?

  • We can’t count of federal agencies to do this

What can be done better to improve remote identity proofing?

  • Need to consider level of assurance needed: What LOA are we trying to talk about: All of them.

What ways are there to do identity proofing remotely:

  • Account activity: Answer question about recent transaction: but only binding to a Bank’s log. Only proving you have access to the logs.
  • Telesigning: Call API – they report on where person is/person associated with the phone number – if this matches the person using a credit card, you’ve verified identity.

In U.S. it all comes down to government documents?

In Canada: Office of Vital statistics

There is Federal Identity and State Identity in the U.S.

Federal Assurance Exchange: Credit bureau information.

Problem is how to verify the document remotely.

The fact that you have a drivers license, doesn’t necessarily mean that it identifies you.

Telesign: Creating a full loop – if that is correlated with an ID. Problem is any PBX can emulate a telephone number.

  • How can that get highjacked?
    • Because at any point you can redirect a phone number to another destination.

Does a telecom do any identity proofing before giving out a telephone number? No – just need to be able to pay.

Issuance of credential by U.S. Mail? Verification of address: They mail a code or some other information. There is also registered mail requiring a signature.

Derived Proof: Create registration process that provides sufficient binding to proof. Selfie + ID Card scan, biometric check, send to DMV – and provide a score of likelihood person is who they say they are. Are DMVs allowed to share information? - they only share an opinion, don’t need to send out data.

Why is there a need to send packet to DMV? Privacy measure. More difficult to compare facial features to a copy of a card with security features over the face.

DMV is not reliable source of identity information? – yes – because we call them that.

Few other things that could be used for proofing: Trust cloud\social score. LinkedIn: Professional resume with verification of employment provides proof that someone is a real person. : concern: more than one identity: for example, for voting—need to ensure voting only once.

Closing the loop is the only way to prevent at-scale attacks.