Identity Proofing – Can it be done well? Especially Remotely?
Non-Person Entities
Wednesday 4I
Convener: Jim Fenton
Notes-taker(s): Susan David Carevic
Tags for the session - technology discussed/ideas considered:
Identity Proofing
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Methods:
Remote:
KBA: Knowledge Based Access: questions to assure identity. Example: Social Security Administration.
Data is out there – KBA is not the best method, due to availability of data.
Trusted 3rd party certificates
Biometric + Doc Auth
Social score/trust/vouching for persons
Fraud signals
Virtual In-Person:
Hasn’t been evaluated well – how clear must a video be to ensure the person is the same as the picture on an ID card, if they are holding it up virtually?
In person:
Works well and is highly accurate, but is inconvenient for users, an expensive process, and less scalable.
Other flavors:
Identity.com: Uses sequential upload followed by a verification process. (NetVerify).
AirBnB uses NetVerify.
We need to fully understand the in-person proofing process to be able to create an alternative solution. Here is what happens during an In Person Session:
- Biometric screening
- Records check
- Proof of address, name, DoB
- Credit style audit checks
- Personal feeling if they are lying
- Interview process to verify data
- Original identity document possession/showing
Proofing of data is usually a government role – not sure I trust companies to do this role. Governments shouldn’t outsource this responsibility. Personal feeling should not be a criterion.
Is there a better way to do Identity Proofing virtually or make Remote Identity proofing better?
- We can’t count on federal agencies to do this
What can be done better to improve remote identity proofing?
- Need to consider level of assurance needed: What LOA are we trying to talk about: All of them.
What ways are there to do identity proofing remotely:
- Account activity: Answer question about recent transaction: but only binding to a Bank’s log. Only proving you have access to the logs.
- Telesigning: Call API – they report on where person is/person associated with the phone number – if this matches the person using a credit card, you’ve verified identity.
In U.S. it all comes down to government documents?
In Canada: Office of Vital statistics
There is Federal Identity and State Identity in the U.S.
Federal Assurance Exchange: Credit bureau information.
Problem is how to verify the document remotely.
The fact that you have a driver’s license doesn’t necessarily mean that it identifies you.
Telesign: Creating a full loop – if that is correlated with an ID. Problem is any PBX can emulate a telephone number.
- How can that get hijacked?
- Because at any point you can redirect a phone number to another destination.
Does a telecom do any identity proofing before giving out a telephone number? No – just need to be able to pay.
Issuance of credential by U.S. Mail? Verification of address: They mail a code or some other information. There is also registered mail requiring a signature.
Derived Proof: Create registration process that provides sufficient binding to proof. Selfie + ID Card scan, biometric check, send to DMV – and provide a score of likelihood person is who they say they are. Are DMVs allowed to share information? - they only share an opinion, don’t need to send out data.
Why is there a need to send packet to DMV? Privacy measure. More difficult to compare facial features to a copy of a card with security features over the face.
DMV is not a reliable source of identity information? – yes – because we call them that.
A few other things that could be used for proofing: Trust cloud/social score. LinkedIn: Professional resume with verification of employment provides proof that someone is a real person. Concern: more than one identity. For example, for voting, need to ensure voting only once.
Closing the loop is the only way to prevent at-scale attacks.