Identity Verification for People w/o Paper Trail (Open Discussion)

From IIW

Session Topic: How do we authenticate w/o a paper trail?

Tuesday 1K

Convener: Chris Papazian, Yoz

Notes-taker: Sarah Allen

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Many systems are built around challenge questions that rely on information about buying a house, having multiple permanent addresses, etc. There are people who don’t have that history. How do we verify them?

How do you do identity verification for new immigrants or other people without financial history?

UK Government — (Link coming soon) gov.uk working on an online identity verification system, historical the UK government

Texas allows 6 forms of identification to get a voter ID card; however, people who are new to this country may have none of them

In the US, we typically assume that people have:

  • a single, exact birth date
  • name that conforms to first name & last name

Use cases:

take an online persona and match them to a real-world identity

Consider alternate real-world authentication?

such as: real-life in-person verification

Is it ok if one person creates multiple accounts? For buying a house, sure. For a gun registry, that would be a problem.

LexisNexis search:

  • banks use this to verify identity
  • was fully breached and all of the data was taken — all that data is now in the wild

Another use case IDP (Identity Provider)

want to know that I’m talking to the same person that created the account — biometrics are perfect for this, since you can’t lose that like a password

I don’t actually need to know your true identity

“abidingness” is more important than identity, it’s tough to be anonymous and non-ephemeral

now we require another channel in addition to a password (email or cell phone)

Social scoring

calculations: 200 friends, had the account for 10 years, some score that it’s a legitimate identity

Voting needs to be anonymous, but also secure and provable

in Arizona you can look up voter record by voter ID or driver’s license


Levels of Establishing Trustworthy Accounts

  • Self-attested (enter your own data)
  • KBA - knowledge based authentication
  • Social Scoring or Account Consolidation (Klout, TrustCloud, LendDo, length of time? # friends?)
  • External Validation (miCard, or verification of deposit in an account - prove you have that acct)
  • Sponsored Member or Employee Accounts
  • Identity Proofing to get an Account (show up in person with evidence of paper trail)

it’s like the problem where spam email is more email than real email

there was an idea about “proof of work” — where you would have to do something computationally intensive to send an email

the levels above are identity verification that is based on proof-of-work

could create a distributed system where local governments verify that someone is a real person

Could we have some organization that is non-profit and trusted by the people? You go there and they take your fingerprint and they give you a cryptographic ID that you can use; they don’t reveal your fingerprint. That org could verify that the IDs were unique.

new crypto algorithm LRSW - person sets up their identity, then organizations verify something about that identity


Pseudonym Systems, Lysyanskaya, Rivest, Sahai, Wolf, MIT LCS paper

Oakland and NY, EBT cards (cash cards) incent someone to retain one identity

16,000 years of human interactions, if I was a shopkeeper, I know whether to trust someone because I recognize them and pattern of interactions — certain pattern of speech, look a certain way

BC government has done a lot of work on these issues. Population that loses their ID cards. Biometrics is a photograph. They have a chip-enabled ID card. Chip is a random number. If you lose it then it gets turned off. Thought through use cases for marginalized populations. A unique identifier for each system — linked to an individual identity.

polymorphic identification — one card, diff IDs for diff systems


Can you assert the unique ID? (or do you care who this person actually is)

Can you recover the ID? (how important is persistence?)

Can you rotate your credential?

Can you have privacy through pairwise identifiers?
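The card model and the four questions above, as an added sketch that is not from the session or from any government system: a random card number that can be turned off and replaced, and a different stable identifier per system. The Issuer class, the HMAC-SHA-256 derivation and the sample person and system names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Hypothetical issuer; the chip holds only a random number (constructed example)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer-only secret for deriving IDs
        self._cards = {}                     # card number -> [person_id, active]

    def issue_card(self, person_id):
        card = secrets.token_hex(16)
        self._cards[card] = [person_id, True]
        return card

    def replace_card(self, lost_card):
        # Recovery and rotation: turn the lost number off, bind a fresh one.
        self._cards[lost_card][1] = False
        return self.issue_card(self._cards[lost_card][0])

    def pairwise_id(self, card, system):
        # Each system gets its own stable identifier for the same person.
        entry = self._cards.get(card)
        if entry is None or not entry[1]:
            raise PermissionError("card unknown or turned off")
        msg = system.encode() + b"\x00" + entry[0].encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]


def is_rejected(issuer, card, system):
    try:
        issuer.pairwise_id(card, system)
        return False
    except PermissionError:
        return True


def demo():
    issuer = Issuer()
    card = issuer.issue_card("person-0001")       # constructed sample person
    health = issuer.pairwise_id(card, "health")   # constructed system names
    housing = issuer.pairwise_id(card, "housing")
    new_card = issuer.replace_card(card)
    return {
        "different_id_per_system": health != housing,
        "id_survives_card_loss": issuer.pairwise_id(new_card, "health") == health,
        "lost_card_turned_off": is_rejected(issuer, card, "health"),
    }
```

Two systems that compare records cannot join on the identifier, while the issuer can still recover the link after a card is lost, so the issuer's key and card table are what need protecting.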

New York City did a trial where people had to check into a homeless shelter.

The goal was to study the length of the average stay. (3 days, only 5% chronically return)

You need someone to vouch for the people who no one will vouch for — you need a social organization or government organization.

Concept of vouching

I know someone who is ok, so I am ok

People vouching for people. Could work for undocumented people. Immigrants or homeless.

Could there be an internet-equivalent of a notary?

We don’t need a situation where people trust the government? Instead the government needs to know that it can trust a particular person. However, this is a very narrow sense of trust — have you received these benefits before? Are you a veteran?

There are ways to imagine this being solved by personal cloud. Your personal cloud knows your birthday and will tell the store you are over 21 so you can buy alcohol, without revealing your birthday.

The block chain (like bitcoin), append only, distributed, encrypted.

When I am born, that fact is logged and encrypted and I’m the only one who can de-crypt it. I can give select people a secret decoder ring to decrypt that piece of personal data and they could verify it.