Poor Man Verified ID

From IIW

Issue/Topic: Poor Man’s Identity Verification

Session: Wednesday 2G

Convener: Jon Webb

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Notes-taker(s): Jon Webb, Dan Miller

Tags:

Verified Identity, anonymity, delegated authority

Discussion notes:

Brainstorm format:

What do people want to verify?

  • Confirm address
  • Employment verification
  • Job role verification
  • Jon Webb Sony Playstation wants verification that the user is who they claim to be and that it hasn't changed since the last time seen (Playstation has 50mm+ users)

How to prevent account sharing that degrades quality of service for the network and other users?

Q: did people consider delegated authorities?

A: People have less need to share account information since they can delegate use appropriately

e.g. edit timesheets on another’s behalf, manage parental consent for minors, allow trusted users to conduct banking activities

Noted that systems to implement delegated authority have really only been deployed in the enterprise space, not much in the consumer space. UX in consumer space is a concern.

Pat From Equifax. Studying parental consent issue. Verifying 1.5mm users per day. Community filtering of sex offenders is common.

Allan from HP presented an interesting approach at last year’s IIW that had to do with provisioning with an unguessable URL

Need to keep it low friction.

You could put additional challenge response cycle

Pat: You need very little info to verify ID. But it depends on the problem you're trying to solve, what kind of data and what do you need to verify, it comes down to what's the business case

Verification generally happens out of band

Password maps are hard to transfer between users. They are a personalized image where elements of the image are the password

Multifactor to avoid

How to assert ID without promoting a way for them to share the id

Discussed credit cards as an imperfect form of identity