While the industry rushes to standardize and improve authentication, how will holders of consumer accounts assure that the identities behind those credentials and multiple factors are real? You can add identity proofing after an account already exists, and doing so can actually improve consumer privacy. Does proofing really have to be in person? This presentation shows how to measure what happens during an in-person identity proof and how to perform equivalent steps within online systems.
Proofing ex post facto from Cloud Identity Summit 2017
1. Add identity proofing to your accounts, after they’ve been established
2. WHY "ADD" IDENTITY PROOFING?
• Proofing value (IAL) must be added to Multi-Factor Authentication (AAL) to achieve a higher overall Level of Assurance (LOA)
• A higher LOA is required to provide services to users that involve higher risk to the Service Provider (SP)
• Higher-value services require you to proof your customer accounts better, and more strongly than KYC
3. NIST 800-63 Defines "Levels" for Identity over Time
• Enrollment Time: Proofing (800-63A)
  – Identity Assurance Level (IAL)
  – Credential Issuance Event
• Over Time: Assurance
  – Credential Integrity
  – Revocation & Validity
  – Usage Tracking / Evaluation
  – Reputation Scoring
  – Location Detection
• Transaction Time: Authentication (800-63B)
  – Authentication Assurance Level (AAL)
  – User Verification
Combining the two levels:
  800-63A     800-63B     Combined LOA
  IAL1     +  AAL1     =  LOA2 (Low)
  IAL2     +  AAL2     =  LOA3 (Substantial)
  IAL3     +  AAL3     =  LOA4 (High)
(SP 800-63-3 itself specifies IAL, AAL and FAL separately rather than a single LOA; the combined column is the deck's shorthand.)
5. IDENTITY PROOFING (Proofing, 800-63A)
What happens in person during an Identity Proofing Event, and how can it translate to an online or mobile action?
6. Qualified Record
Identity Proofing Event: Evidence → Resolved Identity (Digital Subject) → Authenticate
Evidence must be Valid, Authentic, Documented, Real and Unique:
• Single Identity
• Valid Attributes
• Scanned Images
• Authenticatable
Steps of the proofing event (800-63A):
• Resolution: determine that the evidence is for a single legal identity
• Evidence Qualification: data validation and document authentication
• Verification: multi-factor authentication of the applicant to the evidence
2017 @davidkelts
7. Resolved Identity
Minimum attributes for Legal Identity Resolution:
• Full Legal Name
• Date of Birth
• Place of Birth
• Sex
Additional attributes that activate use cases for a Legal Identity:
• Citizenship
• Address
• Over 18 / Over 21
• US Legal Presence
• Mobile Number
Identity Resolution: what attributes resolve to a Single Legal Identity?
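The resolution step applied to concrete evidence, as an added example that is not from the original slides: three documents from different issuers are normalised on the deck's minimum attribute set (full legal name, date of birth, place of birth, sex) and the record resolves only if every document agrees on every one of them. The Evidence record shape, the normalisation rules and the sample records are assumptions made for this example.

```python
"""Identity resolution: do several pieces of evidence describe one legal identity?

Added example (not from the original slides). The Evidence shape, the
normalisation rules and the sample records are assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass

MINIMUM_ATTRIBUTES = ("full_name", "date_of_birth", "place_of_birth", "sex")
SEX_ALIASES = {"f": "F", "female": "F", "m": "M", "male": "M", "x": "X"}


def normalize_text(value: str) -> str:
    """Strip diacritics and punctuation, fold case, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", value)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", plain.casefold())
    return " ".join(tokens.split())


def normalize_name(value: str) -> str:
    # Issuers disagree on name order (MRZ "SURNAME<<GIVEN" vs "Given Surname") and
    # on hyphenation, so compare the sorted token set rather than the raw string.
    tokens = normalize_text(value.replace("<", " ")).split()
    return " ".join(sorted(tokens))


def normalize_sex(value: str) -> str:
    key = value.strip().casefold()
    if key not in SEX_ALIASES:
        raise ValueError(f"unrecognised sex value {value!r}")
    return SEX_ALIASES[key]


@dataclass(frozen=True)
class Evidence:
    issuer: str
    full_name: str
    date_of_birth: str
    place_of_birth: str
    sex: str
    # Each issuer's date layout is known in advance; parsing with it avoids the
    # 01/02/1974 day-month ambiguity that guessing the format would introduce.
    date_format: str = "%Y-%m-%d"

    def canonical(self) -> dict:
        from datetime import datetime
        dob = datetime.strptime(self.date_of_birth.strip(), self.date_format).date()
        return {
            "full_name": normalize_name(self.full_name),
            "date_of_birth": dob.isoformat(),
            "place_of_birth": normalize_text(self.place_of_birth),
            "sex": normalize_sex(self.sex),
        }


def resolve(evidence: list) -> tuple:
    """Return (resolved attributes, conflicts).

    Resolution succeeds only when every piece of evidence agrees on every
    minimum attribute; each disagreement is reported per attribute and issuer
    so an operator can pause, stop or flag the record.
    """
    if not evidence:
        return None, ["no evidence presented"]
    canon = [(e.issuer, e.canonical()) for e in evidence]
    conflicts = []
    for attr in MINIMUM_ATTRIBUTES:
        if len({c[attr] for _, c in canon}) > 1:
            detail = ", ".join(f"{issuer}={c[attr]!r}" for issuer, c in canon)
            conflicts.append(f"{attr}: {detail}")
    return (None, conflicts) if conflicts else (canon[0][1], [])


# Constructed sample evidence: three documents for the same (fictional) person,
# each written the way its issuer formats it.
SAMPLE_EVIDENCE = [
    Evidence("passport", "ERIKSSON<<ANNA<MARIA", "19740812", "Göteborg, Sweden", "F", "%Y%m%d"),
    Evidence("driving_licence", "Anna-Maria Eriksson", "12/08/1974", "GOTEBORG SWEDEN", "female", "%d/%m/%Y"),
    Evidence("birth_certificate", "Anna Maria Eriksson", "1974-08-12", "Göteborg (Sweden)", "F"),
]

if __name__ == "__main__":
    print(resolve(SAMPLE_EVIDENCE))
```

The sorted-token comparison is deliberately strict: a document carrying only "Anna Eriksson" does not resolve against one carrying "Anna Maria Eriksson", which is the right default for a proofing step; relax it only with a documented rule, never by silently accepting partial matches.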
9. Post Issuance Authentication
Authenticity of credentials at points of service.
Secure Credential Design
• Creates a feeling of authority that we all detect
• UV- and IR-exposed features
• Requires hardware and the physical document present
• Visual inspection
Document Authentication: determine that the identity evidence is official and untampered
• White light scan: document authentication and data extraction
• Advanced pattern recognition: biometric techniques applied to documents, machine learning of unique patterns, detectable security features
• New white-light techniques enable Doc Auth APIs
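The data-extraction and data-validation part of qualifying a scanned passport, as an added example that is not from the original slides: the ICAO 9303 TD3 machine-readable zone is parsed and every check digit, including the composite one, is recomputed. This proves the extracted data is internally consistent and was not altered in transcription; it does not authenticate the physical document (UV/IR features, chip signature), which is the separate step the slide describes. The specimen MRZ is the ICAO 9303 sample data, assembled inline; the two-digit-year pivot is an assumption.

```python
"""ICAO 9303 TD3 (passport) MRZ extraction and check-digit validation.

Added example (not from the original slides). The specimen MRZ is the
ICAO 9303 sample data; the year pivot rule is an assumption.
"""
from dataclasses import dataclass
from datetime import date

WEIGHTS = (7, 3, 1)


def char_value(ch: str) -> int:
    """ICAO 9303 values: digits as themselves, A-Z as 10-35, filler '<' as 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def digit_ok(field: str, cd: str) -> bool:
    return cd.isdigit() and check_digit(field) == int(cd)


def mrz_date(yymmdd: str, century: int) -> date:
    return date(century + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))


@dataclass(frozen=True)
class Td3:
    document_number: str
    nationality: str
    surname: str
    given_names: str
    date_of_birth: date
    sex: str
    expiry: date
    checks: dict  # field name -> check digit verified


def parse_td3(line1: str, line2: str, birth_pivot: int = 25) -> Td3:
    """Parse the two 44-character TD3 lines and verify every check digit.

    Two-digit birth years above birth_pivot are taken as 19xx, otherwise 20xx;
    expiry dates are always taken as 20xx (assumption suited to current documents).
    """
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 lines must be exactly 44 characters")
    if line1[0] != "P":
        raise ValueError("not a passport (document code must start with 'P')")
    name_parts = line1[5:44].rstrip("<").split("<<", 1)
    surname = name_parts[0].replace("<", " ")
    given = name_parts[1].replace("<", " ") if len(name_parts) > 1 else ""

    doc_no, doc_cd = line2[0:9], line2[9]
    dob, dob_cd = line2[13:19], line2[19]
    exp, exp_cd = line2[21:27], line2[27]
    optional, opt_cd = line2[28:42], line2[42]
    # The composite digit covers document number, birth date and expiry/optional
    # data together with their own check digits (positions 1-10, 14-20, 22-43).
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    checks = {
        "document_number": digit_ok(doc_no, doc_cd),
        "date_of_birth": digit_ok(dob, dob_cd),
        "expiry": digit_ok(exp, exp_cd),
        # An unused optional field may carry '<' instead of a digit.
        "optional_data": (opt_cd == "<" and optional.strip("<") == "") or digit_ok(optional, opt_cd),
        "composite": digit_ok(composite, line2[43]),
    }
    yy = int(dob[:2])
    return Td3(
        document_number=doc_no.rstrip("<"),
        nationality=line2[10:13],
        surname=surname,
        given_names=given,
        date_of_birth=mrz_date(dob, 1900 if yy > birth_pivot else 2000),
        sex=line2[20],
        expiry=mrz_date(exp, 2000),
        checks=checks,
    )


# ICAO 9303 specimen (Utopia passport for ERIKSSON, ANNA MARIA), built field by field.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = ("L898902C3" + "6" + "UTO" + "740812" + "2" + "F"
                  + "120415" + "9" + "ZE184226B<<<<<" + "1" + "0")

if __name__ == "__main__":
    print(parse_td3(SPECIMEN_LINE1, SPECIMEN_LINE2))
```

Passing all five checks is only the start of qualification: the extracted document number, nationality and dates then go to the issuer or an authoritative source (the PDPS/CDLIS or passport validity lookups the later slides list) to confirm the document exists and is not revoked.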
10. COMPARING IDENTITY PROOFING EVENTS (Proofing, 800-63A)
What are the requirements for the common identity proofs that citizens go through, and what IAL would each of these proofs achieve?
11. Know Your Customer (KYC)
Requirements
• Proof of Legal Name and commonly used names
• Proof of Permanent Address
• Collect Date of Birth
• Collect a unique identifier from a document
Resolution
• Not specified
Qualification
• Visual data validation against the presented document: unexpired passport, PAN Card, Voter Identity Card, unexpired driving license, others for proof of address
Verification
• Authentication not specified
• Operator visual
12. DMV Standard (in person)
Requirements
• Proof of Legal Name and commonly used names
• Proof of Permanent Address
• Proof of Date of Birth
• Proof of Signature
• Nationality & Legal Presence in US/State
• Collect a front-facing photo
Resolution
• Processing to ensure 1 Person = 1 Record
• Operator option to pause, stop, or flag the record
Qualification
• Validate data: SSOLV (Social Security Online Verification; name), PDPS & CDLIS (Problem Driver Pointer System, Commercial Driver's License Information System), EVVE (Electronic Verification of Vital Events; birth)
• Scan multiple documents
• Anti-forgery efforts, fraud document training, authentication equipment
• Operator visual inspection, including the guardian's documents if the applicant is under the age of consent
Verification
• 1:Record biometric
• 1:Many biometric
• Background checks
13. Real ID (in person)
Requirements
• Proof of Legal Name and commonly used names
• Proof of Permanent Address
• Proof of Date of Birth
• Proof of Signature
• Proof of Nationality & Legal Presence in US
• Proof of Social Security Number
• Collect a front-facing photo at the start of proofing
• Collect a scan of the documents
• Unique identifying number
Resolution
• Processing to ensure 1 Person = 1 Record
• Participate cross-state in 1 Person = 1 Record
• Operator option to pause, stop, or flag the record
Qualification
• Validate data: SSOLV (name & SSN), PDPS & CDLIS, EVVE (birth), SAVE (Systematic Alien Verification for Entitlements; legal presence)
• Retain scanned documents 5 – 7 years
• Anti-forgery efforts, fraud document training, authentication equipment
• Operator visual inspection, including the guardian if the applicant is under the age of consent
Verification
• 1:Record biometric
• 1:Many biometric
• Background checks
14. Comparing Proofing Processes
What you need to know
• KYC is a little more than an identity verification
• Every DMV proofing meets IAL3
• Real ID exceeds that
  – States have all implemented it
  – Roadblocked in 4 states? Legislative
• These open opportunities for you to attach to strong identity
15. IDENTITY ASSURANCE (Assurance)
Accuracy of the identity attributes: the underlying concepts needed to understand how to validate identity data.
16. Measure of Freshness, Based on Decay Rate
[Chart: Accuracy over Time. Accuracy is highest at the Proofing Event, declines at the attribute's Decay Rate through subsequent Authentications, and is Stale once it falls below Tolerance; a Refresh Cycle restores it.]
Decay rates vary by attribute, from "never" to "annually":
• Date Of Birth
• Place of Birth
• Sex
• Citizenship
• Full Name
• Legal Presence
• Over 21, Over 18
• Mobile Number
• Address
• Driver Status
17. Measure of Provenance
Distance from the original legal identity record (birth plus authorized changes), from more authoritative to more subject to error (including error from decay rate):
• Primary Records: Birth Registry, Social Security, Marriage Registry, Nationality DBs, Death Master File
• Proofing Authority / Document Issuer: DL valid/exists, Passport valid/exists
• Aggregated Proofs / Published Records: Public Records
• Algorithmic Correlations (Correlated): Public Records, Public Posts, Public Data
Validate: can you validate against an Authenticated Token?
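Freshness (slide 16) and provenance (slide 17) turned into a decision about whether a held attribute can support a use case, as an added example that is not from the original slides: freshness is modelled as exponential decay with a per-attribute half-life (None meaning the attribute never decays), provenance as the tier of the record the value was last validated against. The half-lives, tiers, tolerances, use case and sample account data are all assumptions chosen for illustration, not figures from the deck.

```python
"""Attribute freshness (decay rate) and provenance as a usability decision.

Added example, not from the original slides. Half-lives, tiers, tolerances
and the sample data are assumptions; dates are ISO 8601 strings.
"""
import math
from dataclasses import dataclass
from datetime import date

# Provenance tiers, ordered from "more authoritative" to "more subject to error".
PRIMARY, ISSUER, AGGREGATED, CORRELATED = 0, 1, 2, 3

# Assumed accuracy half-life in years; None means the attribute does not decay.
HALF_LIFE_YEARS = {
    "date_of_birth": None, "place_of_birth": None, "over_18": None, "over_21": None,
    "sex": 40.0, "citizenship": 25.0, "full_name": 15.0, "legal_presence": 5.0,
    "mobile_number": 2.0, "address": 1.5, "driver_status": 0.5,
}


def accuracy(attr: str, validated_on: str, as_of: str) -> float:
    """Estimated probability that the value validated on validated_on still holds on as_of."""
    half_life = HALF_LIFE_YEARS[attr]
    if half_life is None:
        return 1.0
    years = (date.fromisoformat(as_of) - date.fromisoformat(validated_on)).days / 365.25
    return 0.5 ** (years / half_life)


def refresh_cycle_years(attr: str, tolerance: float):
    """How often an attribute must be re-validated to stay above tolerance (None: never)."""
    half_life = HALF_LIFE_YEARS[attr]
    if half_life is None:
        return None
    return half_life * math.log2(1.0 / tolerance)


@dataclass(frozen=True)
class ValidatedAttribute:
    name: str
    value: str
    provenance: int     # one of the tier constants above
    validated_on: str   # ISO date of the proofing event or last refresh


@dataclass(frozen=True)
class UseCase:
    name: str
    required: dict      # attribute -> (worst acceptable provenance tier, minimum accuracy)


def evaluate(use_case: UseCase, held: list, as_of: str) -> tuple:
    """Return (ok, findings); each finding names what blocks the use case and the fix."""
    by_name = {a.name: a for a in held}
    findings = []
    for attr, (max_tier, tolerance) in use_case.required.items():
        a = by_name.get(attr)
        if a is None:
            findings.append(f"{attr}: not held; collect and validate it")
            continue
        if a.provenance > max_tier:
            findings.append(f"{attr}: provenance tier {a.provenance} weaker than required "
                            f"{max_tier}; re-validate against a more authoritative source")
        acc = accuracy(attr, a.validated_on, as_of)
        if acc < tolerance:
            findings.append(f"{attr}: stale (accuracy {acc:.2f} below {tolerance}); refresh")
    return (not findings), findings


# Constructed sample: an account proofed on 1 June 2017. Date of birth was checked
# against a vital-records source (primary); address came from a utility bill (aggregated).
SAMPLE_HELD = [
    ValidatedAttribute("date_of_birth", "1974-08-12", PRIMARY, "2017-06-01"),
    ValidatedAttribute("address", "12 Example Street", AGGREGATED, "2017-06-01"),
]
AGE_RESTRICTED_DELIVERY = UseCase(
    "age_restricted_delivery",
    {"date_of_birth": (ISSUER, 0.99), "address": (AGGREGATED, 0.8)},
)

if __name__ == "__main__":
    for when in ("2017-09-01", "2019-06-01"):
        print(when, evaluate(AGE_RESTRICTED_DELIVERY, SAMPLE_HELD, when))
```

With these assumed figures the address is usable three months after proofing but stale two years later, while the date of birth never decays; the refresh cycle the model yields for address at 0.8 tolerance is about half a year, which is the kind of number that should drive the refresh step in slide 16 rather than a fixed annual policy.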
18. ADDING IDENTITY PROOFING (Assurance)
• Qualified Evidence can be added if the user is authenticated to the identity record at a high AAL.
• Reputation scoring, while valuable, is not identity proofing.
• Usage tracking and patterns, while valuable, are not identity proofing.
19. Your Accounts – the goal is to…
Strengthen Proofing Concepts
• Resolution: determine a single legal identity
• Evidence Qualification: data validation; document authentication
• Verification: multi-factor authentication to the identity evidence
Validate Assurance Concepts
• Attribute: valid
• Provenance
• Freshness
• Accuracy
20. Add Identity Assurance to Your Accounts (toward IAL2 and IAL3)
• Scan authentic identity documents
• Validate the identity data you hold
• Verify the identity of the account holder
• Bind to another high-IAL account
• Proof the individual
Even after registration, Qualified Evidence can bring your accounts upward to NIST 800-63A Identity Assurance Levels, using APIs for user and ID verification and API connections to authoritative sources for data validation.
21. Key Additional Steps
• Authenticate your user at your highest possible AAL before you
  – Scan, upload, or snap a document
  – Webcam or selfie their face
  – Capture a biometric (see the hole in TouchID)
  – Scan data from one of their documents
• Presentation Attack Detection
• Risk: evaluation of signals
• Privacy: beware of outsourcing (GDPR)
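The first of these steps as an enforceable gate, as an added example that is not from the original slides: before a document scan, selfie, biometric or document-data capture is accepted as evidence for an existing account, the session must be at the highest AAL the account's enrolled authenticators can reach, must be at least AAL2 so the evidence is bound to an account the person has demonstrably controlled with two factors (the slide 18 condition), and must be inside that AAL's reauthentication window. The Factor and Session shapes, the AAL rule of thumb and the sample sessions are assumptions; the reauthentication limits are the ones NIST SP 800-63B gives per AAL.

```python
"""Gate ex post facto evidence capture on the session's authentication strength.

Added example, not from the original slides. Factor/Session shapes, the AAL
rule of thumb and the sample sessions are assumptions; the reauthentication
limits are those of NIST SP 800-63B. Timestamps are ISO 8601 strings.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CAPTURE_STEPS = {"scan_document", "selfie", "biometric", "scan_document_data"}

# 800-63B reauthentication limits per AAL: (maximum session lifetime, inactivity timeout).
REAUTH_LIMITS = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}


@dataclass(frozen=True)
class Factor:
    kind: str                               # "knowledge", "possession" or "inherence"
    hardware: bool = False                  # hardware-based cryptographic authenticator
    impersonation_resistant: bool = False   # verifier-impersonation resistant (e.g. FIDO2)
    multi_factor: bool = False              # authenticator that itself demands a second factor


def aal_reached(factors: list) -> int:
    """Simplified reading of 800-63B: AAL1 needs one factor, AAL2 two distinct
    factor kinds (or a multi-factor authenticator), AAL3 additionally a hardware,
    verifier-impersonation-resistant authenticator."""
    if not factors:
        return 0
    kinds = {f.kind for f in factors}
    if len(kinds) < 2 and not any(f.multi_factor for f in factors):
        return 1
    if any(f.hardware and f.impersonation_resistant for f in factors):
        return 3
    return 2


@dataclass(frozen=True)
class Session:
    factors: list
    authenticated_at: str    # ISO 8601, UTC
    last_activity_at: str


def gate_capture(session: Session, step: str, account_max_aal: int, now: str) -> tuple:
    """Return (allowed, reason) for a proposed evidence-capture step."""
    if step not in CAPTURE_STEPS:
        return False, f"unknown evidence capture step {step!r}"
    aal = aal_reached(session.factors)
    if aal < 2:
        return False, f"session is AAL{aal}; evidence is only bound at AAL2 or above"
    if aal < account_max_aal:
        return False, f"session is AAL{aal}; step up to AAL{account_max_aal} before capturing evidence"
    lifetime, idle = REAUTH_LIMITS[aal]
    t_now = datetime.fromisoformat(now)
    if t_now - datetime.fromisoformat(session.authenticated_at) > lifetime:
        return False, f"reauthenticate: AAL{aal} session lifetime of {lifetime} exceeded"
    if idle is not None and t_now - datetime.fromisoformat(session.last_activity_at) > idle:
        return False, f"reauthenticate: AAL{aal} inactivity limit of {idle} exceeded"
    return True, f"AAL{aal} session may {step}"


# Constructed sessions for an account enrolled with a password and a FIDO2 security key
# (so its highest reachable AAL is 3).
PASSWORD = Factor("knowledge")
TOTP_APP = Factor("possession")
SECURITY_KEY = Factor("possession", hardware=True, impersonation_resistant=True)
NOW = "2017-06-20T10:00:00+00:00"
STRONG = Session([PASSWORD, SECURITY_KEY], "2017-06-20T09:50:00+00:00", "2017-06-20T09:59:00+00:00")
PASSWORD_ONLY = Session([PASSWORD], "2017-06-20T09:50:00+00:00", "2017-06-20T09:59:00+00:00")
IDLE_AAL2 = Session([PASSWORD, TOTP_APP], "2017-06-20T09:00:00+00:00", "2017-06-20T09:15:00+00:00")

if __name__ == "__main__":
    for name, s in (("strong", STRONG), ("password_only", PASSWORD_ONLY), ("idle_aal2", IDLE_AAL2)):
        print(name, gate_capture(s, "selfie", 3, NOW))
```

The gate runs before the capture, not after: a selfie or document image taken in a weakly authenticated session cannot be retroactively bound to the account, and the remaining steps on the slide (presentation attack detection, risk signals, keeping the captured images inside your own GDPR boundary) apply to whatever the gate lets through.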