This document discusses identity proofing and verification. It defines key identity concepts like establishment, resolution, validation and verification. It explains that verified identity is needed to deliver high-value digital services and discusses challenges like confusing terminology and siloed identity systems. The document also reviews standards like NIST SP 800-63-2 and considers how to take a minimal and contextual approach to identity attributes disclosure.
Modernizing the Supply Chain into the 21st CenturyAnil John
U.S. Customs (CBP/Trade) Presentation at the 2022 FedID Conference on using W3C Verifiable Credentials and W3C Decentralized Identifiers to digitize the supply chain
Microservices promise a scalable architecture, increased flexibility, and better performance. But then you find out what’s actually involved in designing, developing, and running a microservices-based architecture. It turns out it’s not that straightforward after all.
Often the discussion around microservices is framed by a false dichotomy between the messy monolith and the lean and mean microservices architecture. Sander Mak explains that there’s a third way: the modularized application. Functional decomposition of your application doesn’t imply that every component has to become its own independent process.
Modularization is about strong encapsulation, well-defined interfaces, and explicit dependencies. Many languages offer in-process modularization features (for example, Java 9 with its upcoming module system), and there’s a strong overlap between the microservices philosophy and development benefits—without incurring the penalty of operational complexity.
Sander explores the right (and wrong) reasons for going with a microservices architecture, as well as what a modularized application entails. You’ll see that splitting up an existing service or application into microservices isn’t always the clear winner. You’ll leave able to choose between the alternatives for the right reasons. There’s a place for both independently deployed microservices and larger applications with a strong internal modular structure. Choose wisely.
Watch full webinar here: https://buff.ly/3q9zL02
Under Quebec’s Law 25, many new obligations come into effect as of September 22, 2023 regarding the handling and governance of personal information. Is your organization ready?
Denodo and Data Sentinel are two technology companies that have joined forces to provide a solution to many of the underlying issues associated with personal information stewardship. Please watch this webinar to learn:
The provisions that go into effect on September 22 and their impact on your organization.
How Automated Data Mapping can help you to implement your privacy program accurately and rapidly by:
- Automating the discovery and tracking of all personal information within your organization
- Automating the classification of PII and all other sensitive data
Cataloging PII and other sensitive data
- Automating the security of this data and auditing its ongoing usage
Who Should Attend:
Quebec's Law 25 applies to ALL businesses holding the personal information of Quebec citizens
- Director level and above responsible for risk, compliance, security, governance
- Privacy officers, CISO, CIO
- Executives of departments holding personal information, including Marketing, Human Resources, Finance, Procurement, etc.
What is identity proofing? What technologies help you proof a new user when they register with your mobile or web service? This presentation from Identity North shows you how.
Modernizing the Supply Chain into the 21st CenturyAnil John
U.S. Customs (CBP/Trade) Presentation at the 2022 FedID Conference on using W3C Verifiable Credentials and W3C Decentralized Identifiers to digitize the supply chain
Microservices promise a scalable architecture, increased flexibility, and better performance. But then you find out what’s actually involved in designing, developing, and running a microservices-based architecture. It turns out it’s not that straightforward after all.
Often the discussion around microservices is framed by a false dichotomy between the messy monolith and the lean and mean microservices architecture. Sander Mak explains that there’s a third way: the modularized application. Functional decomposition of your application doesn’t imply that every component has to become its own independent process.
Modularization is about strong encapsulation, well-defined interfaces, and explicit dependencies. Many languages offer in-process modularization features (for example, Java 9 with its upcoming module system), and there’s a strong overlap between the microservices philosophy and development benefits—without incurring the penalty of operational complexity.
Sander explores the right (and wrong) reasons for going with a microservices architecture, as well as what a modularized application entails. You’ll see that splitting up an existing service or application into microservices isn’t always the clear winner. You’ll leave able to choose between the alternatives for the right reasons. There’s a place for both independently deployed microservices and larger applications with a strong internal modular structure. Choose wisely.
Watch full webinar here: https://buff.ly/3q9zL02
Under Quebec’s Law 25, many new obligations come into effect as of September 22, 2023 regarding the handling and governance of personal information. Is your organization ready?
Denodo and Data Sentinel are two technology companies that have joined forces to provide a solution to many of the underlying issues associated with personal information stewardship. Please watch this webinar to learn:
The provisions that go into effect on September 22 and their impact on your organization.
How Automated Data Mapping can help you to implement your privacy program accurately and rapidly by:
- Automating the discovery and tracking of all personal information within your organization
- Automating the classification of PII and all other sensitive data
Cataloging PII and other sensitive data
- Automating the security of this data and auditing its ongoing usage
Who Should Attend:
Quebec's Law 25 applies to ALL businesses holding the personal information of Quebec citizens
- Director level and above responsible for risk, compliance, security, governance
- Privacy officers, CISO, CIO
- Executives of departments holding personal information, including Marketing, Human Resources, Finance, Procurement, etc.
What is identity proofing? What technologies help you proof a new user when they register with your mobile or web service? This presentation from Identity North shows you how.
Tips to Protect Your Organization from Data Breaches and Identity TheftCase IQ
Carrie Kerskie explains how to assess your organization for potential risks of data breaches and how to put a data breach and privacy plan in place to help you better protect your organization.
To watch the webinar recording, visit http://i-sight.com/webinar-protecting-your-organization-against-data-breaches-and-identity-theft/
Fraud Prevention Strategies to Fight First-Party Fraud and Synthetic Identity...TransUnion
We believe Gartner’s report, “The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses,” discusses the rise of synthetic identity and first party fraud losses being concealed as credit losses. In Part 2 of this webinar series we will explore Gartner’s recommendations and provide some real-world advice on how you can prepare your business to fight this trend.
In Part 2 of this webinar series, we’ll conclude with:
- Exploring how to battle synthetic identities and first party fraud
- Reviewing Gartner’s recommendations for building a comprehensive fraud prevention strategy
- Looking at some specific capabilities for helping to stop this type of fraud
*Gartner: Take a New Approach to Establishing and Sustaining Trust in Digital Identities, Tricia Phillips, Danny Luong, 1 March 2018.
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Steve Werby
Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.
Identity Fraud Protection Using Big Data Analytics - StampedeCon 2015StampedeCon
Presented at StampedeCon 2015: As technology evolves, consumers are able to do more and more things in a remote setting—banking, shopping, communication, you name it. The more enabled we are, the more fraud is possible. As individuals use their identities to apply for goods and services – credit, loans, wireless phones, mortgages, etc. – certain patterns emerge. ID Analytics, a LifeLock company, quantitatively evaluates billions of data points, in real time, to understand identity risk. The algorithms behind our analysis come from the state-of-the-art machine learning community.
In this talk, we’ll describe the modes of identity fraud with examples of some fraud rings that we have observed along with details of the data structures and big data algorithms we use to catch identity fraud.
Many people are interested in getting a security clearance. In this presentation we cover some of the things you must consider before seeking to be cleared.
Proofing ex post facto from Cloud Identity Summit 2017David Kelts, CIPT
While the industry rushes to standardize and improve
authentication, how will holders of consumer accounts assure that the identities behind those credentials and multiple factors are real? You can add identity proofing, and doing so can actually improve consumer privacy! Does proofing have to be in person, really, really? This presentation shows how to measure what happens during an identity proof and perform similar steps within online systems.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Tips to Protect Your Organization from Data Breaches and Identity TheftCase IQ
Carrie Kerskie explains how to assess your organization for potential risks of data breaches and how to put a data breach and privacy plan in place to help you better protect your organization.
To watch the webinar recording, visit http://i-sight.com/webinar-protecting-your-organization-against-data-breaches-and-identity-theft/
Fraud Prevention Strategies to Fight First-Party Fraud and Synthetic Identity...TransUnion
We believe Gartner’s report, “The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses,” discusses the rise of synthetic identity and first party fraud losses being concealed as credit losses. In Part 2 of this webinar series we will explore Gartner’s recommendations and provide some real-world advice on how you can prepare your business to fight this trend.
In Part 2 of this webinar series, we’ll conclude with:
- Exploring how to battle synthetic identities and first party fraud
- Reviewing Gartner’s recommendations for building a comprehensive fraud prevention strategy
- Looking at some specific capabilities for helping to stop this type of fraud
*Gartner: Take a New Approach to Establishing and Sustaining Trust in Digital Identities, Tricia Phillips, Danny Luong, 1 March 2018.
Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werb...Steve Werby
Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.
Identity Fraud Protection Using Big Data Analytics - StampedeCon 2015StampedeCon
Presented at StampedeCon 2015: As technology evolves, consumers are able to do more and more things in a remote setting—banking, shopping, communication, you name it. The more enabled we are, the more fraud is possible. As individuals use their identities to apply for goods and services – credit, loans, wireless phones, mortgages, etc. – certain patterns emerge. ID Analytics, a LifeLock company, quantitatively evaluates billions of data points, in real time, to understand identity risk. The algorithms behind our analysis come from the state-of-the-art machine learning community.
In this talk, we’ll describe the modes of identity fraud with examples of some fraud rings that we have observed along with details of the data structures and big data algorithms we use to catch identity fraud.
Many people are interested in getting a security clearance. In this presentation we cover some of the things you must consider before seeking to be cleared.
Proofing ex post facto from Cloud Identity Summit 2017David Kelts, CIPT
While the industry rushes to standardize and improve
authentication, how will holders of consumer accounts assure that the identities behind those credentials and multiple factors are real? You can add identity proofing, and doing so can actually improve consumer privacy! Does proofing have to be in person, really, really? This presentation shows how to measure what happens during an identity proof and perform similar steps within online systems.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
3. Verified identity is the starting point for the delivery of
high value digital services, benefits and entitlements
3
● Who are you?
● What are
you?
● What are you
entitled to?
● ...
4. Verified identity is the starting point for the delivery of
high value digital services, benefits and entitlements
Who are you?
Are you eligible for a
government benefit?
Benefits fraud
Longer processing time
Redundant processes
Identity Risk Issues
Public Sector
Who are you?
How will you pay?
Financial fraud
Money laundering
Higher transaction fees
Identity Risk Issues
Financial Sector
Who are you?
What is your medical
history?
Prescription fraud
Patient privacy
Record integrity
Identity Risk Issues
Healthcare Sector
… but the consequences of identity risk issues are felt by everyone
4
Today, verified identities are managed in “cylinders of excellence” a.k.a silos ...
5. Identity, security and privacy architects are critical to
successful digital service delivery
5
6. Confusing terms and practices threaten the promise of
digital service delivery
6
Credentialing
Vetting
KBA
Claimant
Verifier
Provisioning
7. Keep the focus on uniquely identifying the person at the
other end of the wire and not on marketing terminology
7
9. 9
Identity: A set of attributes that uniquely describe an
individual within a given context
Who are
you,
really?
10. 10
Identity: A set of attributes that uniquely describe an
individual within a given context
Verification
Validation
Resolution
Establishment
11. 11
Identity: A set of attributes that uniquely describe an
individual within a given context
Verification
Validation
Resolution
Establishment
Creation of a new
identity, in an
authoritative
source, where
none have existed
previously
12. Creation of a new identity in an authoritative source
where none have existed before
12
13. Establishment = Initial creation in system of record
13
● Initial record of
existence
● Very few entities
are responsible
for this record
● Typically in
public sector
14. Establishment = Initial jurisdictional encounter
14
● First encounter by
a jurisdiction
○ Immigration
○ Visitor
● Few responsible
entities
● Typically in public
sector
15. 15
Identity: A set of attributes that uniquely describe an
individual within a given context
Validation
Resolution
Establishment
Confirmation that
an identity has
been resolved to a
unique individual
within a particular
context
Verification
16. NASPO IDPV Project
Identity resolution study results
Category Attribute Description
Attribute Bundle
1 2 3 4 5
Name Name First Name AND Last Name
Location
Partial Address Postal Code OR (City and State)
Place of Birth (City or County) AND (State or Foreign Country)
Time
Partial Date of Birth (Month and Day) OR Year
Full Date of Birth
Identifier
Partial Social Security Number Last 4 Digits
Full Social Security Number Full 9 Digits
NASPO IDPV
Identity
Resolution
Study Data
% Resolved 97.56 96.29 96.65 97.00 96.52
% Null Identities
Identity record missing one or more attributes needed for a particular bundle
Approximate measure of the lack of availability of the attribute bundle
~ 12 ~ 12 ~ 3 ~ 17 ~ 3
% Availability
100 - % Null Identities
~ 88 ~ 88 ~ 97 ~ 83 ~ 97
17. NIST SP 800-63-2 Electronic Authentication Guideline
Remote identity proofing @ Assurance Level 2
17
Level 2 Record Checks
- 1 Government Record OR
- 1 Financial or Utility Record
Full Legal Name Date of Birth
18. NIST SP 800-63-2 Electronic Authentication Guideline
Remote identity proofing @ Assurance Level 3
18
Level 3 Record Checks
- 1 Government Record AND
- 1 Financial or Utility Record
Full Legal Name Date of Birth
19. NASPO IDPV Project
Overlap with NIST identity proofing requirements
Category Attribute Description
Attribute Bundle
1 2 3 4 5
Name Name First Name AND Last Name
Location
Partial Address Postal Code OR (City and State)
Place of Birth (City or County) AND (State or Foreign Country)
Time
Partial Date of Birth (Month and Day) OR Year
Full Date of Birth
Identifier
Partial Social Security Number Last 4 Digits
Full Social Security Number Full 9 Digits
NASPO IDPV
Identity
Resolution
Study Data
% Resolved 97.56 96.29 96.65 97.00 96.52
% Null Identities
Identity record missing one or more attributes needed for a particular bundle
Approximate measure of the lack of availability of the attribute bundle
~ 12 ~ 12 ~ 3 ~ 17 ~ 3
% Availability
100 - % Null Identities
~ 88 ~ 88 ~ 97 ~ 83 ~ 97
20. Requirements of selected non-US jurisdictions
- enabling interoperability
20
Canada
● Name
● Date of Birth
● Gender
● Place of Birth
● ...
New Zealand
● Name
● Date of Birth
● Gender
● Place of Birth
●
UK
● Name
● Date of Birth
● Gender
●
● Address
21. Disclosure of personal information MUST be minimal,
contextual and fit for purpose. Otherwise ...
21
24. 24
Identity Proofing
Minimal
Data Collection
Identity Attributes Additional Matching Criteria Personal Attributes
● Full Legal Name
● Date of Birth
● Gender
● Place of Birth
● Address of Record
● […]
● [Contextual]
● [Authority]
● [Entitlement]
● [Business Process]
25. 25
Identity: A set of attributes that uniquely describe an
individual within a given context
Resolution
Establishment
Confirmation of the
accuracy of the
identity as
established by an
authoritative
source
Verification
Validation
28. No Easy Answers (especially in the US)
Due diligence needed by implementers
28
● What authoritative
sources do you have
access to?
● Direct or downstream
access?
○ Data refresh interval?
○ Data quality?
● Scoring algorithm
information?
● ...
29. 29
Identity: A set of attributes that uniquely describe an
individual within a given context
Establishment
Confirmation that
the identity relates
to a specific
individual
Verification
Validation
Resolution
30. Knowledge based verification is the current
state of practice. Answers private, not secret
30
Can you use internal data to generate the questions?
31. Social media mining and data breaches make
knowledge based verification less effective
31
32. Verification is an area ripe for innovation and disruption
32
● Live video?
● Blended
online +
in-person?
● Digital
notaries?
● Biometrics?
● ...
33. Identification is in the critical path of successful digital
service delivery
33
35. 35
Map vendor-neutral concepts to services and products
that you can leverage, evaluate, build or buy
Verification
Validation
Resolution
Establishment