Fri Apr 8 06:51:39 PDT 2016

Control Architecture: Identity proofing: How are asserted identities proofed after originally identified?


Options:

Alternatives include:

  • 0: No proof needed
  • 1: Identity token (of type)
  • 2: Biometric (of type)
  • 3: Repository check

Token types have characteristics allowing evidence of:

  • A: Unique identifier
  • B: Electronic information (O: optionally with integrity protection)
  • C: Proprietary knowledge required to reproduce it
  • D: Proprietary apparatus required to reproduce it
  • E: Authenticatable as to token source
  • F: Controlled issuing process based on original identity
  • G: Real name of the individual
  • H: Knowledge base for verification
  • I: Token was issued to the individual possessing it

Biometric evidence types include:

  • R: Photograph
  • S: Fingerprint
  • T: DNA information
  • U: Eye print
  • V: Facial characteristics
  • W: Hand geometry
  • X: Physical description
  • Y: Identifying marks
  • Z: Other physical information

Decision:

The individual being identified produces evidence of their identity, and that evidence is tested against the following minimums:

Consequence | Minimum Ratings              | Example
High        | 123ABOCDEFGHIR[S/T/U/V/W]XYZ | Common Access Card with biometrics used
Med         | 13ABOGHIRX                   | [Passport / Drivers license] and Verification Check
Low         | 1AIR                         | [Membership / Credit] card with Photo

Authentication process minimums
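The rating strings in the table are compact enough to misread by eye. The following Python is an added example, not code from the original page: it parses a minimum rating string under one reading of the code lists above (digits are required options, letters A-I and O are required token characteristics, letters R-Z are required biometric types, and a bracketed group such as [S/T/U/V/W] means at least one of those codes) and lists what a presented evidence package still lacks. That grammar, the constructed evidence sets and the function names are assumptions made for illustration.

```python
"""Checker for the "Minimum Ratings" strings in the decision table above.

Added example, not part of the original page. The grammar of a rating string
is one reading of the code lists above (an assumption):
  digits 0-3       proofing options that must be used
  letters A-I, O   token characteristics the evidence must show
  letters R-Z      biometric evidence types that must be present
  [S/T/U/V/W]      a bracketed group: at least one of the listed codes
"""
import re

OPTIONS = {"0": "No proof needed", "1": "Identity token",
           "2": "Biometric", "3": "Repository check"}
TOKEN_CHARACTERISTICS = {
    "A": "Unique identifier", "B": "Electronic information",
    "O": "Integrity protection of electronic information",
    "C": "Proprietary knowledge required to reproduce",
    "D": "Proprietary apparatus required to reproduce",
    "E": "Authenticatable as to token source",
    "F": "Controlled issuing process based on original identity",
    "G": "Real name of the individual", "H": "Knowledge base for verification",
    "I": "Token was issued to the individual possessing it",
}
BIOMETRICS = {"R": "Photograph", "S": "Fingerprint", "T": "DNA information",
              "U": "Eye print", "V": "Facial characteristics", "W": "Hand geometry",
              "X": "Physical description", "Y": "Identifying marks",
              "Z": "Other physical information"}
KNOWN_CODES = set(OPTIONS) | set(TOKEN_CHARACTERISTICS) | set(BIOMETRICS)

# The page's own minimums, keyed by consequence level.
MINIMUMS = {"High": "123ABOCDEFGHIR[S/T/U/V/W]XYZ",
            "Med": "13ABOGHIRX",
            "Low": "1AIR"}

# One bracketed alternative group, or one single code.
_ITEM_RE = re.compile(r"\[([0-9A-Z](?:/[0-9A-Z])*)\]|[0-9A-Z]")


def parse_rating(rating):
    """Split a rating string into (required codes, one-of groups).

    Raises ValueError on unknown codes or characters outside the grammar, so a
    mistyped policy string fails loudly instead of silently weakening a check.
    """
    required, any_of, pos = set(), [], 0
    for m in _ITEM_RE.finditer(rating):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos} in {rating!r}")
        pos = m.end()
        codes = m.group(1).split("/") if m.group(1) else [m.group(0)]
        unknown = set(codes) - KNOWN_CODES
        if unknown:
            raise ValueError(f"unknown code(s) {sorted(unknown)} in {rating!r}")
        if m.group(1):
            any_of.append(frozenset(codes))
        else:
            required.add(codes[0])
    if pos != len(rating):
        raise ValueError(f"unexpected text at offset {pos} in {rating!r}")
    return required, any_of


def is_valid_rating(rating):
    """True when the string parses under the grammar above."""
    try:
        parse_rating(rating)
        return True
    except ValueError:
        return False


def missing_for(consequence, evidence):
    """Return the requirements of `consequence` that `evidence` (the set of
    codes the presented package demonstrates) does not meet; [] means it passes."""
    required, any_of = parse_rating(MINIMUMS[consequence])
    have = set(evidence)
    missing = sorted(required - have)
    for group in any_of:
        if not group & have:
            missing.append("one of " + "/".join(sorted(group)))
    return missing


def meets_minimum(consequence, evidence):
    return not missing_for(consequence, evidence)


# Constructed evidence packages, coded with the lists above.
PHOTO_MEMBERSHIP_CARD = {"1", "A", "I", "R"}
PASSPORT_WITH_REPOSITORY_CHECK = {"1", "3", "A", "B", "O", "C", "D", "E", "F",
                                  "G", "H", "I", "R", "X"}
CAC_WITH_FINGERPRINT = PASSPORT_WITH_REPOSITORY_CHECK | {"2", "S", "Y", "Z"}

if __name__ == "__main__":
    for name, ev in [("membership card", PHOTO_MEMBERSHIP_CARD),
                     ("passport + check", PASSPORT_WITH_REPOSITORY_CHECK),
                     ("CAC + fingerprint", CAC_WITH_FINGERPRINT)]:
        for level in MINIMUMS:
            print(f"{name:18} {level:4} -> {missing_for(level, ev) or 'OK'}")
```

Rejecting unknown codes rather than ignoring them matters in a policy checker: a rating string with a typo would otherwise pass evidence that the author never meant to accept.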

Basis:

Identity proofing is a process by which an original identity is tied to an individual at a subsequent time. This is typically done through the use of identity tokens of some sort (e.g., a passport, driver's license, or other issued identity), optional biometrics (e.g., a picture on the identifier, fingerprint, retinal print, DNA analysis, etc.), and optional verification against a repository.

From: "Identity proofing: How are asserted identities proofed after originally identified" - the UK government standard - and an excellent description of a workable process.

Key Principles:

  • The process should enable a legitimate individual to prove their identity in a straightforward manner whilst creating significant barriers to those trying to claim to be somebody they are not.
  • The individual shall expressly declare their identity.
  • The individual shall provide evidence to prove their identity.
  • The evidence shall be confirmed as being Valid and/or Genuine and belonging to the individual.
  • Checks against the identity confirm whether it exists in the real world.
  • The breadth and depth of evidence and checking required shall differ depending on the level of assurance needed that the identity is real and belongs to the individual.

Process

  • The Applicant shall be required to declare the name, date of birth and address that they wish to be known as so that there is no ambiguity about the identity that is going to be used (Claimed Identity).
  • The Applicant shall be required to provide evidence that the Claimed Identity exists (Identity Evidence Package). This may be provided electronically or physically depending on the level of assurance required and the capabilities of the organization that is going to proof the Applicant.
  • The evidence provided shall be checked in order to determine whether it is Genuine and/or Valid (Validation).
  • The Applicant shall be compared to the provided evidence and/or knowledge about the Claimed Identity to determine whether it relates to them (Verification).
  • The Claimed Identity shall be subjected to checks to determine whether it has had an existence in the real world over a period of time (Activity History).
  • The Claimed Identity shall be checked with various counter-fraud services to ensure that it is not a known fraudulent identity and to help protect individuals who have been victims of identity theft (Counter-Fraud Checks).
  • At the end of the process there is an Assured Identity that describes the level of confidence that the Applicant is the owner of the Claimed Identity and that identity is genuine.
Level 1
  Details:   No requirement for the identity of the Applicant to be proved, so no declaration of a Claimed Identity is made, no evidence is needed and no proofing is performed. The Applicant provides an Identifier that can be used to confirm an individual as the Applicant. The Identifier has been checked to ensure that it is in the possession and/or control of the Applicant.
  Situation: Nominal identity check.

Level 2
  Details:   Identity is a Claimed Identity with evidence that supports the real world existence and activity of that identity. Steps are taken to determine that the identity relates to a real person and that the Applicant is the owner of that identity.
  Situation: This is intended to give sufficient confidence for the identity to be offered in support of civil proceedings.

Level 3
  Details:   Identity is a Claimed Identity with evidence that supports the real world existence and activity of that identity and physically identifies the person to whom the identity belongs. Steps are taken to determine that the identity relates to a real person and that the Applicant is the owner of that identity.
  Situation: This is intended to give sufficient confidence for the identity to be offered in support of criminal proceedings.

Level 4
  Details:   Identity that is required to meet all Level 3 requirements AND provide further evidence, and is subjected to additional and specific processes, including the use of Biometrics, to further protect the identity from impersonation or fabrication.
  Situation: This is intended for those persons who may be in a position of trust, or situations where compromise could represent a danger to life.

Levels of Identity Proofing Assurance
Score 0
  • No compliant Identity Evidence provided.

Score 1
  • The issuing source of the Identity Evidence performed no identity checking.
  • The issuing process for the Identity Evidence means that it can reasonably be assumed to have been delivered into the possession of an individual.
  • The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.

Score 2
  • The Issuing Source of the Identity Evidence confirmed the applicant's identity through an identity checking process.
  • The issuing process for the Identity Evidence means that it can reasonably be assumed to have been delivered into the possession of the person to whom it relates.
  • The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.
  • Where the issued Identity Evidence is, or includes, electronic information, that information is protected using cryptographic methods, and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed.
  • Where the issued Identity Evidence is, or includes, a physical object, it requires Proprietary Knowledge to be able to reproduce it.

Score 3
  • The Issuing Source of the Identity Evidence confirmed the applicant's identity in a manner that complies with the identity checking requirements of The Money Laundering Regulations 2007.
  • The issuing process for the Identity Evidence ensured that it was delivered into the possession of the person to whom it relates.
  • The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.
  • The Personal Name on the issued Identity Evidence must be the name by which the identity was officially known at the time of issuance. Pseudonyms, aliases and initials for forenames and surnames are not permitted.
  • The issued Identity Evidence contains a photograph/image of the person to whom it was issued, OR the issued Identity Evidence can be used to identify its owner through a Knowledge Based Verification.
  • Where the issued Identity Evidence is, or includes, electronic information, that information is protected using cryptographic methods, and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed.
  • Where the issued Identity Evidence is, or includes, a physical object, it contains developed security features that require Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it.

Score 4
  • The Issuing Source of the Identity Evidence confirmed the applicant's identity in a manner that complies with the identity checking requirements of The Money Laundering Regulations 2007.
  • The Issuing Source visually identified the applicant and performed further checks to confirm the existence of that identity.
  • The issuing process for the Identity Evidence ensured that it was delivered into the possession of the person to whom it relates.
  • The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates.
  • The Personal Name on the issued Identity Evidence must be the name by which the identity was officially known at the time of issuance. Pseudonyms, aliases and initials for forenames and surnames are not permitted.
  • The issued Identity Evidence contains a photograph/image of the person to whom it was issued.
  • The issued Identity Evidence contains a Biometric that was captured at registration and that can be used to identify the person to whom it was issued.
  • Where the issued Identity Evidence is, or includes, electronic information, that information is protected using cryptographic methods, and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed.
  • Where the issued Identity Evidence is, or includes, a physical object, it contains developed security features that require Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it.

Strength of Evidence of Identity Proof
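The score table reads as a ladder: each score requires everything the score below it requires, plus stronger issuer checking, delivery assurance and anti-reproduction features. The following Python is an added example, not code from the original page or from the UK standard it summarises; it encodes each property as a field and returns the highest score whose properties all hold. The field names, the ordinal encodings (issuer checking 0-2, delivery assurance 0-3, physical protection 0-2) and the constructed evidence items are assumptions made for illustration.

```python
"""Strength-of-evidence scorer for the 0-4 property table above.

Added example, not part of the original page. Encoding each table property as
a field with the ordinal values below is an assumption made for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IdentityEvidence:
    # Issuing Source identity checking: 0 none, 1 an identity checking process,
    # 2 a process meeting The Money Laundering Regulations 2007 requirements
    issuer_checking: int = 0
    # Delivery assurance: 0 unknown, 1 reasonably assumed delivered to an
    # individual, 2 reasonably assumed delivered to the subject, 3 ensured
    # delivered to the subject
    delivery: int = 0
    has_unique_reference: bool = False
    # Electronic component: None if absent, else True when cryptographically
    # integrity-protected and the Issuing Source can be authenticated
    electronic_protected: Optional[bool] = None
    # Physical component: None if absent, else 0 no protection, 1 needs
    # Proprietary Knowledge, 2 needs Proprietary Knowledge and Apparatus
    physical_protection: Optional[int] = None
    official_name: bool = False        # official name at issuance, no aliases/initials
    has_photo: bool = False
    supports_kbv: bool = False         # usable for Knowledge Based Verification
    issuer_visually_identified: bool = False
    has_registered_biometric: bool = False


def _media_ok(ev: IdentityEvidence, min_physical: int) -> bool:
    """Electronic information must be cryptographically protected, and a physical
    object must need at least `min_physical` proprietary means to reproduce.
    Components the evidence does not have impose no requirement."""
    if ev.electronic_protected is False:
        return False
    return ev.physical_protection is None or ev.physical_protection >= min_physical


def strength_score(ev: IdentityEvidence) -> int:
    """Highest score (0-4) all of whose properties the evidence has.

    Each rung requires the rung below it, so the checks are applied in order
    and stop at the first failure."""
    if not (ev.has_unique_reference and ev.delivery >= 1):
        return 0
    if not (ev.issuer_checking >= 1 and ev.delivery >= 2 and _media_ok(ev, 1)):
        return 1
    if not (ev.issuer_checking >= 2 and ev.delivery >= 3 and ev.official_name
            and (ev.has_photo or ev.supports_kbv) and _media_ok(ev, 2)):
        return 2
    if not (ev.issuer_visually_identified and ev.has_photo
            and ev.has_registered_biometric):
        return 3
    return 4


# Constructed evidence items illustrating each rung.
PHOTO_MEMBERSHIP_CARD = IdentityEvidence(delivery=1, has_unique_reference=True,
                                         physical_protection=0, has_photo=True)
CHECKED_STORE_CARD = IdentityEvidence(issuer_checking=1, delivery=2,
                                      has_unique_reference=True, physical_protection=1)
PASSPORT = IdentityEvidence(issuer_checking=2, delivery=3, has_unique_reference=True,
                            electronic_protected=True, physical_protection=2,
                            official_name=True, has_photo=True)
BIOMETRIC_ID_CARD = replace(PASSPORT, issuer_visually_identified=True,
                            has_registered_biometric=True)
# Same passport-grade document but with an unsigned chip: the electronic
# protection property fails from score 2 upward, so it drops to score 1.
UNPROTECTED_CHIP_CARD = replace(PASSPORT, electronic_protected=False)

if __name__ == "__main__":
    for name, ev in [("membership card", PHOTO_MEMBERSHIP_CARD),
                     ("checked store card", CHECKED_STORE_CARD),
                     ("passport", PASSPORT), ("biometric ID card", BIOMETRIC_ID_CARD),
                     ("unprotected chip", UNPROTECTED_CHIP_CARD)]:
        print(f"{name:20} score {strength_score(ev)}")
```

The unprotected-chip case is the one worth noticing: a document that otherwise looks passport-grade scores only 1 once its electronic information lacks cryptographic integrity and issuer authentication, because the table makes that property a precondition of every score from 2 upward.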
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved