There is currently a discussion going on in the Identity Ecosystem Steering Group (IDESG) regarding knowledge based authentication (KBA) metrics. I am a bit unsure about what is being sought by the IDESG from a standards development organization (SDO). This blog post is an attempt at framing the questions, as I understand them, to determine if there is value here, or if it is the application of makeup to porcine livestock.
I’ve written before about the role that the public sector currently has in identity establishment, but not in identity validation. This absence has led to an online ecosystem in the U.S. that depends on non-authoritative information for identity validation. These are some initial thoughts on what an attribute validation service, which provides validation of identity attributes using authoritative public sector sources, could look like.
I have found it very important to allocate time to rest, relax and recharge in order to deal with the pace and stress of daily life. My family and I find the outdoors to be the place to do just that. We just got back from Banff National Park, in the Canadian Rockies, which we visit often enough that my kids call it their happy place.
Keep close to Nature's heart... and break clear away, once in a while, and climb a mountain or spend a week in the woods. Wash your spirit clean.
Before I joined the U.S. Civil Service, I worked as a contractor for the Cyber Security Division (CSD) of the DHS Science and Technology Directorate. They are an excellent, mission-driven organization that just released an R&D solicitation that folks who work in the identity, privacy and security space may be interested in.
NIST Electronic Authentication Guideline (SP 800-63) does not permit Knowledge Based Authentication (KBA) as a viable “something you know” authentication factor (Instant KBA). But it also notes that "knowledge based authentication techniques are included as part of registration" which is sometimes confusing. The term KBA is overloaded, often misused, and needs to be clarified based on the usage context.
Operators of multi-sided platforms need to deliver compelling value to attract, keep, and grow participants in the platform. Leveraging cross-side and same-side network effects is one way to create that value. I believe that a Federation-wide Reliable Account Usage Data (FRAUD) Service is one example of a platform service that can provide such value.
I've been spending a fair amount of time thinking about how to minimize the information asked of a person in order to uniquely identify them and deliver a high-value public sector service to them. In particular, I am interested in the overlap between what is asked for as part of identity proofing at Level 2 and Level 3 in NIST SP 800-63-2, and what studies show is needed for unique identity resolution.