Anil John
Making Digital Services Secure and Trustworthy


An Emerging Standard for Identity Proofing and Verification


The Identity Proofing and Verification (IDPV) Standard Development Project (ANSI/NASPO-IDPV-2013) at the North American Security Products Organization (NASPO), which is an ANSI-accredited standards development organization, is developing minimum standards for the assertion, evidence and verification of personal identity. To my knowledge, this is currently the most comprehensive, data-driven, and privacy-respecting effort in the area of identity assurance that has active practitioner engagement.

I recently attended the 6th plenary meeting of the IDPV National Standard Project and was impressed by both the rigor of the work and the active engagement of practitioner-focused subject matter experts from both private and public sector organizations. The focus of the work is NOT about the initial establishment of an identity, but about:

  • Developing minimum requirements for (a) reconciling an asserted identity to a single individual and (b) proofing the asserted identity by verifying corroborative evidence and by looking for symptoms of fraud
  • Providing guidance for implementation and privacy concerns

The proposed standard identifies sets of core identity attributes across the dimensions of Name, Location, Time and Identifier that, in most cases, allow for resolution to a single identity. It also provides a list of supplemental attributes that can be used to prevent collisions in cases where the core attributes are not enough. These core and supplemental attributes are not theoretical; they are based on extensive data modeling and analysis done on data sets that covered the U.S. population.

At the same time, the group has been very cognizant of the privacy aspects of this work and, from the start, baked in the Fair Information Practice Principles (FIPPs) in a contextually sensitive manner regarding the information being requested.

While the foundation appears solid, and applicable equally to jurisdictions outside the U.S., there is still work that needs to be done to make it more consumable to non-experts.

The work is open to anyone and the group feels that, as it stands now, the work would benefit from wider scrutiny and input. If you have an interest in identity assurance and its associated privacy aspects, I would encourage you to take a look at the work, get engaged, and provide feedback.


This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
