Anil John
Making Digital Services Secure and Trustworthy

HOW TO Choose Attributes to Uniquely Identify a Person

The ANSI/NASPO Identity Proofing and Verification (IDPV) Standard Development Project identifies sets of core identity attributes across the dimensions of Name, Location, Time and Identifier that, in most cases, allow for resolution to a single identity. This blog post provides details about the factors that influence how one chooses one particular set over another.

As a starting point, it is important to acknowledge that there are many classes of transactions that do not require unique identity resolution. At the same time, there are also transactions where it is critical to know the identity so that services can be delivered to a specific person. This ANSI/NASPO standard is focused on the latter set of use cases. By providing a set of criteria and a corresponding process that can be used to evaluate which set of core attributes should be used, it seeks a balance between utility and data minimization.

The IDPV Project conducted a study, using LexisNexis data, which defines five attribute sets across the dimensions of Name, Location, Time and Identifier that provide an equivalent level of effectiveness when it comes to identity resolution. In selecting a particular set, it recommends that the following factors be used to choose one particular attribute over another:

  1. EFFECTIVENESS: How EFFECTIVE is the attribute at distinguishing an identity?
  2. SENSITIVITY: Is the person SENSITIVE about the data attribute? Is the individual concerned that providing the requested information may make them vulnerable to harm?
  3. ACCESSIBILITY: Can the enroller verify the attribute? Does the enroller have ACCESS to resources that have details about the attribute?
  4. PERMANENCE: Is this attribute stable over time?
  5. UNAVOIDABILITY: Is the attribute something that is required to be collected as part of a business process or for other reasons?

The attributes and the associated attribute sets are:

For example, suppose that, as part of your regular business process of tax reporting, you already collect the full social security number. In such a case, it would make sense to use Attribute Set 5 (First Name, Last Name, Full SSN) and additionally collect the first and last name to do identity resolution. This avoids the need to collect address and date of birth.
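One way to check the EFFECTIVENESS factor against your own enrollment data is to measure how many records each candidate attribute combination resolves to a single identity. This is an added example, not code from this post or from the IDPV standard: the records are constructed, the field names are assumptions, and only the last combination corresponds to a set named above (Attribute Set 5); the other combinations are hypothetical comparisons.

```python
from collections import Counter

# Constructed sample population (not real data, not from the IDPV study).
# The 900-xx-xxxx values are placeholders outside the range of issued SSNs.
PEOPLE = [
    {"first": "Ann",  "last": "Lee",  "dob": "1980-02-01", "address": "1 Elm St",  "ssn": "900-00-0001"},
    {"first": "ANN ", "last": "lee",  "dob": "1980-02-01", "address": "2 Oak Ave", "ssn": "900-00-0002"},
    {"first": "Ann",  "last": "Lee",  "dob": "1975-07-12", "address": "1 Elm St",  "ssn": "900-00-0003"},
    {"first": "Bob",  "last": "Ray",  "dob": "1990-11-30", "address": "3 Ash Rd",  "ssn": "900-00-0004"},
    {"first": "Bob",  "last": "Ray",  "dob": "1990-11-30", "address": "3 Ash Rd",  "ssn": "900-00-0005"},
    {"first": "Cy",   "last": "Diaz", "dob": "1962-05-09", "address": "4 Fir Ln",  "ssn": "900-00-0006"},
]

# Hypothetical candidate combinations; only the last mirrors Attribute Set 5.
CANDIDATES = {
    "name only": ("first", "last"),
    "name + dob": ("first", "last", "dob"),
    "name + dob + address": ("first", "last", "dob", "address"),
    "name + full SSN (Set 5)": ("first", "last", "ssn"),
}

def normalize(value):
    """Case-fold and collapse whitespace so 'ANN ' and 'Ann' compare equal."""
    return " ".join(str(value).casefold().split())

def key_for(record, attrs):
    return tuple(normalize(record[a]) for a in attrs)

def resolution_rate(records, attrs):
    """Fraction of records whose values for attrs match no other record."""
    counts = Counter(key_for(r, attrs) for r in records)
    unique = sum(1 for r in records if counts[key_for(r, attrs)] == 1)
    return unique / len(records)

def ambiguous_groups(records, attrs):
    """Record indexes that collide on attrs, i.e. cannot be told apart."""
    groups = {}
    for i, r in enumerate(records):
        groups.setdefault(key_for(r, attrs), []).append(i)
    return [idx for idx in groups.values() if len(idx) > 1]

def compare(records, candidates):
    """Map each candidate name to (attributes collected, resolution rate)."""
    return {n: (len(a), resolution_rate(records, a)) for n, a in candidates.items()}

if __name__ == "__main__":
    for name, (n_attrs, rate) in compare(PEOPLE, CANDIDATES).items():
        print(f"{name:26} attrs={n_attrs} resolves={rate:.0%}")
```

Reading the attribute count next to the resolution rate shows the trade-off between utility and data minimization: on this sample, the three-attribute combination with the SSN resolves every record, while the four-attribute one still leaves a collision.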

While the attribute sets are U.S.-centric, my sense from the international participants in the standard process is that they find the process itself to be valuable and expect to modify and adjust the attribute sets to their particular jurisdiction. The working group is open to anyone and is actively looking for wider feedback and input.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

I am a digital security coach. I help technical leaders make digital services secure and trustworthy.