How To Enroll a User, Even When There are No Shared Identifiers
My last two blog posts covered various approaches to relying party user enrollment within the context of public sector online services that need higher assurances of identity. The key item that made this possible was a shared piece of information between the person and the RP. This blog post looks at options to consider when such information does not exist or cannot be used due to policies or laws.
If, for a variety of reasons, it is not possible to resolve the identity of a person in order to enroll them into an RP, other options need to be considered. They may include:
- In-person identity proofing
- Knowledge-based authentication (KBA)
- Attestation from a trusted third party
In-person identity proofing is self-explanatory, but it is important to keep in mind that it is expensive.
Knowledge-based authentication requires threading the needle a bit, at least within the context of the rules the U.S. Federal Government follows under NIST SP 800-63-2 (PDF):
Knowledge based authentication achieves authentication by testing the personal knowledge of the individual against information obtained from public databases. As this information is considered private but not actually secret, confidence in the identity of an individual can be hard to achieve. In addition, the complexity and interdependencies of knowledge based authentication systems are difficult to quantify. However, knowledge based authentication techniques are included as part of registration in this document.
NIST SP 800-63-2: Electronic Authentication Guideline
What the above statement is saying is that while it is acceptable to use the knowledge-based process for identity proofing (a.k.a. registration), KBA as practiced in the private sector, where it is often used as a second factor in authentication, should not be used for that purpose, for the reasons stated above.
Now the last option, attestation from a trusted third party, is one that I find rather interesting. An example in the physical world is the use of a notary public. As I’ve mentioned before in “Identity Establishment and the Role of the Public Sector”, I believe that public sector organizations are uniquely positioned to serve this function. I was reminded of this recently when I saw an article in the Guardian about the UK IDAP Program, which provided a UK citizen’s point of view:
I pay the government to identify and verify me when I am born (birth certificate), when I marry (marriage certificate), when I die (death certificate) and when I travel (passport and driving licence). Why should I then have to pay an outside private organisation to verify who I am when I transact with the government online, when I've already paid the government?
Guardian: Privacy worries mean citizens prefer a government-owned identity provider
From an implementation perspective, at least in the U.S., I would not go so far as to propose that public sector agencies be CSPs. But, I can easily envision scenarios where a consumer could request that one agency, with which they have already enrolled, vouch for their identity (be an attribute provider?) to another agency for the sole purpose of enrollment. The technical capabilities exist; the policy and the will? TBD.
RELATED INFO
- If You Don’t Plan For User Enrollment Now, You’ll Hate Federation Later. Redux.
- Here Be Dragons - Social Security Number and Federation User Enrollment
- Guardian: Privacy worries mean citizens prefer a government-owned identity provider
- Identity Establishment and the Role of the Public Sector
- NIST SP 800-63-2: Electronic Authentication Guideline (PDF)
- User Enrollment Challenges with PKI Credentials
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.