In a recent blog post, Does KBA and Public Sector Online Services Have a Future?, I raised as an issue the inadequacy of KBA for remote identity proofing given the public, and potentially compromised, data sets that are currently used for this purpose. I believe that it is critical for citizen facing public sector services to incorporate continuous identity vetting/verification/proofing as a compensating control. But can that be effectively done when the service is utilizing federated credentials?
The current notion of having layered security controls is often focused on the network, host, and application layers (which are absolutely critical) and less so on having layered controls within the authentication process itself. For citizen and business facing public sector services, I believe that the strong processes outlined in NIST Electronic Authentication Guideline SP-800-63-2 (PDF) should only be one layer in a comprehensive authentication strategy.
But when adding compensating controls to a federation environment, the following questions come to mind:
- What guidance can serve as a starting point?
- What technical controls are recommended?
- Which entity in a federation is ideally suitable (or capable) of implementing specific controls?
I have found the Federal Financial Institutions Examination Council (FFIEC) authentication guidance (PDF) to be a good resource on this topic. It identifies the following technical controls:
- Out-of-band identity verification (via a separate channel) to pass through gates related to account maintenance activities (e.g. password reset) performed by customers either online or through customer service channels
- Device Fingerprinting (including device configuration, IP address, geolocation) with the initial binding of the fingerprint to a user done by leveraging an out-of-band identity verification mechanism
- Internet protocol (IP) reputation-based tools to block connection to servers from IP addresses known or suspected to be associated with fraudulent activities
- "Out of Wallet" questions that do not rely on public information (i.e. the entity has a close relationship with the person and can leverage internal data for this purpose) for authorizing higher risk transactions
- Anomaly detection that looks at velocity of transactions as well as customer history and behavior
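To show how three of these controls can be layered around a single transaction decision, here is an added example (hypothetical code, not from the post, FFIEC or NIST): an IP reputation check, a device-fingerprint binding that is only created after out-of-band verification, and a simple transaction-velocity check, combined into an allow / step-up / block decision. Thresholds, fingerprints, user names and IP addresses are constructed sample values.

```python
from collections import defaultdict, deque

class RiskEngine:
    """Layered check for one transaction: IP reputation, device binding, velocity.
    Hypothetical design; the thresholds below are constructed, not recommended values."""

    def __init__(self, ip_denylist, window_secs=600, velocity_limit=3):
        self.ip_denylist = set(ip_denylist)    # reputation feed: block outright
        self.window = window_secs               # velocity window in seconds
        self.limit = velocity_limit             # more than this many tx in window => anomaly
        self.bound = defaultdict(set)           # user -> fingerprints bound via out-of-band check
        self.history = defaultdict(deque)       # user -> recent tx timestamps (epoch seconds)

    def bind_device(self, user, fp):
        """Bind a fingerprint to a user; call only after out-of-band verification succeeds."""
        self.bound[user].add(fp)

    def assess(self, user, fp, ip, ts):
        """Return (decision, reasons): 'block', 'step_up' (require out-of-band) or 'allow'."""
        if ip in self.ip_denylist:
            return "block", ["ip_reputation"]
        reasons = []
        if fp not in self.bound[user]:
            reasons.append("unbound_device")
        q = self.history[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.limit:
            reasons.append("velocity")
        return ("step_up" if reasons else "allow"), reasons

def demo():
    """Constructed sample run: one user, one bound device, five attempts within 10 minutes."""
    eng = RiskEngine(ip_denylist={"203.0.113.9"})
    eng.bind_device("alice", "fp-a1")           # bound after a prior out-of-band verification
    return [
        eng.assess("alice", "fp-a1", "198.51.100.4", 1000),  # known device -> allow
        eng.assess("alice", "fp-zz", "198.51.100.4", 1060),  # new device -> step up
        eng.assess("alice", "fp-a1", "198.51.100.4", 1120),  # third tx in window -> allow
        eng.assess("alice", "fp-a1", "198.51.100.4", 1180),  # fourth tx in window -> velocity
        eng.assess("alice", "fp-a1", "203.0.113.9", 1240),   # denylisted IP -> block
    ]
```

In a federation, the identity provider would typically own the device binding and out-of-band step, while the relying party owns transaction velocity, since only it sees the transactions.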
In the above table, I've also taken an initial cut at mapping the controls to the entities able to implement them (based on policy) in a federation environment.
The answer to the question that I've asked as the title of the blog post is "YES". It does require clear thinking on roles, responsibilities and capabilities, but in order to effectively deliver public sector online services, we need to move away from the waterfall approach to identity proofing that is in place to one that is more agile and responsive to the constantly morphing threats.
- Does KBA and Public Sector Online Services Have a Future?
- FFIEC - Supplement to Authentication in an Internet Banking Environment (PDF)
- NIST Electronic Authentication Guideline SP-800-63-2 (PDF)
- Gartner (behind paywall): The Four Layers of Identity Proofing Lead to Stronger Identity Verification
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.