Anil John
Making Digital Services Secure and Trustworthy

Are Federated Credentials and Continuous Identity Verification Compatible?

In a recent blog post, Does KBA and Public Sector Online Services Have a Future?, I raised the inadequacy of knowledge-based authentication (KBA) for remote identity proofing, given that the data sets currently used for it are public and potentially compromised. I believe it is critical for citizen-facing public sector services to incorporate continuous identity vetting/verification/proofing as a compensating control. But can that be done effectively when the service relies on federated credentials?

The current notion of layered security controls usually focuses on the network, host, and application layers (which are absolutely critical) and much less on layering controls within the authentication process itself. For citizen- and business-facing public sector services, I believe the strong processes outlined in the NIST Electronic Authentication Guideline SP-800-63-2 (PDF) should be only one layer in a comprehensive authentication strategy.

But when adding compensating controls to a federation environment, the following questions come to mind:

  • What guidance can serve as a starting point?
  • What technical controls are recommended?
  • Which entity in a federation is best suited to (or capable of) implementing each specific control?

I have found the Federal Financial Institutions Examination Council (FFIEC) authentication guidance (PDF) a good resource on this topic. It identifies the following Technical Controls:

  • Out-of-band identity verification (via a separate channel) to pass through gates on account maintenance activities (e.g. password reset) performed by customers either online or through customer service channels
  • Device fingerprinting (including device configuration, IP address, geolocation), with the initial binding of the fingerprint to a user done through an out-of-band identity verification mechanism
  • Internet protocol (IP) reputation-based tools to block connections to servers from IP addresses known or suspected to be associated with fraudulent activity
  • “Out of Wallet” questions that do not rely on public information (i.e. the entity has a close relationship with the person and can leverage internal data for this purpose) for authorizing higher-risk transactions
  • Anomaly detection that looks at transaction velocity as well as customer history and behavior
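To make the layering concrete, here is an added example (my own illustration, not code from the original post or from the FFIEC guidance) of how a relying party could combine several of the controls above at transaction time: a device fingerprint that is only trusted once it has been bound after out-of-band verification, an IP reputation blocklist, a velocity check over recent transactions, and a simple amount-based behavior anomaly. The `RiskEngine` class, the signal weights, the step-up threshold, the `Txn` fields and all sample users, addresses and amounts are constructed assumptions; the blocklisted and client addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: layering FFIEC-style compensating controls at a relying party.

Every name, weight, threshold and data value below is a constructed assumption
for illustration, not a reference to any real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class Txn:
    user_id: str
    ip: str
    device_attrs: dict   # attributes the client presented (hypothetical set)
    amount: float
    when: datetime
    high_risk: bool = False   # e.g. password reset or payee change (constructed class)


def device_fingerprint(attrs: dict) -> str:
    """Deterministic hash over sorted attribute pairs (constructed scheme)."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


class RiskEngine:
    # Score contribution per signal and the step-up threshold are illustrative.
    WEIGHTS = {"ip_reputation": 60, "unbound_device": 30,
               "velocity": 25, "amount_anomaly": 20}
    STEP_UP_THRESHOLD = 40

    def __init__(self, ip_blocklist, velocity_window=timedelta(minutes=10),
                 velocity_limit=3):
        self.ip_blocklist = set(ip_blocklist)
        self.velocity_window = velocity_window
        self.velocity_limit = velocity_limit
        self.bound_devices = {}   # user_id -> fingerprints bound after OOB verification
        self.history = {}         # user_id -> list of past Txn

    def bind_device(self, user_id: str, attrs: dict) -> None:
        """Bind a fingerprint to a user. Call only after out-of-band verification succeeds."""
        self.bound_devices.setdefault(user_id, set()).add(device_fingerprint(attrs))

    def record(self, txn: Txn) -> None:
        self.history.setdefault(txn.user_id, []).append(txn)

    def signals(self, txn: Txn) -> list:
        """Return the names of every control that fires for this transaction."""
        found = []
        if txn.ip in self.ip_blocklist:                       # IP reputation
            found.append("ip_reputation")
        known = self.bound_devices.get(txn.user_id, set())    # device binding
        if device_fingerprint(txn.device_attrs) not in known:
            found.append("unbound_device")
        past = self.history.get(txn.user_id, [])
        recent = [p for p in past                              # velocity
                  if timedelta(0) <= txn.when - p.when <= self.velocity_window]
        if len(recent) >= self.velocity_limit:
            found.append("velocity")
        amounts = [p.amount for p in past]                     # behavior vs history
        if amounts and txn.amount > 3 * max(amounts):
            found.append("amount_anomaly")
        return found

    def decide(self, txn: Txn):
        """Return (decision, score, signals). BLOCK, STEP_UP_OOB or ALLOW."""
        sig = self.signals(txn)
        score = sum(self.WEIGHTS[s] for s in sig)
        if "ip_reputation" in sig:
            return "BLOCK", score, sig
        # Any signal on a high-risk action, or enough accumulated score, triggers
        # out-of-band verification instead of an outright deny.
        if score >= self.STEP_UP_THRESHOLD or (txn.high_risk and sig):
            return "STEP_UP_OOB", score, sig
        return "ALLOW", score, sig


# Constructed sample data.
T0 = datetime(2024, 1, 15, 9, 0)
LAPTOP = {"ua": "Mozilla/5.0", "tz": "America/New_York", "screen": "1920x1080"}
TABLET = {"ua": "Mozilla/5.0 (iPad)", "tz": "America/New_York", "screen": "1024x768"}


def demo() -> dict:
    eng = RiskEngine(ip_blocklist={"203.0.113.7"})
    eng.bind_device("alice", LAPTOP)                     # bound at enrolment via OOB
    for i, amt in enumerate((20.0, 35.0, 50.0)):         # a month of normal history
        eng.record(Txn("alice", "198.51.100.10", LAPTOP, amt, T0 - timedelta(days=30 - i)))
    out = {}
    out["routine"] = eng.decide(Txn("alice", "198.51.100.10", LAPTOP, 40.0, T0))[0]
    out["new_device_high_risk"] = eng.decide(
        Txn("alice", "198.51.100.10", TABLET, 10.0, T0, high_risk=True))[0]
    out["bad_ip"] = eng.decide(Txn("alice", "203.0.113.7", LAPTOP, 40.0, T0))[0]
    for i in range(3):                                   # burst from the unbound tablet
        eng.record(Txn("alice", "198.51.100.10", TABLET, 5.0, T0 + timedelta(minutes=i)))
    burst = Txn("alice", "198.51.100.10", TABLET, 5.0, T0 + timedelta(minutes=3))
    out["burst"] = eng.decide(burst)[0]
    eng.bind_device("alice", TABLET)                     # after OOB verification passes
    out["after_oob_bound"] = eng.signals(burst)          # device signal clears, velocity stays
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that no single signal decides the outcome except a bad IP reputation: an unrecognised device on a routine transaction only raises the score, but the same device on a high-risk action, or a burst of activity, steps the user up to out-of-band verification, and a successful verification is what binds the new fingerprint so the next request does not fire the device control again. Which entity holds the blocklist, the bound fingerprints and the history is exactly the role question raised above.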

In the above table, I’ve also taken an initial cut at mapping the controls to the entities able to implement them (based on policy) in a federation environment.

The answer to the question I asked in the title of this post is “YES”. It requires clear thinking about roles, responsibilities and capabilities, but to deliver public sector online services effectively we need to move away from the waterfall approach to identity proofing that is in place today toward one that is more agile and responsive to constantly morphing threats.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
