As high-value public sector digital services become the norm rather than the exception, the current bias towards documentary evidence and in-person encounters to identity-proof an individual will become a limiting factor. To be successful, we need to break apart “Identity Proofing” into its components such that the registration process is consistent across delivery channels.
I believe that the three fundamental components needed by a Relying Party (RP) to process a high-value, identity-enabled transaction are:
- Confirmation of the accuracy of identity information claimed by an individual
- Confirmation that the claimed identity information is linked to the individual making the claim
- Confirmation of additional personal information needed to meet the RP's business process requirements
A registration process should encompass all three of these components and be delivery channel neutral:
#1, a.k.a. Identity Validation, is the confirmation of the accuracy of the identity information as established by an authoritative source, or by corroborating different sources of information when no single authoritative source is available.
- Identity validation ensures that the claimed identity information actually exists (i.e. is not a ‘synthetic’ identity) and matches the information found in the authoritative source.
- An individual may or may not be directly involved in an identity validation transaction.
#2, a.k.a. Identity Verification, is the confirmation that the identity information relates to a specific individual.
- Identity verification ensures that the identity information is linked to the specific individual making the claim, and is not being fraudulently used by another individual.
- An individual, or an authorized agent on behalf of the individual, must be directly involved in an identity verification transaction.
#3, a.k.a. Business Process Data Collection and Validation. I’ve written about this before, so I won’t repeat it here.
The implementation and sequencing of the components of the registration process may well be channel specific. Ensuring consistency in what is asked for and what is checked allows us to incorporate innovative technologies and approaches into the registration process irrespective of the channel used to deliver the service.
- Identity Establishment, Verification and Validation
- Does KBA and Public Sector Online Services Have a Future?
- NIST SP 800-63-2: Electronic Authentication Guideline (PDF)
- Should RP Business Process Data Collection and Validation be Outsourced to a CSP?
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.