I've been spending a fair amount of time thinking about how to minimize the information asked of a person, to uniquely identify them, in order to deliver a high value public sector service to them. In particular I am interested in the overlap between what is asked for as part of identity proofing at Level 2 and Level 3 in NIST SP 800-63-2, and what studies show is needed for unique identity resolution.
At Level 2 and higher, the Applicant supplies his or her full legal name, an address of record, and date of birth, and may, subject to the policy of the RA or CSP, also supply other PII.
Level 2 - Confirmation via record checks of one ID number and associated personal information to include full legal name, address of record, DOB and other personal information to uniquely identify an individual.
Level 3 - Confirmation via record checks of both ID numbers and associated personal information to include full legal name, address of record, DOB and other personal information to uniquely identify an individual.
The substantive changes in [NIST SP 800-63-2] are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for level 3 remote registration.NIST SP 800-63-2
What I have found fascinating is the disconnect between what the document says and what many seem to think it says. For example, many people seem to believe that as you move from Level 2 to Level 3 you need to collect more PII for identity proofing. That is not exactly true; you need additional sources of information to correlate and validate the same data elements, but the number of data elements does not increase. Some additional points to note:
- The record id numbers are important only in that they are pointers to sources that are authoritative and manage “identity records” in such a manner that inspire a high level of confidence
- The records management of those sources is an existing, separate and out-of-scope process that is “trustable” and assures a level of confidence in the identity; leverage and don’t reinvent
- The minimal set of information needed from the record for registration/identity proofing/correlation is the full legal name, address of record, and date of birth
- To mitigate registration threats and attacks, use records that are both Government issued and non-Government issued, and correlate the asked for information across them, to achieve higher levels of confidence
- Phone number and e-mail address are NOT used as part of the identity proofing process, but as part of the token/credential issuance process
I do find the emphasis on the address of record to be interesting and keep wondering about the durability/permanence of that information. Even with that, if you map these attributes to the NASPO IDPV Identity Resolution study, you will find the Venn at Attribute Bundle #2 (Name + DOB) which provides ~ 96% resolution or Attribute Bundle #1 (Name + Partial Address + Partial DOB) which provides ~97% resolution.
Given that, and the address durability question, I would group attributes that an RP would typically ask for into three buckets:
|Identity Attributes||Matching PII Attributes||Personal Attributes|
Identity Attributes would be the minimal and mandatory set asked for by an RP, and matching PII attributes would be additional attributes needed for unique identity resolution (if the mandatory set does not get you there). Both of these categories of attributes would need to be validated. Personal attributes would be something that I would expect the RP to collect and validate on its own.
- HOW TO Choose Attributes to Uniquely Identify a Person
- Breaking Identity Proofing to Enable Online Services
- Identity Establishment, Verification and Validation
- Should RP Business Process Data Collection and Validation be Outsourced to a CSP?
- NIST SP 800-63-2: Electronic Authentication Guideline (PDF)
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.