Anil John
Making Digital Services Secure and Trustworthy

Anil John

Identity Validation as a Public Sector Digital Service?

 Tweet  Share  Share  Comment  Print  Email

I’ve written before about the role that the public sector currently has in identity establishment, but not in identity validation. This absence has led to an online ecosystem in the U.S. that depends on non-authoritative information for identity validation. These are some initial thoughts on what an attribute validation service, which provides validation of identity attributes using authoritative public sector sources, could look like.

I consider the inability to gain access to our own identity data held in public sector authoritative sources, or grant a third party permission to validate that information when conducting an online transaction with them, a factor that has contributed greatly to the increasing levels of identity theft as well as benefit and account opening fraud we are currently experiencing.

Technology and standards that can enable such a service in a manner that is secure, privacy respecting, interoperable, and with the explicit in-the-loop permission of the customer exists and is mature.

Given all of that, here are some key characteristics that I would embed in the design, implementation and usage of such a service:

  • The transaction is about the customer gaining access to their own data or granting a third party permission to validate their data, which means that real-time permission for a specific and limited purpose (identity validation) MUST be obtained from the customer, managed through its life cycle, and conveyed to the authoritative source
  • The implementation should return a MATCH / NO-MATCH on customer asserted attributes using the information in the authoritative source. No actual data elements are returned by the authoritative source
  • The privacy and security policies of the authoritative sources, which may vary across organizations and jurisdictions, must be respected. In particular, the MATCH / NO-MATCH decision should happen at the authoritative source and not at the service to ensure authoritative source operational control
  • The service must offer a standardized API on the customer “front-end” but be able to accommodate the protocol and data format mediation on the "back-end" to integrate with a diverse range of authoritative sources
  • The service should, as a starting point, offer connectivity to the following authoritative sources:
    • Address of Record (USPS)
    • Driver’s License (State DMVs via AAMVA)
    • Passport (State Department)

From an offering perspective, I would expect this service to be targeted towards Credential Issuers i.e. Entities who need to issue a credential to a customer, and need to link the token issued to a validated and verified identity.

Such entities could include financial institutions, telcos and commercial and public sector service providers who are opening an account for a customer. Or they could be dedicated Credential Service Providers (CSPs) who, by having access to such a service, can strengthen their identity proofing and credential offerings to public and private sector relying parties.

BTW, a critical point to note is that this service ONLY does identity validation. Identity verification i.e. confirming that the validated information belongs to a particular person is something that MUST be done separately as part of an end-to-end enrollment process. Fortunately, there are many providers in the public and private sector who have extensive capabilities to do that piece.

Question: Do you believe that a service as envisioned here would increase the value of a 'credential' or reduce the risk of high value online transactions? Who do you see as the clients of such a service? What do you see as challenges in bringing such a service to market?

RELATED INFO


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone