Anil John
Making Digital Services Secure and Trustworthy

Are We Conflating Identity Verification and Compensating Controls?

Identity verification is the confirmation that the claimed identity information is linked to the individual making the claim. The techniques used for verification have a direct bearing on the confidence you can have in that link. But the line between what is accepted as a verification technique and what should really be considered a compensating control is often blurred.

I am struggling with this. Whenever I hear about a technique to link a carbon-based life-form to a set of identity data, I tend to go into an evaluation mode to determine whether what is being discussed is an actual verification technique or a compensating control that mitigates risk. I believe it is important to make this distinction because it has direct implications for accountability and liability.

My current thinking on this is to look at a particular technique and ask the following questions:

  1. Does the information provided allow me to make a binary decision?
  2. Does the information provided narrow or eliminate a particular subset of the population?
  3. Could the information provided apply to more than one person?
  4. Is the information coming directly from a person, or from a proxy for the person?
  5. How was the binding between the person and the proxy done?
  6. Is the information provided related to the person or the transaction context?

At the end of the day, I am trying to draw a distinction between techniques that could result in a binary decision and techniques that narrow or eliminate a portion of the population. The former I consider to be candidates for verification techniques and the latter for compensating controls.

The interesting aspect here is that biometric techniques will have a much easier time ending up in the verification bucket than knowledge-based techniques. Techniques and controls such as those provided in the FFIEC guidance will fall into the compensating control category.

While this distinction may not be applicable in the commercial ecosystem (the popularity of Apple's TouchID being a contra-indicator), for high-value digital public services it may very well be a consideration.

Question: What decision frame/lens do you use to distinguish between identity verification techniques and compensating controls?

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
