Identity verification is the confirmation that the claimed identity information is linked to the individual making the claim. The techniques used for verification have a direct bearing on the confidence you can have in that link. But the line between what is accepted as a verification technique and what is really a compensating control is often blurred.
I am struggling with this. Whenever I hear about a technique to link a carbon-based life-form to a set of identity data, I tend to go into an evaluation mode to determine if what is being discussed is an actual verification technique or a compensating control to mitigate risk. I believe it is important to make such a distinction because it has direct implications for accountability and liability.
My current thinking on this is to look at a particular technique and ask the following questions:
- Does the information provided allow me to make a binary decision?
- Does the information provided narrow or eliminate a particular subset of the population?
- Could the information provided apply to more than one person?
- Is the information coming directly from a person, or from a proxy for the person?
- How was the binding between the person and the proxy done?
- Is the information provided related to the person or the transaction context?
At the end of the day, I am trying to draw a distinction between techniques that could result in a binary decision and techniques that narrow or eliminate a portion of the population. The former I consider to be candidates for verification techniques and the latter for compensating controls.
The interesting aspect here is that biometric techniques will have a much easier time ending up in the verification bucket than knowledge-based techniques. And techniques and controls such as those provided in the FFIEC (Federal Financial Institutions Examination Council) guidance will fall into the compensating control category.
While this may not be applicable in the commercial ecosystem (a contra-indicator being the popularity of Apple’s TouchID), for high-value digital public services this may very well be a consideration.
Question: What decision frame/lens do you use to distinguish between identity verification techniques and compensating controls?
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.