Fri Apr 8 06:51:39 PDT 2016
Control Architecture: Identity proofing: How are asserted identities proofed after originally identified?
Options:
Alternatives include:
- 0: No proof needed
- 1: Identity token (of type)
- 2: Biometric (of type)
- 3: Repository check
Token types have characteristics allowing evidence of:
- A: Unique identifier
- B: Electronic information (O: optionally with integrity protection)
- C: Proprietary knowledge required to reproduce it
- D: Proprietary apparatus required to reproduce it
- E: Authenticatable as to token source
- F: Controlled issuing process based on original identity
- G: Real name of the individual
- H: Knowledge base for verification
- I: Token was issued to the individual possessing it
Biometric evidence types include:
- R: Photograph
- S: Fingerprint
- T: DNA information
- U: Eye print
- V: Facial characteristics
- W: Hand geometry
- X: Physical description
- Y: Identifying marks
- Z: Other physical information
Decision:
The individual being identified produces evidence of their identity, and that evidence is tested against the following minimum ratings:
Consequence | Minimum Ratings | Example |
High | 123ABOCDEFGHIR[S/T/U/V/W]XYZ | Common Access Card with biometrics used |
Med | 13ABOGHIRX | [Passport / Driver's license] and Verification Check |
Low | 1AIR | [Membership / Credit] card with Photo |
Authentication process minimums
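As an added worked example (my code, not part of the original page), the minimum-rating notation in the Consequence table can be checked mechanically. It assumes the natural reading of the notation: each digit or letter is one required property from the option lists above, and a bracketed group such as [S/T/U/V/W] is a single requirement satisfied by any one of the listed codes.

```python
import re

# Minimum-rating strings copied from the Consequence table on this page.
MINIMUM_RATINGS = {
    "High": "123ABOCDEFGHIR[S/T/U/V/W]XYZ",
    "Med": "13ABOGHIRX",
    "Low": "1AIR",
}

# Assumed reading of the notation: every digit/letter is one required
# property code; "[S/T/U/V/W]" is one requirement met by any listed code.
_TOKEN = re.compile(r"\[[^\]]+\]|[0-9A-Z]")


def parse_rating(spec):
    """Return the rating as a list of requirement sets, in page order."""
    reqs = []
    for tok in _TOKEN.findall(spec):
        if tok.startswith("["):
            reqs.append(set(tok[1:-1].split("/")))   # alternatives
        else:
            reqs.append({tok})                        # single mandatory code
    return reqs


def missing_requirements(spec, evidence):
    """Requirements in spec that the evidence codes do not satisfy.

    evidence is any iterable of single-character codes, e.g. the string
    "1AIR" for a photo membership card (token, unique id, issued to the
    holder, photograph). Alternatives are reported as 'S/T/U/V/W'."""
    have = set(evidence)
    return ["/".join(sorted(r)) for r in parse_rating(spec) if not (r & have)]


def highest_consequence_supported(evidence):
    """Highest consequence level whose minimum rating the evidence meets,
    or None if even the Low minimum (1AIR) is not met."""
    for level in ("High", "Med", "Low"):
        if not missing_requirements(MINIMUM_RATINGS[level], evidence):
            return level
    return None


if __name__ == "__main__":
    # Constructed sample: a CAC-style token with fingerprint (S) and photo (R).
    cac = "123ABOCDEFGHIRSXYZ"
    print(highest_consequence_supported(cac))
    print(missing_requirements(MINIMUM_RATINGS["High"], "13ABOGHIRX"))
```

Running the block reports High for the constructed CAC sample and lists which High-level properties a Med-level passport package lacks.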
Basis:
Identity proofing is the process by which an originally established
identity is tied to an individual at a subsequent time. This is
typically done through identity tokens of some sort (e.g.,
a passport, driver's license, or other issued identity), optional
biometrics (e.g., a picture on the identifier, a fingerprint, a retinal
print, DNA analysis, etc.), and optional verification against a
repository.
From: "Identity proofing: How are asserted
identities proofed after originally identified" - the UK government
standard - and an excellent description of a workable process.
Key Principles:
- The process should enable a legitimate individual to
prove their identity in a straightforward manner whilst creating
significant barriers to those trying to claim to be somebody they are
not.
- The individual shall expressly declare their identity.
- The individual shall provide evidence to prove their identity.
- The evidence shall be confirmed as being Valid
and/or Genuine and belonging to the individual.
- Checks against the identity confirm whether it
exists in the real world.
- The breadth and depth of evidence and checking
required shall differ depending on the level of assurance needed in
that the identity is real and belongs to the individual.
Process
- The Applicant shall be required to declare the name, date of
birth and address that they wish to be known as so that there is no
ambiguity about the identity that is going to be used (Claimed
Identity).
- The Applicant shall be required to provide evidence that the
Claimed Identity exists (Identity Evidence Package). This may be
provided electronically or physically depending on the level of
assurance required and the capabilities of the organization that is
going to proof the Applicant.
- The evidence provided shall be checked in order to determine
whether it is Genuine and/or Valid (Validation).
- The Applicant shall be compared to the provided evidence and/or
knowledge about the Claimed Identity to determine whether it relates
to them (Verification).
- The Claimed Identity shall be subjected to checks to determine
whether it has had an existence in the real world over a period of
time (Activity History).
- The Claimed Identity shall be checked with various counter-fraud
services to ensure that it is not a known fraudulent identity and to
help protect individuals who have been victims of identity theft
(Counter-Fraud Checks).
- At the end of the process there is an Assured Identity that
describes the level of confidence that the Applicant is the owner of
the Claimed Identity and that identity is genuine.
Level | Details | Situation |
1 | No requirement for the identity of the Applicant to be proved, so no declaration of a Claimed Identity is made, no evidence is needed and no proofing is performed. The Applicant provides an Identifier that can be used to confirm an individual as the Applicant. The Identifier has been checked to ensure that it is in the possession and/or control of the Applicant. | Nominal identity check. |
2 | Identity is a Claimed Identity with evidence that supports the real world existence and activity of that identity. Steps are taken to determine that the identity relates to a real person and that the Applicant is the owner of that identity. | This is intended to give sufficient confidence for the identity to be offered in support of civil proceedings. |
3 | Identity is a Claimed Identity with evidence that supports the real world existence and activity of that identity and physically identifies the person to whom the identity belongs. Steps are taken to determine that the identity relates to a real person and that the Applicant is the owner of that identity. | This is intended to give sufficient confidence for the identity to be offered in support of criminal proceedings. |
4 | Identity that is required to meet all Level 3 requirements AND provide further evidence, and is subjected to additional and specific processes, including the use of Biometrics, to further protect the identity from impersonation or fabrication. | This is intended for those persons who may be in a position of trust, or for situations where compromise could represent a danger to life. |
Levels of Identity Proofing Assurance
Score | Properties of the Identity Evidence |
0 | No compliant Identity Evidence provided. |
1 | The Issuing Source of the Identity Evidence performed no identity checking. The issuing process for the Identity Evidence means that it can reasonably be assumed to have been delivered into the possession of an individual. The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates. |
2 | The Issuing Source of the Identity Evidence confirmed the applicant's identity through an identity checking process. The issuing process for the Identity Evidence means that it can reasonably be assumed to have been delivered into the possession of the person to whom it relates. The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates. Where the issued Identity Evidence is, or includes, electronic information, that information is protected using cryptographic methods, and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed. Where the issued Identity Evidence is, or includes, a physical object, it requires Proprietary Knowledge to be able to reproduce it. |
3 | The Issuing Source of the Identity Evidence confirmed the applicant's identity in a manner that complies with the identity checking requirements of The Money Laundering Regulations 2007. The issuing process for the Identity Evidence ensured that it was delivered into the possession of the person to whom it relates. The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates. The Personal Name on the issued Identity Evidence must be the name by which the identity was officially known at the time of issuance; pseudonyms, aliases and initials for forenames and surnames are not permitted. The issued Identity Evidence contains a photograph/image of the person to whom it was issued, OR the issued Identity Evidence can be used to identify its owner through a Knowledge Based Verification. Where the issued Identity Evidence is, or includes, electronic information, that information is protected using cryptographic methods, and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed. Where the issued Identity Evidence is, or includes, a physical object, it contains developed security features that require Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it. |
4 | The Issuing Source of the Identity Evidence confirmed the applicant's identity in a manner that complies with the identity checking requirements of The Money Laundering Regulations 2007. The Issuing Source visually identified the applicant and performed further checks to confirm the existence of that identity. The issuing process for the Identity Evidence ensured that it was delivered into the possession of the person to whom it relates. The issued Identity Evidence contains at least one reference number that uniquely identifies itself or the person to whom it relates. The Personal Name on the issued Identity Evidence must be the name by which the identity was officially known at the time of issuance; pseudonyms, aliases and initials for forenames and surnames are not permitted. The issued Identity Evidence contains a photograph/image of the person to whom it was issued. The issued Identity Evidence contains a Biometric that was captured at registration and that can be used to identify the person to whom it was issued. Where the issued Identity Evidence is, or includes, electronic information, that information is protected using cryptographic methods, and those methods ensure the integrity of the information and enable the authenticity of the claimed Issuing Source to be confirmed. Where the issued Identity Evidence is, or includes, a physical object, it contains developed security features that require Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it. |
Strength of Evidence of Identity Proof
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved