Identification Proofing (Continued)

So we have self-assertion as the lightest of the processes. This is typically a process that involves maybe cursory checks or potentially no checks. If you’re signing up to a web-based service where there are, for example, a web forum to enroll in an online service, typically we’re not looking for huge amounts of checks. If you’re creating a social media profile, you just need to be linked usually to an email address. So the social media site owners are looking to create some sense of accountability by linking your identity back to an existing email account. So very, very light levels of checks. Linking to an existing credential or identity, we’ve said, can be through an email.

We can start to use things like mobile telephones, payment cards, or government identities. These last three options allow for a slightly stronger level of assurance. A mobile telephone, in most countries, requires some proof, identity verification already. So to actually own a mobile telephone, to be able to use that to receive a confirmation number that you use as part of an enrollment process actually requires some verification already. Usually, the mobile telephone is linked to a bank account, has had some kind of financial transaction supporting its creation.

Similarly, with a payment card of any kind, a bank card, again, we’ve got some kind of creation there, creation process, verification process, validation process, behind that whereby the bank will have undertaken checks to ensure you are who you say you are. So we’re relying, in these cases, on the checks that other people have made in the creation of those identities. And again, we’ve mentioned the use of passports. This extends out to other identification documents as well. Countries like India, Indonesia have ID cards. And we also have things like driving licences that are frequently used throughout the world. So for strong identity checks, a Good Practice Guide 45, the UK Good Practice Guide 45, offers six prerequisites.

Firstly, that the process should be able to enable a legitimate individual to prove their identity in a straightforward manner, making the process simple and manageable. So this should create significant barriers to those trying to claim to be somebody that they are not but should be straightforward for a legitimate identity owner. Secondly, that the individual shall expressly declare their identity. Thirdly, that the individual shall prove evidence to prove their identity. Fourth, the evidence shall be confirmed as being valid or genuine and that it actually belongs to the individual – there should be some sort of check by some sort of confirmation. Fifth, that checks against the identity confirm whether it exists in the real world.

So here we’re not just looking at the link between the proposed identity and the evidence. Now we’re looking at the identity and the evidence and whether or not that has a footprint in the real world. Typically, this is your government documents or your financial records. And then finally sixth, that the breadth and depth of evidence and checking shall differ depending on the level of assurance needed. So here we see that recognition that the process will be different depending on the level of assurance that we require in creating the identity. So for identity proofing, we generally categorize the evidence into three groups. Citizen evidence – this is something that’s issued by a public authority.

This may be national or regional, something that’s issued by an organization through a process determined by a public authority. So again, here we’re thinking about our national ID cards, our regional ID cards, our driving licences, our passports. These are typically thought to be very strong sources of evidence. And depending on the country that we’re using as an example, it can vary. In most countries, the issuing of these documents is a very strongly managed process. In other countries, it may not be. So again, when we’re considering the use of citizen-based documents, public authority documents, we just need to be careful about the process behind that.

We need to understand the issuance process and whether or not the checks that the nation state has in place are strong enough. Usually, this is one of the strongest sources of evidence for us, though. Financial, here, we’re looking at financial records, something typically linking an individual to a financial organization and ideally a financial organization that is regulated in turn by a public authority. So not just any financial organization, but one that is managed by the public authority within a nation state. Here, we’re thinking about bank accounts, financial trading accounts. We could be looking at a financial organization regulated by a body mandated by a national legislation. So we have some regulatory bodies that help to support and manage financial organizations.

So it may not be directly managed by a public authority. But typically we are looking for a financial organization that is significant enough and is regulated in some way that it can be deemed trustworthy as a source of evidence. Finally, we have living, as a category. And this is a very broad-ranging set of evidence. This can be things that proves the employment, the individual claiming the identity is employed by a particular organization, education-type information, certificates relating to attainment of different education degrees or whatever standards relate to that nation state, evidence relating to training services, or, for example, we have things like utility bills.

Again, a good history of maintaining a utility account, your water, electricity, or gas, can help to prove or establish that that individual is linked to a real-world address and does exist, has a standing within the community. We can look for, excuse me, a presence within social group networks, loyalty programs, subscription services, health services, and accounts with third parties, any kind of a trusted bill that the individual receives. Again, this can link them to an address but also to a set of financial transactions. And usually this is indicative of a relationship over time as well.

The type of evidence from this living category tends to be of a lower level of trust, tends to offer a lower level of assurance for us than the other two categories.