Identification Proofing

Credential issuance is a process and credential uniqueness become important. Again, for the accountability we need any credential that’s issued to be unique. If we allow for duplicate identities, then we have a problem in terms of enforcing accountability later on. The issuance process has to be secure as well. I, at one point in my career, was issued the password to my account to an email that was sent to that account, so very poorly thought through processes there in terms of credential management. How do we manage to recover our credentials? How are the credentials issued? The United Kingdom has a Good Practice Guide, GPG 45, currently in its third version.

There’s some great documentation out there from organizations like NCSC in the United Kingdom, who issue the good practice guides. In America, NIST. And these documents are very, very high quality, have been tested and reviewed, usually through a combination of public and private sector practice and are free to download. So these are really good starting points if you’re looking to explore identity and access management. With the Good Practice Guide 45, it aims to provide organizations with an understanding of the capabilities that they will need to demonstrate in order to perform identity proofing.

It also provides information to allow the independent assessment processes to inform the assessment processes that you would undertake within an organization to allow for benchmarks or profiles to be established. So depending on the type of identity that you’re establishing, you can create a different set of processes. So this gives us the ability to establish a common framework with a defined set of processes around them for managing our identification, proofing our issuance, our uniqueness, establishing uniqueness.

The GPG guide offers four levels of assurance,: a level 1 identity, level 2 identity, level 3 identity, and level 4. So this is the proofing and verification processes associated with each of those levels. At level 1, there’s no requirement for the identity of the applicant to be proven. The applicant has provided an identifier that can be used to confirm an individual as the applicant, and the identifier has been checked to ensure that it’s in the possession and/or control of the applicant. So this is a very, very low level of assurance that we’re requiring. This allows for self-enrollment with online services.

And what we’re looking to do with level 1 is to establish some kind of outline trust, some kind of outline link between an individual and the identity that we’re creating for them. A level 2 identity is a claimed identity with evidence that supports real-world existence. So now we’re creating a much stronger link between the individual asserting a claim to an identity and the identity, with some historical evidence linking to the individual. And we’re looking at some evidence that has transactional history in the real world. And the steps taken to determine the identity are looking to be informed that that individual is a real person and that real person is linked to the identity.

A level 3 identity is a claimed identity with evidence that supports the real-world existence, as with level two. So these are kind of cumulative. And here we’re looking to physically identify the person to whom the identity belongs. So here we’re looking at, again, an increase in terms of the strength of the evidence that’s required. Here the steps taken to determine the identity relate to a real person. And we want to ensure that the applicant is the owner of that identity. So here we’re looking at the level of proof that would support criminal proceedings, for example. So we have a high level of accountability. A level 4 identity, we’re seeing increasingly at a nation state level with services like passports.

A level 4 identity contains all of the requirements of the first three levels. But again, to provide further evidence, further assurance, is subjected to additional and specific processes. This would include the use of biometrics to further protect the identity from impersonation or fabrication. So not only here are we looking to establish the identity, at this stage, we’re also looking to use biometrics to help protect that identity in the future. So this is intended for people involved in a position of trust, situations which could compromise or could represent a danger to life.

So we see this with the use of biometrics in passports, for example, where governments are trying to establish a strong identity with the individual, but also to protect the use of the ongoing identity in different transactions, in the creation of accounts. Bear in mind that a passport becomes something of a foundation document for other identity processes. We’ve said, for example, when you commence employment with an organization, they will often ask to see your passport. If the controls around a nation state’s passports are not strong enough, then we can allow for subsequent fraudulent identities to be created from that single government-based identity. So governments have a real challenge in this space.

They need a high level of assurance around some of these documents.