No Identity Left Behind: Enabling Access for All with Call Center and In-Person Identity Proofing
Copyright © 2018 ID.me, Inc.
I. Ensuring Secure Digital Access for All (p. 3)
  Millennials and Generation Z (p. 3)
  Seniors (p. 3)
  Low Income (p. 4)
  New Immigrants (p. 4)
II. Leveraging Authoritative Standards for Interoperable Access (p. 5)
  a. NIST Standards for Digital Identity Proofing and Authentication (p. 5)
  b. Support for Identity Protocols (p. 6)
IV. Trusted Referee Identity Proofing (p. 7)
  a. Process to Designate a Trusted Referee (p. 8)
  b. Training for Designated Trusted Referees (p. 8)
  c. Example User Interaction with a Trusted Referee (p. 9)
V. Kiosk Based In-Person Identity Proofing with Remote Assistance (p. 10)
  Strong and Fair Types of Document Evidence (p. 11)
I. Ensuring Secure Digital Access for All

Delivering consumer-facing, high-value services online imposes twin imperatives on organizations: access and security. High-value digital services, such as platform access to manage personal healthcare benefits or to perform financial transactions, require adherence to rigorous security requirements in order to protect individuals from identity theft and fraud. Unfortunately, these same security requirements can compromise access for certain demographic groups. For example, young, old, less affluent, and recently migrated individuals are particularly disadvantaged when it comes to proving their identity online.

MILLENNIALS AND GENERATION Z
Younger individuals who do not have an established history of financial transactions do not have identities that can be referenced through data aggregators like credit bureaus. Thus, even though younger individuals between the ages of 18 and 29 are digital natives with cell phone ownership rates of 100% [1] and are capable of securing their accounts with two-factor authentication, they often lack the means to prove that their legal identity exists, a necessary step before they can begin to verify that they are the rightful owner of that identity.

SENIORS
Older individuals are disproportionately challenged with respect to two-factor authentication and computer literacy. Only 80% of Americans aged 65 or older own a cell phone. Additionally, Pew Research notes: “Many seniors remain largely unattached from online and mobile life – 41% do not use the internet at all, 53% do not have broadband access at home, and 23% do not use cell phones.” [2] Thus, while credit bureaus and utilities tend to have records of individuals in this group, it is relatively harder for seniors to navigate the user experience to prove their identity and to protect their account from takeover with two-factor authentication.

[1] Mobile Fact Sheet. Pew Research Center. Available online as of August 31, 2017 at: http://www.pewinternet.org/fact-sheet/mobile/
[2] Older Adults and Technology Use. Pew Research Center. Available online as of August 31, 2017 at: http://www.pewinternet.org/2014/04/03/older-adults-and-technology-use/
LOW INCOME
“Roughly three-in-ten adults with household incomes below $30,000 a year don’t own a smartphone. Nearly half don’t have home broadband services or a traditional computer. And a majority of lower-income Americans are not tablet owners. By comparison, many of these devices are nearly ubiquitous among adults from households earning $100,000 or more a year.” [3] Phone ownership and Mobile Network Operator (MNO) data is useful for both identity proofing and authentication, so this demographic is particularly challenged when attempting to access high-value services online.

NEW IMMIGRANTS
Similar to younger individuals, new immigrants often do not have identities that can be referenced through U.S.-based data aggregators like credit bureaus and utilities. Their credit and financial history in the U.S. is sparse due to their lack of tenure, and they are also more likely to use a prepaid phone. As a result, like younger individuals, they often lack the means to prove that their legal identity exists.

ID.me refers to affected individuals within these groups as “last frontier individuals.” By providing a pathway to secure access for every individual in the groups described above, organizations can more effectively distribute the benefit of easy-to-use, cost-effective, and convenient online services. Additionally, organizations can take advantage of in-person transactions that occur as a natural part of service delivery in order to cheaply and proactively solve identity verification issues.

Access for All
This document provides a path to extend online services to “last frontier individuals” while simultaneously leveraging call center and in-person interactions to increase access.

[3] Anderson, Monica. Digital divide persists even as lower-income Americans make gains in tech adoption. Pew Research Center. Available online as of August 31, 2017 at: http://www.pewresearch.org/fact-tank/2017/03/22/digital-divide-persists-even-as-lower-income-americans-make-gains-in-tech-adoption/
II. Leveraging Authoritative Standards for Interoperable Access

Standards unlock value in the economy by taking cost and friction out of the market. In the payments sector, Visa’s ability to standardize credit and debit cards from issuing banks empowers individuals to easily complete payments at many organizations through a single payment credential. In the shipping industry, the standardization of shipping container specifications allows ships to carry more cargo more efficiently, resulting in lower prices for consumers.

Standardizing digital credentials provides many benefits to individuals and organizations. Organizations can eliminate redundant login and identity proofing systems by accepting credentials from other organizations. Individuals can create a single login, verify their identity one time, and then use that login to prove their identity across multiple websites. This last benefit is particularly important for members of communities who may have a harder time proving their identity online.

Unfortunately, digital identity today is characterized by enterprise, not individual, control of the login and associated personal data. Consumers intuitively realize that a Visa credit card is more valuable than a merchant-issued store card, like a Macy’s credit card, because the former credential may be used wherever they go to conduct commerce, whereas the latter is restricted to payments at Macy’s. To increase access to high-value services, the model for digital identity must move away from an enterprise-centric model of data control to a user-centric model of data control.

a. NIST Standards for Digital Identity Proofing and Authentication

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, publishes federal standards for identity proofing and authentication. These standards are codified in NIST Special Publication 800-63-2 and NIST Special Publication 800-63-3. The General Services Administration (GSA) runs the Federal Identity, Credential, and Access Management (FICAM) program, which audits identity providers against NIST standards to set the stage for interoperability.

ID.me is the only identity provider in America to achieve the highest level of certification that NIST sets for citizen-facing identity providers: Level of Assurance 3 against NIST 800-63-2, and Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2) against NIST 800-63-3. (Note that NIST 800-63-3 maps Level of Assurance 3 to IAL2 and AAL2. For brevity, Level of Assurance 3 is used in this document interchangeably with IAL2 and AAL2.) At Level of Assurance 3, the federal government recognizes digital credentials as a legal form of identification.
After identity proofing a user, the identity provider must protect the login with multifactor authentication: soft or hard tokens that fall into at least two of three categories, something the user knows (passwords), something the user has (a phone or a security key), and something the user is (fingerprint or facial authentication). Once a user obtains a credential that meets NIST’s standards, the result is a user-centric Single Sign-On that delivers the same utility individuals associate with their physical driver’s license.

Unfortunately, “last frontier individuals” struggle to reach Level of Assurance 3 via unassisted online credential issuance methods. ID.me’s experience indicates that up to 90% of Americans are able to obtain a Level of Assurance 3 credential via a finely tuned remote credential issuance experience. However, those rates can fall to less than 70% for members of disadvantaged communities.

Fortunately, NIST has established standards that allow for assisted online proofing flows as well as in-person interactions with trusted referees to create a pathway for “last frontier individuals” to achieve Level of Assurance 3.

b. Support for Identity Protocols

Unlike physical credentials, which are inherently portable on an individual’s person, digital credentials require a network in order to transmit data in an interoperable fashion. Identity protocols make it easier for organizations to consume interoperable credentials in an efficient and secure fashion. For that reason, ID.me supports OAuth 2.0, SAML 2.0, and OpenID Connect.
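Consuming an interoperable credential securely means the relying party checks it, not just receives it. The following Python is an added example, not ID.me's code or documentation, of the checks a relying party performs on an OpenID Connect ID token before trusting the identity it carries: signature, issuer, audience, expiry, nonce, and the assurance level the organization requires. To run offline it signs tokens with HS256 over a shared secret; a production relying party verifies RS256 signatures against keys fetched from the provider's JWKS endpoint. The issuer URL, client ID, secret, and the use of the standard `acr` claim to carry the IAL2/AAL2 level are assumptions; the page does not specify the claim names any provider uses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the offline demonstration (assumptions, not real endpoints or secrets).
ISSUER = "https://idp.example.com"        # stand-in issuer URL
CLIENT_ID = "benefits-portal"             # the relying party's registered client id
SECRET = b"shared-secret-for-demo-only"   # HS256 key; a real provider signs with an asymmetric key
ACR_IAL2_AAL2 = "urn:example:loa3"        # assumed acr value the provider uses for IAL2/AAL2


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (HS256) carrying the given ID token claims.

    Stands in for the identity provider so the example is self-contained.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


class TokenRejected(Exception):
    """Raised with a reason whenever the ID token must not be trusted."""


def validate_id_token(token, secret, issuer, client_id, expected_nonce, required_acr, now=None):
    """Relying-party checks from OpenID Connect Core 3.1.3.7, plus a pinned assurance level."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm instead of trusting the header: an attacker-supplied
    # "alg": "none" or a key-confusion swap must not change how we verify.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % header.get("alg"))
    expected_tag = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, _b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise TokenRejected("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenRejected("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    # The relying party pins the assurance level it needs rather than
    # accepting whatever level the token happens to carry.
    if claims.get("acr") != required_acr:
        raise TokenRejected("assurance level %r does not satisfy policy" % claims.get("acr"))
    return claims
```

The nonce must be the value the relying party generated for this login and stored in the user's session before redirecting to the provider; checking it is what ties the returned token to the request that started the flow. Everything else (issuer, audience, expiry, assurance level) is compared against configuration the relying party controls, never against values taken from the token itself.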
IV. Trusted Referee Identity Proofing

ID.me’s Referee app allows individuals to proof at Level of Assurance 3 through a live video chat by presenting the same documents they would typically bring to a DMV. ID.me’s Referee app may also be used in person, such as in healthcare settings, to increase access points for REAL ID issuance. Sections 4.4.2 and 5.3.4 of NIST 800-63-3 [4] address in-person proofing through trusted referees. The guidelines and requirements set forth in Section 5.3.4 are listed below. Following the NIST requirements, this section describes how ID.me implements trusted referee proofing.

5.3.4 Trusted Referee Requirements
1. The CSP MAY use trusted referees — such as notaries, legal guardians, medical professionals, conservators, persons with power of attorney, or some other form of trained and approved or certified individuals — that can vouch for or act on behalf of the applicant in accordance with applicable laws, regulations, or agency policy. The CSP MAY use a trusted referee for both remote and in-person processes.
2. The CSP SHALL establish written policy and procedures as to how a trusted referee is determined and the lifecycle by which the trusted referee retains their status as a valid referee, to include any restrictions, as well as any revocation and suspension requirements.
3. The CSP SHALL proof the trusted referee at the same IAL as the applicant proofing. In addition, the CSP SHALL determine the minimum evidence required to bind the relationship between the trusted referee and the applicant.
4. The CSP SHOULD perform re-proofing of the subscriber at regular intervals defined in the written policy specified in item 1 above, with the goal of satisfying the requirements of Section 4.4.1.

Call center and in-person proofing through trusted referees closes the gap for “last frontier individuals” by allowing organizations and the identity provider to decide the certification of individuals who may serve as trusted referees. [5] Additionally, documents presented to a trusted referee in person are “stand-alone” because the referee can review the applicant’s face and documents in person or through the live virtual chat. While identity providers are encouraged to “re-proof” the individual to satisfy Section 4.4.1, this step is not mandatory, a particularly important fact for younger individuals who may not have an identity registered in financial records. In the event users need a hard token to achieve MFA, trusted referees may also serve as a distribution point for hard tokens.

[4] Available online as of August 31, 2017 at: https://pages.nist.gov/800-63-3/sp800-63a.html
[5] While notary publics are useful examples of trusted referees, state regulations for notaries vary dramatically, with the cost of a notarized document ranging from less than a dollar to more than $20 depending on the state. For that reason, notaries provide a helpful example of a trusted person but do not represent an economically viable path for most “last frontier individuals.”
a. Process to Designate a Trusted Referee

Organizations may designate people with certain certifications as trusted referees even if they are external to the organization. This is particularly true for individuals who occupy positions of trust in society. For example, an organization could designate any credentialed healthcare provider as a potential trusted referee by requiring ID.me to use Health and Human Services’ (HHS) NPPES web service to validate a National Provider Identifier (NPI) after a user finishes identity proofing their legal identity and binds tokens to achieve MFA. Similarly, an organization could designate any attorney who is an active member of the bar in a given state as a trusted referee by requiring ID.me to verify that a user is an attorney.

ID.me accomplishes these tasks through an attribute exchange that queries authoritative registration authorities as dictated by an organization’s policy. To designate employees and contractors in certain roles as trusted referees, an organization may also link an LDAP or Active Directory to ID.me so ID.me may validate the role of the user in the organization.
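The designation process above has a fixed order: the candidate is proofed and bound to MFA first, and only then is an authoritative registry or directory consulted. The Python below is an added example of that policy check, not ID.me's code or schema. It enforces the precondition from SP 800-63A 5.3.4 item 3 (the referee is proofed at the IAL the applicants will be proofed at), validates the NPI check digit before any lookup, and, after the lookup, requires that the registry record be active and that its name match the proofed legal name, so a valid NPI cannot be borrowed by someone else. The registry records, the policy dictionary, and the directory group names are constructed for the example; the record shape only loosely follows the public NPI Registry API.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ProofedUser:
    """A user who has already completed identity proofing and MFA binding."""
    sub: str
    legal_first: str
    legal_last: str
    ial: int                       # identity assurance level reached during proofing
    aal: int                       # authenticator assurance level of the bound tokens
    directory_groups: List[str] = field(default_factory=list)  # from the linked LDAP/AD


@dataclass
class Decision:
    eligible: bool
    reasons: List[str]             # empty when eligible; otherwise every failed check


# Constructed stand-in for the NPPES NPI Registry (assumption: "basic" block loosely
# follows the public registry API; these are not real providers).
FAKE_NPI_REGISTRY: Dict[str, dict] = {
    "1234567893": {"basic": {"first_name": "ALICE", "last_name": "RIVERA", "status": "A"}},
    "1245319599": {"basic": {"first_name": "BOB", "last_name": "CHEN", "status": "D"}},  # deactivated
}

# Hypothetical organization policy (assumption: not ID.me's configuration format).
REFEREE_POLICY = {
    "required_ial": 2,
    "required_aal": 2,
    "referee_groups": ["CN=Enrollment-Referees,OU=Groups,DC=example,DC=org"],
}


def npi_check_digit_ok(npi: str) -> bool:
    """Syntactic NPI check: Luhn over the constant prefix 80840 followed by the 10 digits.

    Rejecting malformed identifiers here keeps typos and fabricated numbers
    from ever reaching the registry query.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:             # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def evaluate_referee_designation(
    user: ProofedUser,
    path: str,
    policy: dict,
    npi: Optional[str] = None,
    npi_lookup: Callable[[str], Optional[dict]] = FAKE_NPI_REGISTRY.get,
) -> Decision:
    """Decide whether an already-proofed user may be designated a trusted referee.

    path is "healthcare_provider" (attribute exchange against the NPI registry)
    or "employee_role" (role validated against the organization's directory).
    """
    reasons: List[str] = []

    # SP 800-63A 5.3.4 item 3: the referee is proofed at the same IAL as the applicants
    # they will vouch for; the page additionally requires MFA to be bound first.
    if user.ial < policy["required_ial"]:
        reasons.append(f"referee proofed at IAL{user.ial}, policy requires IAL{policy['required_ial']}")
    if user.aal < policy["required_aal"]:
        reasons.append(f"referee authenticators are AAL{user.aal}, policy requires AAL{policy['required_aal']}")

    if path == "healthcare_provider":
        if npi is None or not npi_check_digit_ok(npi):
            reasons.append("NPI missing or fails the check digit")
        else:
            record = npi_lookup(npi)
            if record is None:
                reasons.append("NPI not found in the registry")
            else:
                basic = record.get("basic", {})
                if basic.get("status") != "A":
                    reasons.append("NPI is not active")
                registry_name = (basic.get("first_name", "").upper(), basic.get("last_name", "").upper())
                proofed_name = (user.legal_first.upper(), user.legal_last.upper())
                if registry_name != proofed_name:
                    # Bind the designation to the proofed person, not merely to a valid NPI.
                    reasons.append("registry name does not match the proofed legal name")
    elif path == "employee_role":
        if not set(policy["referee_groups"]).intersection(user.directory_groups):
            reasons.append("user holds no directory group designated as a referee role")
    else:
        reasons.append(f"unknown designation path {path!r}")

    return Decision(eligible=not reasons, reasons=reasons)
```

Returning every failed reason rather than stopping at the first gives the organization an audit record for the written policy that 5.3.4 item 2 requires. The same function can be re-run on a schedule against the live registry, so a deactivated NPI or a removed directory group revokes the designation instead of leaving a stale referee in place.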
b. Training for Designated Trusted Referees

Once a trusted referee is credentialed, the referee must complete training to ensure a sufficiently rigorous and fair experience for users interacting with trusted referees. ID.me uses documents accepted by REAL ID compliant DMVs in order to take advantage of a widely documented and accessible process for referee-based identity proofing. In simple terms: ID.me saw no need to reinvent the wheel.

Trusted referees complete an online training module to activate their ability to credential users in person. Additionally, ID.me leverages in-app prompts to guide the trusted referee through a wizard-like experience so the trusted referee is reminded at each step of the appropriate protocol to follow.
c. Example User Interaction with a Trusted Referee

The process for users to complete identity proofing with a trusted referee is straightforward. All trusted referees must have ID.me’s native iOS or Android application installed on their smartphone. Users do not need to have ID.me’s native application installed or to have a smartphone.

The average call center based identity proofing session lasts less than five minutes.
V. Kiosk Based In-Person Identity Proofing with Remote Assistance

For high-traffic locations, ID.me is capable of deploying self-serve kiosks. NIST used this particular kiosk model to develop the in-person proofing standards with remote supervision in NIST SP 800-63A. ID.me’s self-service kiosks have advanced capabilities for identity document verification, biometric trait capture, and real-time customer support. In attended mode, these kiosks are capable of supporting the issuance of PIV and PIV-I PKI credentials. In unattended mode, ID.me provides real-time customer support to enrolling users remotely through a video feed on the kiosk to an ID.me member support representative. San Diego is deploying ID.me kiosks to credential San Diego residents on November 15, 2018.
STRONG AND FAIR TYPES OF DOCUMENT EVIDENCE
Reference for Trusted Referee

To have identity verified through ID.me, an applicant must bring either two primary documents, or one primary and two secondary documents, to their identity proofing session.

Primary Identification Documents
• Driver’s license from a U.S. state
• U.S. passport
• U.S. military ID card
• U.S. military dependent ID card
• HSPD 12 PIV card
• U.S. passport card
• Permanent resident card (I-551)
• Employment authorization card (I-766)
• Federal or state ID
• Foreign passport with I-551 stamp
• Veteran’s health ID card
• Transportation Security Administration (TSA) ID card
• DHS trusted traveler cards (Global Entry, NEXUS, SENTRI)
• Canadian driver’s license
• Certificate of Naturalization (Form N-550 or N-570)
• Alien registration receipt card
Secondary Identification Documents
• Credit card
• Health insurance card
• Social security card
• DD214 – U.S. DoD certificate of discharge or release
• U.S. birth certificate
• School ID with photograph
• Voter registration card
• U.S. Coast Guard merchant mariner card
• U.S. citizen ID card – Form I-197
• U.S. DoD Certificate of Birth Abroad (FS-545)
• U.S. DoS Certification of Report of Birth (DS-1350)
• Consular Report of Birth Abroad (FS-240)
• Border crossing card
• Native American tribal document
• Tribal-issued photo ID card
• Canadian Indian and Northern Affairs card
• School record or report card
• Clinic, doctor or hospital record
Trusted Online Identity Verification
ID.me provides fast, secure, and compliant identity verification using a federated approach to credentialing. It is already trusted by federal agencies and corporations to securely manage millions of individual identities. For more information, visit business.ID.me.