No Identity Left Behind
Enabling Access for All with Call Center and In-Person Identity Proofing

Copyright © 2018 ID.me, Inc.


I. Ensuring Secure Digital Access for All

Millennials and Generation Z

Seniors

Low Income

New Immigrants

II. Leveraging Authoritative Standards for Interoperable Access

a. NIST Standards for Digital Identity Proofing and Authentication

b. Support for Identity Protocols

IV. Trusted Referee Identity Proofing

a. Process to Designate a Trusted Referee

b. Training for Designated Trusted Referees

c. Example User Interaction with a Trusted Referee

V. Kiosk Based In-Person Identity Proofing with Remote Assistance

Strong and Fair Types of Document Evidence

I. Ensuring Secure Digital Access for All

Delivering consumer-facing high-value services online imposes twin imperatives on organizations: access and security. High-value digital services such as platform access to manage personal healthcare benefits or to perform financial transactions require adherence to rigorous security requirements in order to protect individuals from identity theft and fraud. Unfortunately, these same security requirements can compromise access for certain demographic groups. For example, young, old, less affluent and recently migrated individuals are particularly disadvantaged when it comes to proving their identity online.

MILLENNIALS AND GENERATION Z

Younger individuals who do not have an established history of financial transactions do not have identities that can be referenced through data aggregators like credit bureaus. Thus, even though younger individuals between the ages of 18–29 are digital natives with cell phone ownership rates of 100%[1] and are capable of securing their accounts with two-factor authentication, they often lack the means to prove their legal identity exists – a necessary step before they can begin to verify that they are the rightful owner of that identity.

SENIORS

Older individuals are disproportionately challenged with respect to two-factor authentication and computer literacy. Only 80% of Americans over the age of 65 years old own a cell phone. Additionally, Pew Research notes: “Many seniors remain largely unattached from online and mobile life – 41% do not use the internet at all, 53% do not have broadband access at home, and 23% do not use cell phones.”[2] Thus, while credit bureaus and utilities tend to have records of individuals in this group, it is relatively harder for seniors to navigate the user experience to prove their identity and to protect their account from takeover with two-factor authentication.

[1] Mobile Fact Sheet. Pew Research Center. Available online as of August 31, 2017 at: http://www.pewinternet.org/fact-sheet/mobile/

[2] Older Adults and Technology Use. Pew Research Center. Available online as of August 31, 2017 at: http://www.pewinternet.org/2014/04/03/older-adults-and-technology-use/

LOW INCOME

“Roughly three-in-ten adults with household incomes below $30,000 a year don’t own a smartphone. Nearly half don’t have home broadband services or a traditional computer. And a majority of lower-income Americans are not tablet owners. By comparison, many of these devices are nearly ubiquitous among adults from households earning $100,000 or more a year.”[3] Phone ownership and Mobile Network Operator (MNO) data is useful for both identity proofing and authentication, so this demographic is particularly challenged when attempting to access high-value services online.

NEW IMMIGRANTS

Similar to younger individuals, new immigrants often do not have identities that can be referenced through U.S.-based data aggregators like credit bureaus and utilities. Their credit and financial history in the U.S. is sparse due to their lack of tenure, and they are also more likely to use a prepaid phone. As a result, like younger individuals, they often lack the means to prove their legal identity exists.

ID.me refers to affected individuals within these groups as “last frontier individuals.” By providing a pathway to secure access for every individual in the groups described above, organizations can more effectively distribute the benefit of easy-to-use, cost-effective, and convenient online services. Additionally, organizations can take advantage of in-person transactions that occur as a natural part of service delivery in order to cheaply and proactively solve identity verification issues.

Access for All

This document provides a path to extend online services to “last frontier individuals” while simultaneously leveraging call center and in-person interactions to increase access.

[3] Anderson, Monica. Digital divide persists even as lower-income Americans make gains in tech adoption. Pew Research Center. Available online as of August 31, 2017 at: http://www.pewresearch.org/fact-tank/2017/03/22/digital-divide-persists-even-as-lower-income-americans-make-gains-in-tech-adoption/

II. Leveraging Authoritative Standards for Interoperable Access

Standards unlock value in the economy by taking cost and friction out of the market. In the payments sector, Visa’s ability to standardize credit and debit cards from issuing banks empowers individuals to easily complete payments at many organizations through a single payment credential. In the shipping industry, the standardization of shipping container specifications allows ships to carry more cargo more efficiently resulting in lower prices for consumers.

Standardizing digital credentials provides many benefits to individuals and organizations. Organizations can eliminate redundant login and identity proofing systems by accepting credentials from other organizations. Individuals can create a single login and verify their identity one time and then use that login to prove their identity across multiple websites. This last benefit is particularly important for members of communities who may have a harder time proving their identity online.

Unfortunately, digital identity is characterized by enterprise, not individual, control of the login and associated personal data. Consumers intuitively realize that a Visa credit card is more valuable than a merchant-issued store card, like a Macy’s credit card, because the former credential may be used wherever they go to conduct commerce, whereas the latter is restricted for payments only at Macy’s. To increase access to high-value services, the model for digital identity must move away from an enterprise-centric model of data control to a user-centric model of data control.

a. NIST Standards for Digital Identity Proofing and Authentication

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, publishes federal standards for identity proofing and authentication. These standards are codified in NIST Special Publication 800-63-2 and NIST Special Publication 800-63-3. The General Services Administration (GSA) runs the Federal and Identity Credential Access Management (FICAM) program that audits identity providers against NIST standards to set the stage for interoperability.

ID.me is the only identity provider in America to achieve the highest level of certification that NIST sets for citizen-facing identity providers: Level of Assurance 3 against NIST 800-63-2 and Identity Assurance Level 2 and Authenticator Assurance Level 2 against NIST 800-63-3. (Note, NIST’s 800-63-3 standards refer to Level of Assurance 3 as IAL2 and AAL2. For efficiency, Level of Assurance 3 is used in this document interchangeably for IAL2 and AAL2). At Level of Assurance 3, the federal government recognizes digital credentials as a legal form of identification.


After identity proofing a user, the identity provider must protect the login with multifactor authentication: soft or hard tokens that fall into at least two of three categories of something the user knows (passwords), something the user has (a phone or a security key), and something the user is (fingerprint or facial authentication). Once a user obtains a credential that meets NIST’s standards, the result is a user-centric Single Sign On that delivers the same utility individuals associate with their physical driver’s license.

Unfortunately, “last frontier individuals” struggle to reach Level of Assurance 3 via unassisted online credential issuance methods. ID.me’s experience indicates that up to 90% of Americans are able to obtain a Level of Assurance 3 credential via a finely tuned remote credential issuance experience. However, those rates can fall to less than 70% for members of disadvantaged communities.

Fortunately, NIST has established standards that allow for assisted online proofing flows as well as in-person interactions with trusted referees to create a pathway for “last frontier individuals” to achieve Level of Assurance 3.

b. Support for Identity Protocols

Unlike physical credentials that are inherently portable on an individual’s person, digital credentials require a network in order to transmit data in an interoperable fashion. Identity protocols make it easier for organizations to consume interoperable credentials in an efficient and secure fashion. For that reason, ID.me supports OAuth 2.0, SAML 2.0, and OpenID Connect.

III.

IV. Trusted Referee Identity Proofing

ID.me’s Referee app allows for individuals to proof at Level of Assurance 3 through a live, video chat by presenting the same documents they would typically bring to a DMV. ID.me’s Referee app may also be used in-person such as in healthcare settings to increase access points for REAL ID issuance. Sections 4.4.2 and 5.3.4 of NIST 800-63-3[4] address in-person proofing through trusted referees. The guidelines and requirements set forth in Section 5.3.4 are listed below. Subsequent to the NIST standards, this section describes how ID.me implements trusted referee proofing.

[4] Available online as of August 31, 2017 at: https://pages.nist.gov/800-63-3/sp800-63a.html

5.3.4 Trusted Referee Requirements

1. The CSP MAY use trusted referees — such as notaries, legal guardians, medical professionals, conservators, persons with power of attorney, or some other form of trained and approved or certified individuals — that can vouch for or act on behalf of the applicant in accordance with applicable laws, regulations, or agency policy. The CSP MAY use a trusted referee for both remote and in-person processes.

2. The CSP SHALL establish written policy and procedures as to how a trusted referee is determined and the lifecycle by which the trusted referee retains their status as a valid referee, to include any restrictions, as well as any revocation and suspension requirements.

3. The CSP SHALL proof the trusted referee at the same IAL as the applicant proofing. In addition, the CSP SHALL determine the minimum evidence required to bind the relationship between the trusted referee and the applicant.

4. The CSP SHOULD perform re-proofing of the subscriber at regular intervals defined in the written policy specified in item 1 above, with the goal of satisfying the requirements of Section 4.4.1.

Call center and in-person proofing through trusted referees closes the gap for “last frontier individuals” by allowing organizations and the identity provider to decide the certification of individuals who may serve as trusted referees.[5] Additionally, documents presented to a trusted referee in-person are “stand-alone” because the Referee can review the applicant’s face and documents in-person or through the live virtual chat. While identity providers are encouraged to “re-proof” the individual to satisfy Section 4.4.1, this step is not mandatory – a particularly important fact for younger individuals who may not have an identity registered in financial records. In the event users need a hard token to achieve MFA, trusted referees may also serve as a distribution point for hard tokens.

[5] While notary publics are useful examples of trusted referees, state regulations for notaries vary dramatically with the cost of a notarized document ranging from less than a dollar to more than $20 depending on the state. For that reason, notaries provide a helpful example of a trusted person but do not represent an economically viable path for most “last frontier individuals.”


a. Process to Designate a Trusted Referee

Organizations may designate people with certain certifications as trusted referees even if they are external to the organization. This is particularly true for individuals who occupy positions of trust in society. For example, an organization could designate any credentialed healthcare provider as a potential trusted referee by requiring ID.me to use Health and Human Services’ (HHS) NPPES web service to validate a National Provider Identifier (NPI) after a user finishes identity proofing their legal identity and binds tokens to achieve MFA. Similarly, an organization could designate any attorney who is an active member of the bar in a given state as a trusted referee by requiring ID.me to verify that a user is an attorney.

ID.me accomplishes these tasks through an attribute exchange that queries authoritative registration authorities as dictated by an organization’s policy. To designate employees and contractors in certain roles as trusted referees, an organization may also link an LDAP or Active Directory to ID.me so ID.me may validate the role of the user in the organization.

b. Training for Designated Trusted Referees

Once a trusted referee is credentialed, the referee must complete training to ensure a sufficiently rigorous and fair experience for users interacting with trusted referees. ID.me uses documents accepted by REAL ID compliant DMVs in order to take advantage of a widely documented and accessible process for Referee based identity proofing. In simple terms: ID.me saw no need to re-invent the wheel.

Trusted referees complete an online training module to activate their ability to credential users in-person. Additionally, ID.me leverages in-app prompts to guide the trusted referee through a wizard-like experience so the trusted referee is reminded at each step of the appropriate protocol to follow.


c. Example User Interaction with a Trusted Referee

The process for users to complete identity proofing with a trusted referee is straightforward. All trusted referees must have ID.me’s native iOS or Android application installed on their smartphone. Users do not need to have ID.me’s native application installed or to have a smartphone.

The average call center based identity proofing session lasts less than five minutes.


V. Kiosk Based In-Person Identity Proofing with Remote Assistance

For high traffic locations, ID.me is capable of deploying self-serve kiosks. NIST used this particular kiosk model to develop the in-person proofing standards with remote supervision in NIST 800-63-a. ID.me’s self-service kiosks have advanced capabilities for identity document verification, biometric trait capture, and real-time customer support. In attended mode, these kiosks are capable of supporting the issuance of PIV and PIV-i PKI credentials. In unattended mode, ID.me provides real-time customer support to enrolling users remotely through a video feed on the kiosk to an ID.me member support representative. San Diego is deploying ID.me kiosks to credential San Diego residents on November 15, 2018.


STRONG AND FAIR TYPES OF DOCUMENT EVIDENCE

Reference for Trusted Referee

Primary Identification Documents

• Driver’s license from a U.S. state
• U.S. passport
• U.S. military ID card
• U.S. military dependent ID card
• HSPD 12 PIV card
• U.S. passport card
• Permanent resident card (I-551)
• Employment authorization card (I-766)
• Federal or state ID
• Foreign passport with I-551 stamp
• Veteran’s health ID card
• Transportation Security Administration (TSA) ID Card
• DHS trusted traveler cards (Global Entry, NEXUS, SENTRI)
• Canadian driver’s license
• Certificate of Naturalization (Form N-550 or N-570)
• Alien registration receipt card

To have identity verified through ID.me, an applicant must bring either two primary documents, or one primary and two secondary documents to their Identity Proofing session.

Secondary Identification Documents

• Credit card
• Health insurance card
• Social security card
• DD214 – U.S. DoD certificate of discharge or release
• U.S. birth certificate
• School ID with photograph
• Voter registration card
• U.S. Coast Guard merchant mariner card
• U.S. citizen ID card – Form I-197
• U.S. DoD Certificate of Birth Abroad (FS-545)
• U.S. DoS Certification of Report of Birth (DS-1350)
• Consular Report of Birth Abroad (FS-240)
• Border crossing card
• Native American tribal document
• Tribal-issued photo ID card
• Canadian Indian and Northern Affairs card
• School record or report card
• Clinic, doctor or hospital record


Trusted Online Identity Verification

ID.me provides fast, secure and compliant identity verification using a federated approach to credentialing. It is already trusted by federal agencies and corporations to securely manage millions of individual identities. For more information, visit business.ID.me.

CONTACT INFO:

[email protected]