260 likes | 439 Views
Report of the IDSP Workshop on Identity Verification. Presented By: Jim McCabe Senior Director, IDSP American National Standards Institute IDtrust 2010 April 13, 2010. What is IDSP?.
E N D
Report of the IDSP Workshop on Identity Verification Presented By: Jim McCabe Senior Director, IDSP American National Standards Institute IDtrust 2010 April 13, 2010
What is IDSP? • ANSI is a not-for-profit membership organization that administers and coordinates the U.S. voluntary standards system • Standards Panels provide a forum where subject matter experts from the private and public sectors work cooperatively to identify standards needed to address emerging national priorities • Identity Theft Prevention and Identity Management Standards Panel (IDSP) is a cross-sector coordinating body whose objective is to facilitate the development, promulgation and use of standards and guidelines to combat ID theft and fraud • Identify existing standards, guidelines and best practices • Analyze gaps, need for new standards, leading to improvements • Make recommendations widely available to businesses, government, consumers
Workshop Participants North American Security Products Organization (NASPO) National Institute of Standards & Technology (NIST) Dept. of Homeland Security (DHS) General Services Administration (GSA) National Assn for Public Health Statistics & Information Systems (NAPHSIS) American Assn of Motor Vehicle Administrators (AAMVA) Colorado Div. of Motor Vehicles Coalition for a Secure Driver’s License Social Security Administration Others
The Identity Verification (ID-V) ProblemStarts at Issuance • Fraudsters exploit circularity of agencies relying on but not authenticating primary USA “identity” documents issued by other agencies (birth certificates, Social Security numbers / cards, state-issued driver’s licenses / ID cards) • Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) requires verification of identity prior to issuance of birth certificates • IRTPA regulations have not been released even in draft form • REAL ID Act of 2005 requires verification of identity prior to issuance of driver’s licenses / ID cards • Does not provide guidance on how to corroborate a claim of identity under different circumstances
Birth Certificates Especially Problematic • Birth certificates considered an acceptable breeder document in many states but typically not verified by the issuing agency • No biometric linking individual to birth record • Within 57 jurisdictions, there are 6,400 registrars and 14,000 variations of certified birth certificates • Person obtaining certified copy may not have legal rights to record—some states have “open” records policies • Birth certificate may not be valid for person presenting it • Information on birth certificate may not be factual • Death records may be absent or delayed
Solutions in Progress • National Assn for Public Health Statistics and Information Systems (NAPHSIS) developing security guidelines • Recommending states have “closed” record policies • Focusing on physical security of vital records offices • NAPHSIS looking to expand Electronic Verification of Vital Event (EVVE) system currently only available in some states (Feb 2010 update: 19 states online w/EVVE; implementation in progress in 4 more states and NY City) • Provides government-to-government verification of birth and death information • Earlier IDSP report encouraged this expansion
Solutions in Progress (contd.) • HHS CDC / National Center for Health Statistics charged with rulemaking under section 7211 of IRTPA • Will regulate how states issue vital records but states may decide not to comply • Will reduce number of birth certificate forms to about 57 • Earlier IDSP report noted that rulemaking has been delayed and recommended that these standards are needed now
Workshop Recommendation • Issuers of primary USA “identity” documents need a process by which they can achieve a level of assurance whether to accept or reject a person’s claim of identity • One or more practical methods to verify identity with very high confidence, high confidence, some confidence or low/no confidence • Guidelines on identity verification should be developed with a view toward eventual development of an American National Standard
Envisioned Benefits Enhanced security / credibility of identity vetting processes and foundational identity documents Enhanced security / credibility of credentials issued downstream based on the presentation of these foundational documents as evidence of identity Other government credentials (FIPS 201 PIV cards, U.S. passports, Medicare / Medicaid cards) Commercial credentials (credit / charge cards) Will help to reduce identity theft Will help to protect Americans from terrorist attacks And more . . .
Project Phases Phase 1 – Concept Formulation – 8 months How to build certainty in a claimed identity Criteria for the acceptance/rejection of a claim Methods for the detection of fraud Deliver draft Guideline Phase 2 – Testing – 4 months State vital record offices (birth certificate issuance) State DMVs (DL & ID card issuance) Release of Guideline Phase 3 – Standardization – 8-12 months ANSI/NASPO-IDV-2010 Methods for the Verification of Personal Identity
Timeline • Initial IDSP workshop meetings July – Sept 2008 • Project plan developed / team formed led by NASPO • Concept formulation meetings Oct, Dec 2008, Feb 2009 • IDSP workshop report and NASPO ID-V project then proceeded on parallel tracks. Both released Oct 2009. • March 29, 2010 – NASPO formally announces its intention to develop an American National Standard • Project Initiation Notification System (PINS) 30 day announcement for public comment in April 9 edition of ANSI Standards Actionwww.ansi.org/standardsaction
Conceptual Approach for Identity Verification Guidelines Presented By: Brian Zimmer Panel Member, IDSP President, Coalition for a Secure Driver’s License IDtrust 2010 April 13, 2010
The Chosen Concept for Verified Identity • An aggregation of evidence / adjudication process • Accreditation of Identity Adjudicators • An “Identity Resume” • An in-person meeting & biometric capture • Verification of key items of corroborative evidence • Use of acceptance/rejection criteria • A two step exceptions process • Binding of the person to the verified identity • Possible issuance of a ID-V token or certificate • Detailed procedures to be followed for the whole adjudication process
Key Concepts Selection and training of identity adjudicators to manage, administer and effect the process (Background check) Use of an identity resume to define the identity, gather information, detect fraud and reduce uncertainty An in-person meeting to provide opportunities for candidate / adjudicator interaction, observation and biometric capture Preparation and implementation of a personalized plan for verification of evidence Procedures for verification of the origins and continuous use of identity for both USA and foreign born persons
Key Concepts (cont.) Use of a contra indications format for the documentation and presentation of raw results Procedures for evaluation and aggregation of evidence and mitigation of significant contra indications Procedures for identification of critical combinations of findings to enable fraud detection Criteria (thresholds) for acceptance or rejection of the claimed identity optimized to the needs of the relying party A two step process to deal with problem cases Biometric binding of the person to the verified identity followed by registration of results
Deliverable Content Part 1 – Resume Introduction Part 2 – Identity Resume RFI Part 3 – Resume Preparation Instructions Part 4 – Adjudication Process Description Part 5 – Adjudicator Responsibilities Part 6 – Adjudication Procedures
The Identity Resume This is a request for information that will enable: definition of a person’s identity corroborative evidence to be collected uncertainty inherent in corroborative evidence to be reduced symptoms of identity fraud to be detected Information items c) & d) in the Resume are based on: for c) – an analysis of the uncertainty or risk associated with each item of corroborative evidence and how to reduce it for d) – an analysis of behavior expected by each type of identity fraud leading to the inclusion of “imposter traps”
Resume Content • Your origins • Your early years • Your family • Any name changes? • Your education & training • Places you have lived • Your licenses • Your citizenship • Your work history • Your memberships • Your ownerships • Unique events/experiences • Your special skills • Personal information • Your ID Documents • Additional corrob. evidence
Adjudicator Responsibilities • Prior to the In-Person Meeting • During the In-Person Meeting • Following the In-Person Meeting • Analysis of the Resume • Document Authentication • Verification of Corroborative Evidence • Documentation of Findings & Contra Indications • Assessment of Impacts on Proof of Origin & Use • Evaluation, Decision & Action
Thank You.To obtain the IDSP workshop reporthttp://webstore.ansi.org/identitytheftTo obtain a summary of the NASPO ID-V projecthttp://www.naspo.info/PDFiles/ID-V_Project.pdfFor further information, contact Graham Whitehead, NASPO, gdw@naspo.infoJim McCabe Brian Zimmerjmccabe@ansi.orgBrianZimmer@IDSecurityNow.org212.642.8921 202-312-1540www.ansi.org/idspwww.secure-license.org