Choosing Evidence for Digital Identity Proofing
Identity proofing is key to starting the relationship between a user and your digital service. This is the “Before we start, I’ll need some information from you… ” part, but what information (evidence) should you ask for? In this post we will discuss how to think about and compare the strengths and weaknesses of possible evidence. I wrote this in the context of public sector service delivery and thinking through how you might enroll individuals in a new public digital service you are contemplating.
Identity Proofing and Assurance Levels
An identity proofing process establishes the uniqueness and validity of an individual’s identity before granting them access to a resource or service. If this process determines that the applicant is who they claim to be, then the individual is typically given a physical or digital credential that shows they have been successfully vetted.
This process takes evidence as input and is designed to achieve a level of assurance, which is an indication of how confident you are that the person presenting evidence of their identity is truly who they claim to be. It is the level of robustness and effectiveness of your identity proofing processes to confidently determine the identity of an individual.
There are various standards defining levels of identity assurance, e.g., NIST 800-63, the Pan-Canadian Trust Framework (PCTF), and the Canadian government’s Guideline on Identity Assurance. There are differences between them, but broadly speaking they define a set of levels between 0 and 3 (or 4), and to reach a level above 1 your proofing process needs to compare at least one piece of evidence against an authoritative source.
So, what do I mean by evidence? Evidence is any information you present to a person or system to prove you are who you say you are. This can be many things, including:
- A physical credential, such as a driver’s license, passport, or credit card.
- A digital credential, such as a digital certificate or self-sovereign verified credential.
- An answer to a question.
- Biometric data, such as a fingerprint, retina scan, photo, or your presence (e.g., at a service counter or over video conference).
Below is a set of criteria to help you think through some of the important aspects of potential evidence and their suitability for your service. Not all of these may apply to your situation and there could be others that warrant consideration, but I hope this provides a solid starting point.
For some projects I have put this list into a spreadsheet and given each type of evidence a score for each aspect, e.g., on a scale from 1-5 where 1 is weak and 5 is very strong. This can give you a quick assessment and allow you to narrow down your search to a few viable candidates.
Coverage – The percentage of your target population who may have this evidence. Not everyone has a driver’s license. Not everyone has a passport.
Shared secrecy – The extent to which the evidence is known only to the individual and the authoritative source. Data that may be public or semi-public, and data that can be easily guessed would of course score low on this dimension.
Resolution – How well the presented evidence uniquely identifies an individual. A credit card with your first and last name, especially when you are David Smith, would not provide strong resolution. Biometric data, like a retina scan, resolves strongly to a single person.
Validation – The ability to detect fraudulent, revoked, or otherwise invalid evidence. A modern passport, for example, has many anti-fraud features that can be checked with the right equipment and training.
Legislative Feasibility – An assessment of how well existing legislation would support the use of this evidence for the purposes of identity verification. Health cards, as one example, warrant a close look because of the sensitivity of personal health information and the presence of healthcare legislation that may limit the use of this data. Evidence that comes from outside the realm of the service you are offering will require closer attention since it may not have been collected for the purpose you have in mind.
Accuracy – The accuracy of the evidence data. When accepting a credential as evidence, for example, does the issuer of the credential perform checks on the data, or is data purely user-submitted?
Underlying Identity Proofing – The identity proofing required (if any is) to get the credential or whatever form of evidence you will ask for. You may be surprised at what you find out when you start asking questions like: what does it take to get a driver’s license? The PCTF’s Public Sector Profile (draft) makes a clear distinction that ties into this criterion, which is the difference between evidence that supports a foundational vs. contextual identity. Foundational identity evidence originates from records of birth, immigration, or business registration (“foundational events”). Contextual identity evidence includes drivers’ licenses, passports, and social media profiles.
Currency – The frequency with which the evidence data is updated.
User Reaction – How comfortable will this be for users? For example, checks involving biometrics, location history, or financial data can be invasive or creepy to some users (by the way, have you talked to your potential users?).
Technical Feasibility – The ease with which the evidence can be gathered from the user and validated. Requiring the latest versions of mobile devices or installation of specialized software can be drawbacks.
Accountability and Incentives – Is the issuer of the evidence accountable (or can they be made accountable) for the quality of their proofing? Are they rewarded for doing a good job and are there consequences for doing a poor job?
Stability – Will this evidence be available for the next 5, 10, 20 years? Will it look the same or is it likely to change?
There are a couple of additional aspects I want to mention that are somewhat broader.
The first is feedback. How will you measure success? Can you tie failures back to the underlying evidence to drive improvements? For example, if an account was created for a fake identity, are you aware of this incident and can you trace it back to the evidence that allowed the account to be provisioned? No identity proofing process is 100% accurate and being aware of how it is performing is critical to identifying issues and knowing whether your improvement efforts have the desired effects.
Secondly, plan for change. What happens when this evidence is no longer available to you or it changes significantly? The UK’s Verify program is instructive in this respect. Their identity verification process relies solely on private companies, many of which have pulled out of the program and caused serious concerns over the program’s long term viability.
I hope you have found some useful perspectives and questions that help with your work. Identity management is constantly changing and we in the field need to share our knowledge and experience to give us all the best chance of getting it right. Best of luck,