Digital Identity Proofing – Identity Triangles
As the services accessible online continue to grow at a steady rate, the question of digital identity and how it is implemented is becoming increasingly important.
With the rise in the number of transactions being undertaken online, there has been a corresponding increase in identity fraud, often as a result of personal information acquired during cyberattacks. It is due to this increased threat of identity fraud that the issue of Digital Identity has come to the forefront.
Typically, people’s ideas of what constitutes an identity vary significantly depending on their cultural background as well as previous exposure to identity proofing. An identity can be interpreted in many ways, for example as the physical characteristics of a person, or as a person’s name, address and age. It is therefore important to establish a consistent and reliable method for establishing an identity, so that it can be reused and is appropriately robust for the information it is used to protect or the transaction it is used to conduct.
As mentioned previously, a Digital Identity and its associated framework should be scalable, providing an appropriate level of security for both the lower risk and the higher risk information and transactions that an identity may wish to access or undertake, in addition to improving user friendliness and the corresponding adoption rates of the service (which should always be a consideration; a framework with no users is next to worthless).
A common and effective model used to manage the identity proofing process is the ‘Identity Triangle’. The Identity Triangle consists of 3 key elements: the Person, the Information and the Token. In addition to these elements, two main processes form the identity proofing framework: Enrolment (which consists of Registration, Validation and Verification) and Checking (Verification, Authentication, Identification).
Of the key elements, the Person is the easiest to define – it is the real-life person who is the holder of the identity. The Information is any official, validated information that exists about the person. The Token is the identity document(s) or device(s) (this can be any number of actual items) that are used by the identity.
All of these key elements are important in verifying and authenticating an identity and impact the Identity Triangle process throughout its varying stages.
Enrolment, the first stage, occurs when a Person is joining the identity proofing system. This stage usually involves a set of three steps involving the elements mentioned previously.
Registration – Moving from the Person element to the Information element (about the person). This step involves collecting information that can include biographical data such as names, addresses and an associated number (such as a Tax File Number), but may also include biometric data such as fingerprint, facial, iris or DNA.
Validation – Validation typically consists of collecting data from an individual and validating and verifying the collected data with the individual person involved. This information is then used to create a token that has the correct attributes and/or details for that person assigned to it. The token has all the relevant information connected to it about the person who is to be issued it.
Verification – After the production of the token, it should not be given to anyone other than the individual whose information it contains. It should be confirmed that the token was provided to the correct person. Once this is confirmed then the enrolment process is complete.
The next stage is the previously mentioned Checking process which is used to determine whether a person really belongs to the identity they are claiming. This process consists of 3 main stages.
Verification – The person must be verified against the token they are presenting.
Authentication – The token must be checked for authenticity (there should be no alterations and it should be checked for forgery).
Identification – The token and the person should be checked against the database that is storing the identity details to ensure that they match.
These stages do not necessarily have to occur in the same order in each identity management system. For example, in Australian border situations persons are identified first as either Australians, New Zealanders or Registered Visa Travellers OR Unknown persons who may be undocumented or incorrectly documented.
Not all identity proofing systems will fully use all of the elements mentioned in this article. Some, such as those relying on simple access cards, only really use the Token element in the checking stage for authentication and as such are significantly weaker in terms of identity proofing.
However, for the highest level of security all elements should be used and the processes followed completely for each person. Typically, this is how identity is managed in border control with a passport as the token.
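The Enrolment and Checking processes described above, sketched as an added example (not code from Agilient) that keeps the three Checking results separate, so it is visible what a token-only system such as a simple access card leaves unchecked. The HMAC seal, the in-memory registry and the exact-match biometric comparison are simplifying assumptions; real biometric matching is approximate and real tokens use their own anti-forgery features.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass

ISSUER_KEY = secrets.token_bytes(32)  # assumption: secret held by the token issuer
REGISTRY = {}                         # assumption: in-memory stand-in for the identity database

@dataclass(frozen=True)
class Token:
    token_id: str
    attributes: dict  # the Information bound to the Token
    seal: str         # HMAC over token_id and attributes (assumed anti-forgery measure)

def _seal(token_id, attributes):
    msg = json.dumps({"id": token_id, "attrs": attributes}, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def enrol(name, date_of_birth, biometric):
    """Registration and Validation: record the Information, then issue a sealed Token."""
    attributes = {"name": name, "dob": date_of_birth, "biometric": biometric}
    token_id = secrets.token_hex(8)
    REGISTRY[token_id] = dict(attributes)
    return Token(token_id, attributes, _seal(token_id, attributes))

def check(presented_biometric, token):
    """Run the three Checking stages and report each result separately."""
    record = REGISTRY.get(token.token_id)
    on_token = str(token.attributes.get("biometric", ""))
    return {
        # Verification: does the Person match the Token they present?
        "verification": hmac.compare_digest(presented_biometric, on_token),
        # Authentication: is the Token unaltered since it was issued?
        "authentication": hmac.compare_digest(token.seal, _seal(token.token_id, token.attributes)),
        # Identification: do Token and Person both match the stored record?
        "identification": record is not None and record == token.attributes
                          and record["biometric"] == presented_biometric,
    }

if __name__ == "__main__":
    alice = enrol("Alice Example", "1990-01-01", "template-A")  # constructed sample data
    altered = Token(alice.token_id, {**alice.attributes, "name": "Mallory"}, alice.seal)
    print("genuine holder:", check("template-A", alice))
    print("borrowed token:", check("template-B", alice))
    print("altered token: ", check("template-A", altered))
```

A borrowed token still passes Authentication on its own, which is the only stage a simple access card system performs.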
If you would like to learn more or require assistance in establishing an Identity Proofing Framework within your organisation, do not hesitate to contact Agilient.
The Agilient Team