Last December we saw a Small Business Innovation Research (SBIR)
Solicitation
from the Department of Homeland Security (DHS) where topic
H-SB016.1-010 called for identifying five or more alternatives to
knowledge-based verification (KBV) for remote identity proofing. The
topic was motivated by multiple data breaches, which, as stated in
the Solicitation, showed that “KBV is broken and rapidly becoming less
effective as a verification tool as a by-product of the availability
of personal information on social media as well as the variety of data
breaches of credit bureaus and data brokers”.
We found the topic very interesting for several reasons:
-
In countries like the United States where residents do not have a
national identity card, secure identity proofing is difficult but
essential for cybersecurity. -
Effective methods of remote identity proofing would not only make it
easier for residents to seek government services, but would also
enable new ways of doing business, such as remotely opening a bank
account or applying for a mortgage. -
Reducing the reliance on
knowledge-based verification would reduce identity theft, mitigate its
damage, and increase privacy by shrinking the market for personally
identifiable information (PII). And, - Remote identity proofing has been neglected as a research topic.
Identity management is today a hot topic, but most work in identity
management is focusing on authentication rather than identity
proofing. Most authentication techniques require prior registration
of the person to be authenticated either with a service provider that
requires authentication in order to provide a service, or with an
identity provider that the service provider relies upon to
authenticate the subscriber. Hence such techniques require a
prior relationship between the subscriber and the party that
performs the authentication. By contrast, in identity proofing the
subject to be identified may have no prior relationship with the
verifier that performs the proofing. Therefore most authentication
techniques are not applicable to identity proofing.
Traditionally, identity proofing has been performed either in-person,
relying primarily on a picture ID, or remotely, relying primarily on
knowledge-based verification. Now that knowledge-based verification
is no longer effective, remote identity proofing calls for research on
brand new methods of identification. By asking for no less that five
alternatives to remote identity proofing, the DHS solicitation issued
what promised to be a most stimulating challenge.
We applied for the SBIR grant and were gratified to receive it and be
able to take up the challenge. We are now half-way through the six
month project. When we are a little further along we plan to start a
series of blog posts where we will share the new ideas that the
project has generated and ask for feedback.