Last December we saw a Small Business Innovation Research (SBIR) Solicitation from the Department of Homeland Security (DHS) where topic H-SB016.1-010 called for identifying five or more alternatives to knowledge-based verification (KBV) for remote identity proofing. The topic was motivated by multiple data breaches, which, as stated in the Solicitation, showed that “KBV is broken and rapidly becoming less effective as a verification tool as a by-product of the availability of personal information on social media as well as the variety of data breaches of credit bureaus and data brokers”.
We found the topic very interesting for several reasons:
- In countries like the United States where residents do not have a national identity card, secure identity proofing is difficult but essential for cybersecurity.
- Effective methods of remote identity proofing would not only make it easier for residents to seek government services, but would also enable new ways of doing business, such as remotely opening a bank account or applying for a mortgage.
- Reducing the reliance on knowledge-based verification would reduce identity theft, mitigate its damage, and increase privacy by shrinking the market for personally identifiable information (PII). And,
- Remote identity proofing has been neglected as a research topic.
Identity management is today a hot topic, but most work in identity management focuses on authentication rather than identity proofing. Most authentication techniques require prior registration of the person to be authenticated, either with a service provider that requires authentication in order to provide a service, or with an identity provider that the service provider relies upon to authenticate the subscriber. Hence such techniques require a prior relationship between the subscriber and the party that performs the authentication. By contrast, in identity proofing the subject to be identified may have no prior relationship with the verifier that performs the proofing. Therefore most authentication techniques are not applicable to identity proofing.
Traditionally, identity proofing has been performed either in-person, relying primarily on a picture ID, or remotely, relying primarily on knowledge-based verification. Now that knowledge-based verification is no longer effective, remote identity proofing calls for research on brand new methods of identification. By asking for no fewer than five alternatives to knowledge-based verification for remote identity proofing, the DHS solicitation issued what promised to be a most stimulating challenge.
We applied for the SBIR grant and were gratified to receive it and be able to take up the challenge. We are now halfway through the six-month project. When we are a little further along we plan to start a series of blog posts where we will share the new ideas that the project has generated and ask for feedback.