This is Part 1 of a series of posts presenting results of a project sponsored by an SBIR Phase I grant from the US Department of Homeland Security. These posts do not necessarily reflect the position or the policy of the US Government.
We have just published a paper on the first of five remote identity proofing solutions, which we have identified as possible alternatives to knowledge-based verification in the course of the research project mentioned in the previous post. The paper describes in detail a new type of credential, which we call a rich credential, that could be issued by an identity source such as a DMV and would enable multifactor identity verification by a remote verifier. In this post I will try to explain the motivations that led us to come up with the concept of a rich credential as the basis of Solution 1.
In-person identity proofing typically relies on the presentation of a picture ID, such as a driver’s license or a passport, as the primary evidence of identity, supplemented by secondary evidence from different identity sources, such as proof of ownership of utility, financial or mobile accounts and address verification. Remote presentation of the secondary evidence is not much of a problem, so in the project we have focused on replacing the picture ID with other kinds of primary evidence that can be presented remotely.
To find techniques for remote identity proofing it makes sense to look at techniques used for authentication, which is typically performed remotely. In authentication, the gold standard is for the subject to present three authentication factors (or factor categories): something that the subject has, such as a device containing a private key; something that the subject knows, a password; and something that the subject “is”, one or more biometric features. In the context of remote identity proofing we shall refer to such factors as verification factors rather than authentication factors.
But there is an essential difference between authentication and remote identity proofing. In remote identity proofing, there is no prior relationship between the subject and the verifier. The subject of a remote identity proofing event cannot have previously registered a password nor enrolled a biometric sample with the verifier.
This difficulty could be circumvented by using a two-stage verification process which is becoming popular for authentication. In a first stage, the subject could present a password and/or a biometric verification factor to a device such as a smart phone to enable the use of a certified key pair, i.e. a public key certificate and its associated private key, contained in the device. In a second stage, the device could then prove knowledge of the private key to the remote verifier. (A commonly used special case of this two-stage process is to use a fingerprint to unlock a smart phone containing a certified key pair that is used to establish a VPN connection.) The difficulty is circumvented because the subject can register a password and/or enroll a biometric sample with the device, and possession of a certified key pair is the one verification factor that is designed to be presented to a remote verifier with which the subject has no prior relationship.
But while this two-stage process may be suitable for authentication, it is suboptimal for remote identity proofing, because it is exposed to numerous pitfalls. Suppose that the device is a smart phone that can be unlocked using a fingerprint sensor. The subject may choose not to lock the phone. Or an adversary may be able to capture the phone while unlocked. Or the subject may have a phone with insufficient security, and the adversary may be able to unlock the phone, extract the private key from the phone while it is locked, or tamper with the fingerprint sensor. Or malware may be able to capture the private key.
In Solution 1 we achieve the three-factor verification standard while avoiding the pitfalls of two-stage verification by using a rich credential. As described in more detail in the paper, a rich credential makes it possible to present all verification factors to a remote verifier without a prior relationship between the subject and the verifier. This is achieved by including verification data for one or more biometric modalities in the credential, in addition to a key pair, subject attributes, and a signature by the issuer on a hash computed from data including the attributes, the public key, the biometric verification data, and the password.
A rich credential also has significant privacy features. It may include both revocable and non-revocable biometric modalities, and it provides selective disclosure of attributes and selective presentation of verification factors. This is achieved by applying the issuer’s signature to data including the root label of a typed hash tree, a new data structure defined in Section 5 of the paper, which provides omission-tolerant integrity protection.
Solution 1 uses a rich credential issued by a DMV and containing as biometric verification data a facial image of the subject, which may be the same image that serves as the digital source of the photo printed on the subject’s physical driver’s license. The rich credential is stored by the DMV in the subject’s browser, where it can only be accessed by the JavaScript front-end of a credential-issuance web app of the DMV, and is presented to the verifier by a service worker registered with the browser by the DMV front-end without any involvement by the DMV back-end. The browser submits to the verifier a rich certificate that is a component of the rich credential, a salted hash of a password that was previously submitted to the issuer and is covered by the issuer’s signature, and a proof of knowledge of the private key component of the rich credential. The subject uses a native app in the same or a different device than the one where the browser is running to submit an audio-visual stream of himself or herself reading a prompted text randomly selected or generated by the verifier with high entropy. The verifier matches the face in the video channel to the facial image in the rich certificate, uses speech recognition on the audio channel to verify that the subject is reading the text that was prompted, and verifies the synchrony between the audio and video channels by tracking lip movement and time-correlating distinguishable visemes to corresponding phonemes.
A physical driver’s license used for in-person identity proofing provides two verification factors, possession of the physical license and matching of the subject’s face to the photo on the license, while a rich credential provides three factors: possession of the credential, knowledge of the password, and matching of the subject’s face in the audio-visual stream to the facial image in the credential. And a physical driver’s license can be forged, while a rich credential cannot be. Therefore a rich credential issued by a DMV would provide stronger assurance of identity for remote identity proofing than a physical driver’s license does for in-person proofing.
See also:
- The Remote Identity Proofing page, with links to other materials related to the project.