Pomcor

Remote Identity Proofing

Identity proofing is the process of verifying the identity of a
person, who is referred to as the subject of the proofing. The
term may have originated with the Electronic Authentication
Guideline, NIST SP 800-63 (current version
SP 800-63-2,
next version
SP-800-63-3 in
preparation).

Remote identity proofing is therefore the process of verifying
the identity of a person by interacting with the person remotely,
i.e. over the Internet. Today it is typically carried out by a
technique known as Knowledge-Based Authentication (KBA) or, more
appropriately, Knowledge-Based Verification (KBV), where a verifier
asks the subject of the proofing multiple choice questions such
as “which of the of the following zip codes have you resided
in during the last five years?”. KBV, however has become
ineffective due to the large troves of personally identifiable
information (PII) captured by criminals in several security breaches
over the last few years, and the large amounts of PII that can be
found in social networks. Also, KBV is a very bad thing for privacy,
since it relies on databases of PII collected and held by the
verifiers, whose mere existence is a privacy intrusion, and which may
fall into the hands of criminals in future security breaches. Better
ways of performing remote identity proofing are needed.

Remote identity proofing is mostly used today by Government agencies
to identify applicants for services. But a secure and
privacy-respecting method of remote identity proofing could have many
useful applications in the private sector as well, in situations where
correct identification over the Internet is essential for security or
privacy reasons. It could be used for remote execution of
transactions such as opening a bank account or applying for a
mortgage. It could be used for enrolling in professional
organizations or being hired by a company with a geographically
distributed workforce. It could be used by a doctor to obtain the
medical records of a patient who needs treatment while traveling, or
by a patient to access his or her own records.

We have conducted a
six-month research
project whose goal was to identify alternatives to KBV for remote
identity proofing. There had not been much work on remote identity
proofing before that, most recent work on Internet identity having
focused instead on authentication, which crucially differs from
identity proofing in that the subject of authentication has a prior
relationship with the verifier while the subject of identity proofing
may not have one. This gave us room to innovate, which we took
advantage of.

Among other innovations:

  • We invented a kind of credential, which we call a
    rich credential, that
    enables three-factor identification of a subject to a remote verifier with
    something that the user has (a private key), something that user knows
    (a password) and something that the user “is” (a biometric
    trait) even if the subject has no prior relationship with the
    verifier.
  • We invented a method of asserting credentials on a blockchain with
    on-chain storage and backing them with a
    Public Key Infrastructure
    (PKI) implemented on the blockchain    , in a manner that enables
    revocation checks without using Certificate Revocation Lists (CRLs) or
    Online Certificate Status Protocol (OCSP) queries.
  • We invented techniques for
    using Near-Field
    Communication (NFC) for remote identity proofing     by repurposing
    existing NFC payment or identity hardware tokens originally intended
    for in-person transactions.

At the end of the project we published our results in the following
blog posts:

and technical reports:

See also: