Remote Identity Proofing

Identity proofing is the process of verifying the identity of a person, who is referred to as the subject of the proofing. The term may have originated with the Electronic Authentication Guideline, NIST SP 800-63 (current version SP 800-63-2, next version SP 800-63-3 in preparation).

Remote identity proofing is therefore the process of verifying the identity of a person by interacting with the person remotely, i.e. over the Internet. Today it is typically carried out by a technique known as Knowledge-Based Authentication (KBA) or, more appropriately, Knowledge-Based Verification (KBV), where a verifier asks the subject of the proofing multiple-choice questions such as “which of the following zip codes have you resided in during the last five years?”. KBV, however, has become ineffective due to the large troves of personally identifiable information (PII) captured by criminals in several security breaches over the last few years, and the large amounts of PII that can be found in social networks. Also, KBV is a very bad thing for privacy, since it relies on databases of PII collected and held by the verifiers, whose mere existence is a privacy intrusion, and which may fall into the hands of criminals in future security breaches. Better ways of performing remote identity proofing are needed.

Remote identity proofing is mostly used today by Government agencies to identify applicants for services. But a secure and privacy-respecting method of remote identity proofing could have many useful applications in the private sector as well, in situations where correct identification over the Internet is essential for security or privacy reasons. It could be used for remote execution of transactions such as opening a bank account or applying for a mortgage. It could be used for enrolling in professional organizations or being hired by a company with a geographically distributed workforce. It could be used by a doctor to obtain the medical records of a patient who needs treatment while traveling, or by a patient to access his or her own records.

We have conducted a six-month research project whose goal was to identify alternatives to KBV for remote identity proofing. There had not been much work on remote identity proofing before that, most recent work on Internet identity having focused instead on authentication, which crucially differs from identity proofing in that the subject of authentication has a prior relationship with the verifier while the subject of identity proofing may not have one. This gave us room to innovate, which we took advantage of.

Among other innovations:

  • We invented a kind of credential, which we call a rich credential, that enables three-factor identification of a subject to a remote verifier with something that the user has (a private key), something that the user knows (a password) and something that the user “is” (a biometric trait), even if the subject has no prior relationship with the verifier.
  • We invented a method of asserting credentials on a blockchain with on-chain storage and backing them with a Public Key Infrastructure (PKI) implemented on the blockchain, in a manner that enables revocation checks without using Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) queries.
  • We invented techniques for using Near-Field Communication (NFC) for remote identity proofing by repurposing existing NFC payment or identity hardware tokens originally intended for in-person transactions.
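The following is an added example, not code from the project described above, that illustrates the idea behind the first bullet: an issuer binds all three factors into one signed credential, so a verifier that has never seen the subject before can check "has", "knows" and "is" with nothing but the issuer's public key. The credential layout, the salted-hash password commitment, the hash-committed biometric template with a Hamming-distance matcher, and the use of Lamport one-time signatures (chosen only to keep the example dependency-free) are all assumptions of this example and are not the rich credential design of the original authors.

```python
"""Illustrative three-factor credential check (constructed example, not Pomcor's design).

Assumed layout: the issuer signs a body binding (1) a subject public key [HAS],
(2) a salted hash of a password [KNOWS], (3) a hash of an enrolled biometric
template [IS]. The verifier trusts only the issuer's public key.
"""
import hashlib
import hmac
import json
import secrets

BIO_THRESHOLD = 8  # constructed tolerance: accept up to 8 differing bits out of 128


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


# --- Lamport one-time signatures: stand-in for ECDSA/Ed25519 to stay stdlib-only.
# A Lamport key must never sign two different messages; each key here signs once.
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(x0), H(x1)] for x0, x1 in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, msg: bytes):
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


def pk_fingerprint(pk) -> bytes:
    return H(*[x for pair in pk for x in pair])


def _encode(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_credential(issuer_sk, subject_pk, password: str, template: bytes) -> dict:
    """Issuer side: commit to all three factors and sign the commitments."""
    salt = secrets.token_bytes(16)
    body = {
        "subject_key": pk_fingerprint(subject_pk).hex(),  # HAS
        "pw_salt": salt.hex(),
        "pw_commit": H(salt, password.encode()).hex(),     # KNOWS
        "bio_commit": H(template).hex(),                   # IS
    }
    return {"body": body, "issuer_sig": lamport_sign(issuer_sk, _encode(body))}


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify_proofing(issuer_pk, cred, challenge, subject_pk, challenge_sig,
                    password, enrolled_template, fresh_sample):
    """Verifier side: every input except issuer_pk comes from the subject's device."""
    body = cred["body"]
    checks = {
        "issuer_sig": lamport_verify(issuer_pk, _encode(body), cred["issuer_sig"]),
        "has": pk_fingerprint(subject_pk).hex() == body["subject_key"]
        and lamport_verify(subject_pk, challenge, challenge_sig),
        "knows": hmac.compare_digest(
            H(bytes.fromhex(body["pw_salt"]), password.encode()).hex(), body["pw_commit"]),
        "is": hmac.compare_digest(H(enrolled_template).hex(), body["bio_commit"])
        and hamming(enrolled_template, fresh_sample) <= BIO_THRESHOLD,
    }
    return all(checks.values()), checks


def demo() -> dict:
    """Runs the exchange on constructed data; returns which scenarios the verifier accepts."""
    issuer_sk, issuer_pk = lamport_keygen()
    subject_sk, subject_pk = lamport_keygen()
    enrolled = bytes(range(16))  # constructed 128-bit "template"
    cred = issue_credential(issuer_sk, subject_pk, "correct horse battery", enrolled)

    challenge = secrets.token_bytes(32)        # fresh nonce chosen by the verifier
    sig = lamport_sign(subject_sk, challenge)  # device proves possession of the private key
    fresh = bytearray(enrolled)
    for i in (0, 5, 9):                        # live sample: three bits of sensor noise
        fresh[i] ^= 0x01
    fresh = bytes(fresh)
    impostor = bytes(b ^ 0xFF for b in enrolled)  # every bit differs from enrolled

    # Attacker swaps in a commitment to their own password; issuer signature no longer matches.
    tampered = {"body": dict(cred["body"]), "issuer_sig": cred["issuer_sig"]}
    tampered["body"]["pw_commit"] = H(bytes.fromhex(cred["body"]["pw_salt"]), b"attacker-pw").hex()

    def run(pw, sample, credential=cred):
        return verify_proofing(issuer_pk, credential, challenge, subject_pk, sig,
                               pw, enrolled, sample)[0]

    return {
        "genuine": run("correct horse battery", fresh),
        "wrong_password": run("wrong", fresh),
        "impostor_biometric": run("correct horse battery", impostor),
        "tampered_credential": run("attacker-pw", fresh, tampered),
    }
```

The point to notice is what the verifier stores: nothing about the subject. The PII-laden databases that make KBV a privacy liability are replaced by commitments carried in the credential itself, and the challenge nonce means a captured response cannot be replayed against a later session.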

At the end of the project we published our results in the following blog posts:

and technical reports:

See also: