By Kyle Kilcoyne • July 17, 2017

Demystifying NIST's Guidelines for Remote Identity Proofing

In 2014, a satirical piece in The New Yorker magazine featured a collection of fictionalized Facebook posts from a dog that used to be a person and claimed to have transformed inexplicably and to be trapped in a remote Vermont cabin. In the past few years, this story has become an icon of the internet, showing just how anonymous somebody can remain. A person can claim just about anything and people will ignore it, set it aside like nothing or, in some cases, perhaps believe it - see the 2016 presidential election.

This ability to hide behind a computer screen is funny in the case of a person playfully assuming their K9's identity via social media. After all, my Labrador has an Instagram. But it is downright dangerous for regulated industries, such as financial services and health care.

This is where the National Institute of Standards and Technology plays an important role. A unit of the Department of Commerce, the regulatory body has been working to refine its standards around digital identity to address the growing challenge of accurately verifying that a person online is, indeed, who they claim to be. This is not as simple as user authentication, which only assures that the individual possesses credentials associated with an account. Instead, it is a matter of definitively determining that a person accessing an electronic service is the same person as the name associated with the account.


NIST Standards in a Nutshell

The NIST 800-63-3 standards represent "Digital Identity Guidelines" designed to set a foundation for secure, accurate identity proofing and fraud prevention. In particular, the standards around Identity and Evidence Verification focus on allowing organizations to, when using digital channels, gather the necessary information to confirm a person's identity. They are meant to mitigate the inherent vulnerabilities of online services, and can be incredibly valuable in the correct context. Think of it this way - if you're a dog on Facebook, it doesn't really do any harm, but if you are a dog somehow making your way into financial services accounts, then that's a serious problem.

NIST is countering this issue with a set of standards built around the idea of assurance levels: tiers that define the degree to which a user needs to show evidence of identity. Two levels are central here:

IAL2: A level of identity assurance in which evidence confirms that the person associated with the account exists in the real world and is verified as being attached to this identity. This is what Confirm is able to perform through its digital ID authentication and facial recognition solution. We'll explain how below.

AAL2: A level of assurance designed to provide a high level of confidence that a claimant has control of the authenticators bound to a subscriber's account, typically through at least two distinct authentication methods.

All of these guidelines exist within the context of a restructured identity proofing model established by NIST to focus on digital identity verification, not just authentication.


Establishing a Framework for Digital Identity Verification

Obtaining identity assurance is a complex and difficult process that requires careful analysis of a variety of assets within a digital workflow. This can involve face scans, evaluation of government-issued IDs and similar identifiers to verify a person's identity. The challenge comes in doing this to a high degree of accuracy while also offering a positive user experience.

Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.

At Confirm, our industry-leading tools are aligned around NIST compliance requirements and are built with the end user in mind. We accomplish this through a combination of machine learning and process automation that can verify IDs without involving humans.

Understanding Core ID Verification Processes

The NIST standards include a variety of key changes, including new language around processes such as:

  • Enrollment and identity proofing (63A)
  • Authentication and lifecycle management
  • Permissible identity proofing, including new options for in-person proofing

Within these guidelines, many of the alterations being made by the National Institute of Standards and Technology center around the use of biometrics. NIST has overhauled its password guidance, removed secure authenticators and expanded its permissible use requirements around biometrics.

Taken together, these changes boil down to a common theme: NIST is working to ensure organizations do not use biometrics as an exclusive authenticator. Biometrics-only strategies are fraught with the potential for error and manipulation, and NIST is establishing standards to ensure companies put more effective, robust ID authentication policies in place.

Considering the Limitations and Potential Role of Biometrics

NIST has found that the biometric false match rate is high enough that the identification method is not up to the task of authenticating an individual - at least, not when used as the sole method of identity verification. On top of this, the false match rate doesn't account for spoofing attacks. Because of all this, biometrics should only be used as a "something you have" authenticator within a multi-factor authentication strategy.
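The two rules the article draws from the guidelines, that AAL2 needs two distinct factors and that a biometric never stands alone as an authenticator, are easy to get wrong in an access-control policy. The following is an added example, not Confirm's code and not a NIST reference implementation: a small policy evaluator that counts factor categories the way the article describes, plus the arithmetic behind the false match rate concern (an impostor's cumulative chance of a false match grows with every uncapped attempt, which is why a verifier caps consecutive biometric failures). The data shapes, function names, the cap of 5 attempts and the sample false match rate of 1 in 1000 are assumptions made for the example.

```python
"""Toy authentication-policy check modelled on the article's reading of
NIST SP 800-63-3. Added example: not Confirm's code and not a NIST
reference implementation. Factor categories, the two-distinct-factors rule
for AAL2 and the "biometric never counts alone" rule follow the article;
data shapes, names, the attempt cap and the sample FMR are assumptions."""
from dataclasses import dataclass

KNOWLEDGE = "something_you_know"
POSSESSION = "something_you_have"
INHERENCE = "something_you_are"    # biometrics

# Assumed policy constants (not values taken from the article).
MAX_BIOMETRIC_ATTEMPTS = 5
SAMPLE_FMR = 1 / 1000              # constructed false match rate for the worked figure


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str
    verified: bool


def effective_factors(authenticators):
    """Distinct factor categories that count toward assurance.

    A biometric only contributes when a possession factor (the registered
    device it is bound to) was also verified; on its own it is discarded.
    """
    ok = {a.factor for a in authenticators if a.verified}
    if INHERENCE in ok and POSSESSION not in ok:
        ok.discard(INHERENCE)
    return ok


def assurance_level(authenticators):
    """Map the verified factors to an AAL-style level: 0, 1 or 2."""
    n = len(effective_factors(authenticators))
    return 2 if n >= 2 else n


def cumulative_false_match(fmr, attempts):
    """Probability that at least one of `attempts` independent impostor
    comparisons is falsely accepted: 1 - (1 - FMR) ** attempts."""
    return 1.0 - (1.0 - fmr) ** attempts


class BiometricVerifier:
    """Counts consecutive biometric failures per subscriber and locks the
    biometric factor once the cap is hit, so the cumulative false-match
    probability stays bounded however many tries are made."""

    def __init__(self, max_attempts=MAX_BIOMETRIC_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = {}

    def locked(self, subscriber):
        return self.failures.get(subscriber, 0) >= self.max_attempts

    def record(self, subscriber, matched):
        """Record one comparison result; returns True only when accepted."""
        if self.locked(subscriber):
            return False
        if matched:
            self.failures[subscriber] = 0
            return True
        self.failures[subscriber] = self.failures.get(subscriber, 0) + 1
        return False


if __name__ == "__main__":
    # Constructed sessions for illustration.
    face_only = [Authenticator("face", INHERENCE, True)]
    device_and_face = [Authenticator("registered phone", POSSESSION, True),
                       Authenticator("face", INHERENCE, True)]
    pw_and_otp = [Authenticator("password", KNOWLEDGE, True),
                  Authenticator("otp app", POSSESSION, True)]
    for label, s in [("face only", face_only), ("device + face", device_and_face),
                     ("password + OTP", pw_and_otp)]:
        print(f"{label}: AAL{assurance_level(s)}")
    print(f"false-match risk after {MAX_BIOMETRIC_ATTEMPTS} tries: "
          f"{cumulative_false_match(SAMPLE_FMR, MAX_BIOMETRIC_ATTEMPTS):.4f}")
    print(f"after 1000 uncapped tries: {cumulative_false_match(SAMPLE_FMR, 1000):.3f}")
```

The design point is in `effective_factors`: a face match that is not tied to a verified possession factor contributes nothing, so a password-plus-face session lands at AAL1, not AAL2, and a face-only session at AAL0. The cap in `BiometricVerifier` is what keeps `cumulative_false_match` small; with the sample FMR it stays near 0.5% at five attempts but passes 60% at a thousand, and no FMR figure at all covers presentation (spoofing) attacks, which is the article's second point.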

The NIST "Know Your Customers" guidelines may seem daunting. They're certainly about doing more than just recognizing that your client isn't a dog. However, streamlined biometric analysis that can work alongside other authentication methods can reduce the complexity for security teams, developers and end users alike. This can transform ID verification tasks that may take minutes or hours and make them happen in a couple of seconds, creating a superior user experience while maintaining alignment with industry requirements.

Digital identity document authentication offers perhaps the greatest starting point because of its dual ability to authenticate secure documents - as part of a KYC document collection process - while also accelerating biometric enrollment. Because the face is already present on the government ID document, there is no separate enrollment step as with other biometric solutions. This is a huge time-saver and a key factor in decreasing signup abandonment.

At Confirm, our industry-leading tools are aligned around NIST compliance requirements and are built with the end user in mind. We have taken a modular approach to our product offering, allowing our customers to mix and match various components of our image capture and ID authentication software, conduct face scans, and perform advanced analysis of government-issued IDs and similar methodologies within a comprehensive authentication process.