Identity Assertion, Person Proofing and Registration

Electronic Signature Implementation Requirements

(from policy directive 32-110)
1. The implementation of an e-signature system must contain some form of technical non-repudiation services to protect the reliability, authenticity, integrity, and usability, as well as the confidentiality, and legitimate use of the electronically-signed information.
2. The technical non-repudiation services (required in number 1 above) should tie the electronic transaction to the individual or entity in a legally-binding way.
...

Introduction

The requirement to identify and authenticate a particular person establishes a need for an initial person proofing and registration process and an authentication process to support an identity assertion implied in each eSignature transaction. An identity assertion is a statement asserting a subject's identity. Person proofing, also known as identity proofing, is the process of establishing a person's identity to a known level of confidence. Registration, also known as enrollment, is the process of applying person proofing procedures and issuing or registering electronic identity credential(s). Delivery of credentials puts the electronic credentials in the custody of the registrant.

Identity Assertion

An identity assertion is a statement asserting a subject's identity; for example, "I am Elvis Presley" or "he is Elvis Presley." Discretion or due diligence in acceptance of identity assertions normally depends on context. It is normal to exercise more discretion when accepting an identity assertion about a prospective employee than when making introductions at a social event. Our interest in identity assertions is based on the requirement to identify and authenticate a particular person as the source of the electronic message. Due diligence in accepting the identity assertion may vary depending on the content and context of the electronic message; however, we can assume that for government transactions some proof, or authentication, will be required.

In the electronic transaction arena it is standard practice to exercise due diligence about a subject's self-identity assertion infrequently (usually just once). After establishing a known level of confidence in the self-identity assertion (through person proofing or identity proofing - see below), electronic credential(s) are created and/or registered and delivered into the custody of the registrant. Then in future transactions, the registrant can present those electronic credentials, and the identity system can authenticate those credentials and produce a third-party identity assertion. (Because he has presented electronic credentials that the identity system authenticated as credentials registered to Elvis Presley, the identity system makes the identity assertion that he is Elvis Presley.)

For a more thorough discussion see The Identification Process Deconstructed.

Person Proofing or Identity Proofing

Person proofing, also known as identity proofing, is the process of establishing a person's identity to a known level of confidence. For example, when/if the Real ID Act of 2005 is fully implemented, before issuing a driver license a state shall require the presentation and verification of a photo identity document (except that a non-photo identity document is acceptable if it includes both the person's full legal name and date of birth), documentation showing the person's date of birth, proof of the person's social security account number (SSN) or verification that the person is not eligible for an SSN, and documentation showing the person's name and address of principal residence.

Person proofing can be done in person or electronically. With in-person person proofing it is feasible to compare a photograph (e.g. a driver license photo or some other trusted identity document) with the person registering. It is also feasible to consider a wide variety of documentation (for example, residence could be established by tax records, rent or utility receipts, lease agreements, etc.). It is feasible to examine identity documents for subtle signs of authenticity or forgery. However, few fishery management processes actually require presentation of photo ID or birth certificates, and even fewer fisheries service employees are trained in examining identity documents. For applications which require high standards of person proofing, the U.S. Postal Service offers In-Person Proofing at Post Offices as part of its Electronic Postmark program. In the In-Person Proofing at Post Offices program the people examining identification documents have the same training as those examining U.S. passport applications.

Registration

Registration, also known as enrollment, is the process of applying person proofing procedures and issuing or registering electronic identity credential(s) that will, when authenticated in future transactions, result in a third-party identity assertion. (Because he has presented electronic credentials that the identity system authenticated as credentials registered to Elvis Presley, the identity system makes the identity assertion that he is Elvis Presley.) The significant design decision related to registration concerns the form of credentials to be issued and/or registered. Credentials may be as simple as a personal identification number (PIN), as ubiquitous as a username and password pair, or as sophisticated as a smart card with retinal scan biometrics and one-time-password generation.

Delivery of Credentials

Delivery of credentials puts the electronic credentials in the custody of the registrant. Whatever form credentials take, they must be delivered securely to ensure that they get to the registered party and only to the registered party. When the credentials consist of a username and password, delivery is typically part of the online registration transaction. Confidence in the identity system may be augmented by delivering credentials to an address-of-record established independently and prior to the electronic person proofing process.

e-Authentication

Most electronic identity and eSignature systems accommodate electronic person proofing, registration, and credential delivery (also known as e-Authentication). According to NIST, e-authentication systems are commonly based on knowledge of shared secrets (knowledge-based authentication). For example, IRS e-File authenticates an individual by knowledge of the person's date of birth and adjusted gross income from their prior-year return. Shared secrets that exist and are already known to the registrant are most convenient, but confidence in a person's identity may be augmented by creating a new shared secret unique to the registration process and sending that shared secret to the registrant by traditional letter or email. (This strategy is frequently employed for online consumer banking. The customer first completes a web form specifying an account number and requesting online banking credentials. The bank then sends a letter containing an activation code to the address of record for the account. The customer can then use the activation code to enable delivery of the requested online banking credentials.)
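The activation-code flow just described, together with the earlier point that an authenticated credential lets the identity system make a third-party identity assertion, can be modelled end to end. The following is an added example written for this page; it is not code from the page, from NIST, or from any agency or bank. The account records, the "Elvis Presley" subject, the postal address, the ten-day code validity and the three-attempt limit are all constructed assumptions; the point is the sequence (knowledge-based claim, code mailed to a pre-existing address of record, single-use redemption, credential authentication producing an assertion) and the handling of the failure cases (wrong secret, wrong or reused code, expired code, too many attempts).

```python
"""Worked model of the activation-code registration flow described above.

Constructed example, not code from the page or any agency or bank system.
All account data, names and addresses are made up for illustration.
Stages: (1) knowledge-based claim, (2) activation code sent to the
address of record established before this transaction, (3) redemption of
the code issues credentials, (4) authenticating those credentials yields
a third-party identity assertion made by the system, not the registrant.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 10 * 24 * 3600   # assumption: a mailed code is valid for 10 days
MAX_REDEEM_ATTEMPTS = 3             # assumption: after three wrong codes the request is voided

# Constructed address-of-record data, established independently and before
# the online registration transaction.
ACCOUNTS = {
    "ACCT-1001": {"name": "Elvis Presley", "dob": "1935-01-08",
                  "postal_address": "3764 Elvis Presley Blvd (constructed)"},
}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stored code or password is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class IdentitySystem:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}       # account -> pending activation record
        self.credentials = {}   # username -> (salt, password hash, subject name)
        self.outbox = []        # simulated letters: (postal address, code)

    def request_registration(self, account: str, dob: str) -> bool:
        """Stages 1 and 2: check the shared secret, then mail an activation code."""
        rec = ACCOUNTS.get(account)
        # Same False for unknown account and wrong secret, so the response
        # does not confirm which accounts exist.
        if rec is None or not hmac.compare_digest(rec["dob"], dob):
            return False
        code = secrets.token_urlsafe(12)        # unpredictable, single-purpose secret
        salt = os.urandom(16)
        self.pending[account] = {
            "salt": salt,
            "hash": _hash_secret(code, salt),   # plaintext code is never stored
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((rec["postal_address"], code))  # stands in for the letter
        return True

    def redeem(self, account: str, code: str, username: str, password: str) -> bool:
        """Stage 3: expiring, attempt-limited, single-use redemption issues credentials."""
        p = self.pending.get(account)
        if p is None:
            return False
        if self.now() > p["expires"] or p["attempts"] >= MAX_REDEEM_ATTEMPTS:
            del self.pending[account]           # stale or abused request is voided
            return False
        p["attempts"] += 1
        if not hmac.compare_digest(_hash_secret(code, p["salt"]), p["hash"]):
            return False
        del self.pending[account]               # code is consumed on success
        salt = os.urandom(16)
        self.credentials[username] = (salt, _hash_secret(password, salt),
                                      ACCOUNTS[account]["name"])
        return True

    def authenticate(self, username: str, password: str):
        """Stage 4: authenticate the credential and return a third-party assertion."""
        entry = self.credentials.get(username)
        if entry is None:
            return None
        salt, digest, subject = entry
        if not hmac.compare_digest(_hash_secret(password, salt), digest):
            return None
        # The system, not the registrant, now asserts the identity.
        return {"subject": subject, "asserted_by": "identity system",
                "basis": "presented credential matches the one registered to the subject"}


def demo():
    """Run the whole flow once; returns the final assertion (or None on failure)."""
    ids = IdentitySystem()
    if not ids.request_registration("ACCT-1001", "1935-01-08"):
        return None
    _address, code = ids.outbox[-1]             # registrant reads the mailed code
    if not ids.redeem("ACCT-1001", code, "elvis", "correct-horse-battery"):
        return None
    return ids.authenticate("elvis", "correct-horse-battery")


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the activation code adds confidence only because the postal address was established before and independently of the online transaction: the code proves control of that address, which the knowledge-based claim alone does not. Storing only a salted hash of the code, expiring it, limiting attempts and consuming it on first use keep a leaked database or a guessed code from turning into issued credentials.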

Generally the alternatives that are least expensive, easiest to implement, and most convenient for the registrant are also the alternatives that provide the least confidence in the registrant's identity. The table below summarizes pertinent characteristics of some of the alternatives.

Process or Stage | Alternative | Confidence in Registrant Identity | Characteristics
--- | --- | --- | ---
Person Proofing | unsolicited PIN mailed to address of record | low | fast implementation; moderately expensive to implement (postage); moderately expensive to maintain; inflexible
Person Proofing | knowledge-based e-authentication | moderate | inexpensive to implement; moderately expensive to maintain; quick registration; limited selection of shared secrets; knowledge of secrets may not be unique
Person Proofing | knowledge-based authentication with activation code | considerable | moderate cost; moderate speed; complex multi-step process; delayed registration
Person Proofing | In-Person Person Proofing | highest | compare photo or physical description to person; consider a variety of documentation; examine documents for subtle signs; expensive for all parties; inconvenient; slow
Registration Credentials | PIN | low | inexpensive to issue and maintain; indicates lack of concern for registrant identity
Registration Credentials | username and password pair | moderate | inexpensive to issue; moderately expensive to maintain
Registration Credentials | Passfaces | high | moderately expensive to maintain; expensive to procure and implement; unfamiliar technology; no offline capability
Registration Credentials | PASSLOGY | high | moderately expensive to maintain; expensive to procure and implement; unfamiliar technology; offline use requires telephone
Registration Credentials | Public Key Infrastructure (PKI) Certificate | high | expensive and complex; credentials not easily portable; unfamiliar technology
Registration Credentials | token (smart card, USB, etc.) | very high | very expensive and complex; authenticates the device and not the person
Registration Credentials | token with knowledge | very high | very expensive and complex
Registration Credentials | token with biometric | highest | very expensive and complex
Delivery of Credentials | integral to registration transaction | moderate | convenient; inexpensive; quick registration; constrains the form of credentials
Delivery of Credentials | email to address of record | increased | complex multi-step process; delayed registration; constrains the form of credentials
Delivery of Credentials | postal mail to address of record | high | complex multi-step process; slow; delayed registration; no constraints on the form of credentials
Delivery of Credentials | registrant pickup | highest | expensive for all parties; inconvenient; slow; no constraints on the form of credentials