TECHNOLOGY AREAS: Identity, Fraud, and Cybersecurity
OBJECTIVE: Design and demonstrate the feasibility of high assurance alternatives to knowledgebased verification techniques for population scale remote identity proofing.
DESCRIPTION: The vast majority of organizations remotely identity proof an individual using a Knowledge Based Verification (KBV) or Knowledge Based Authentication (KBA) technique; i.e., by asking them “secret” questions that only they can supposedly answer to prove their identity.
As shown by the recent Internal Revenue Service (IRS) data breach, KBV is broken and rapidly becoming less effective as a verification tool as a by-product of the availability of personal information on social media as well as the variety of data breaches of credit bureaus and data brokers. This availability of personal information has led to situations where answers to these “secret” questions can easily be discovered with a minimal level of effort by a determined fraudster who can then use that information to impersonate an individual.
At a high level, identity proofing of an individual is a three step process consisting of (1.) identity resolution (confirmation that an identity has been resolved to a unique individual within a particular context, i.e., no other individual has the same set of attributes), (2.) identity validation (confirmation of the accuracy of the identity as established by an authoritative source) and, (3.) identity verification (confirmation that the identity is claimed by the rightful individual).
This SBIR topic is focused on investigating identity verification alternatives to KBV/KBA that provide varying levels of assurances of identity for remote identity proofing. Potential techniques to be explored include, but are not limited to, biological or behavioral characteristic confirmation - a process that compares biological (anatomical and physiological) characteristics in order to establish a link to an individual where facial photo comparison, trusted referee confirmation - a process that relies on a trusted referee to establish a link to an individual (guarantors, notaries and certified agents are examples of trusted referees), and physical possession confirmation - a process that requires physical possession or presentation of evidence to establish an individual’s identity.
PHASE I: Identify and define five or more non-KBV/KBA approaches that exist in practice and in theory to establish a link between a particular set of data and an individual. Perform an analysis to determine the technical feasibility of each approach as well as the threats and potential mitigations for each approach.
PHASE II: Analyze and rank the approaches, or combination of approaches, identified in Phase I based on the assurances of identity they provide.
In addition, to the extent feasible, provide a mapping to the levels of identity assurances as articulated by standards organizations such as International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST). Provide an analysis of the various approaches that take into account identity assurance, data privacy, and user experience. Using data from the analysis, develop, demonstrate, and validate the most promising approaches that provide the best combination of identity assurance, privacy and user experience via a prototype using existing standardized identity protocols such as Security Assertion Markup Language 2.0 (SAML 2.0) or OpenID Connect / OAUTH2.
PHASE III: COMMERCIAL OR GOVERNMENT APPLICATIONS: Potential Homeland Security Enterprise (HSE) Applications of this technology include all digital services delivered by government to its citizens, employees or partners that require remote identity proofing.
Commercial applications include all high assurance applications requiring proof of identity.
- Office of Management and Budget. E-Authentication Guidance for Federal Agencies (OMB-MO4-O4) http://csrc.nist.gov/drivers/documents/m04-04.pdf
- NIST, Electronic Authentication Guideline (NIST SP-800-63-2) http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
- ISO/IEC 29115: Information technology -- Security techniques -- Entity authentication assurance framework http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45138
- IRS Statement on the “Get Transcript” Application. (May 26, 2015). Retrieved from: https://www.irs.gov/uac/Newsroom/IRS-Statement-on-the-Get-Transcript-Application
KEY WORDS: identity, proofing, Knowledge Based Verification, KBV, Biometrics
TECHNICAL POINT OF CONTACT: Anil John, 202-254-8789, email@example.com