NIST wants help building the one ID proofing system to rule them all

The U.S. government wants to solve the weaknesses in online ID proofing systems, but it needs the help of enterprise and security professionals in order to overcome privacy concerns and other issues.

San Francisco -- The U.S. government is trying to build the perfect online identity proofing system for the government and the private sector, but has also admitted that it needs the help of enterprise and security professionals to succeed in that goal.

At the 2015 RSA Conference, Paul Grassi, senior standards and technology advisor for the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce, said that the impetus for the ID proofing system that NIST is attempting to create is Executive Order 13681, which calls for multifactor authentication and "an effective identity proofing process" for citizens attempting to access personal data from government agencies. There are challenges facing the project, however.

According to co-presenter Chi Hickey, director of ICAM technology and procurement for the U.S. General Services Administration, the aim of any ID proofing system is to prove someone's identity using three methods: 1) identity resolution, or uniquely identifying people who share the same name through the use of other attributes (address, date of birth, and the like) from so-called authoritative sources; 2) identity validation, or certifying those attributes as accurate; and 3) identity verification, or confirming this information is being attributed to the correct person, usually through the use of knowledge-based authentication (KBA), like the subject's mother's birthday, or biometric data.

Grassi said that the ultimate aim is to design a system that anyone can use, and that would include potentially opening up attribute data from authoritative sources. That is where challenges arise.

Opening up authoritative data

"There is some conversation around opening up some of our authoritative sources," Grassi said, "so it's clear that the attribute values that are used to improve or at least assert some of the confidence about the person on the other end of the transaction are coming from authoritative sources. But some of that opening up is going to require law; a White House policy can't do that."

There are a number of ways that ID proofing systems can have issues, Grassi said. For instance, many answers to KBA questions can be found online now, making it easier to impersonate someone. Additionally, different agencies may disagree on the strength of questions asked to pass KBA or if ID data should be kept or deleted.

Grassi said that NIST is attempting to build a system on, which would be an identity proofing hub. This would mean that a broker ( in this case) would provide identity proofing and secure connections between customer sign-in partners (CSPs) like Google, PayPal, and Yahoo and relying parties, which would be government agency sites at first.

Grassi said that the idea is "connect once, get access to many," but that this design has the inherent risk of giving one major entity potential access to personal data.

The system also has numerous potential threat vectors that must be secured against. For instance, guarantees must be established that any attribute data used to resolve identity is completely hidden from all involved (CSPs, broker and relying parties) and that encryption cannot be bypassed either through the use of public keys or an "honest-but-curious broker."

Not for government use only

Grassi said NIST wants to enlist the help of enterprise and security professionals, because the government wants this architecture to be used by the private sector as well.

"We do not want to pretend we're special. We do not want to just buy this capability because we're the government and we have the purchasing power to do so. We'd like to see the industry adopt something like this," Grassi said. "We want to do something that's open, that's adopted in market, that we're not paying for just because we're the government, and we want to make sure that what we're doing is actually leveraged out there in the private sector as well."

To that end, NIST has reopened its Electronic Authentication Guideline (SP-800-63-2) for comments. Questions and comments are due by May 22, 2015.

Dig Deeper on Security operations and management