Anakam Blog - Technical
Insights into Authentication, Identity Management and Trusted Access
Tuesday, June 8, 2010

Context-based Identity Proofing
by Brent Williams, Anakam CTO

What is identity?  Is your identity created when you register for school and build an academic record…in kindergarten, seventh grade, high school?  What about your identity when you get your drivers permit?  Do you tie your identity to your first bank accounts, your employment, your social networking?  Thinking about these questions brings to mind that what makes identity useful depends on why the identity is needed.  Additionally, the context and the level of risk associated with the wrong person getting to the data or systems being protected determine the appropriate level of verifying that an identity is real and tying it to a particular individual, i.e., identity proofing.

Context-based identity proofing acknowledges how an identity will be used and is tailored to meet the levels of risk associated with the identity and the transaction.  It builds from existing levels of trust already established within an industry vertical or a group within a circle of trust.

To conduct a remote identity proofing using context, an organization needs:

  • Basic biographic information – This information is used to resolve identity or create a unique identity – typically it should be: name, address, date of birth, and, in some cases, an additional identifier like a Social Security number.  This information should not be assumed to be secret; it isn’t.  However, it does establish uniqueness to drive the next steps of the process.
  • Knowledge-Based Authentication – This is the information used to reduce the risk that the person on the other end of the transaction is falsely claiming the identity, and includes demographic, financial, or other personal information from the individual’s life.  There is certainly risk in using this data, as by definition, it is known by somebody and aggregated somewhere.  Risk is reduced by maximizing the diversity of the data sources and the types of questions presented.
  • Context-based Authentication – This is the information that is specific to the context of the enterprise using the identity.  It can be derived from health history, banking history, or service history with the particular enterprise.  The information is usually contained within the enterprise, but it might also be held or tracked at the industry level (insurance, real estate, etc.).

In a context-based identity proofing scheme, when a person—Joe Smith—calls a taxation agency on the telephone to ask for information related to his tax return, the representative on the phone will ask a few questions to ascertain if Joe Smith is the person the representative is reviewing in her system.  She may ask for an address, date of birth, and also specific questions about the context, such as adjusted gross income for the prior year.  If the caller answers the questions correctly, the agency will provide personal and sensitive tax information about Joe Smith to the person on the phone.

Several people may legitimately have all the information used to proof the identity of Joe Smith in this context—his spouse, accountant, banker, loan officer.  Someone in that group who attempts to impersonate Joe Smith may well hold the data needed to do so, but only within that one context, so the access gained is limited to things about which they already have contextual knowledge.  Nevertheless, the number of people who can be expected to know this information is much smaller than the number of people who could be expected to know what sits in public databases.

A fraudster who gets access to financial information about Joe Smith would not be able to contact a healthcare provider and get Joe’s sensitive healthcare information, because they would not have the contextual knowledge used to proof the identity within the healthcare context.  The reverse is true as well: someone with information from his medical records could not get access to his bank account, even though he or she knows basic biographical data about Joe.
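To make the three-tier scheme from the list above and the tax-agency scenario concrete, here is a small policy evaluator written for this page (an added example, not Anakam's code). The question bank, the "Joe Smith" record and the callers are constructed sample data; the tier names, source names and thresholds are assumptions chosen to mirror the text: non-secret biographic data only resolves the record, KBA answers must come from distinct sources, and at least one answer must be specific to the enterprise's own context.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Question:
    qid: str
    tier: str          # "bio" (resolves the record), "kba" (general), or "context"
    source: str        # where the reference data lives; drives the KBA diversity rule
    context: str = ""  # for tier "context": the enterprise/industry it belongs to

@dataclass(frozen=True)
class Policy:
    context: str          # which enterprise context is doing the proofing
    min_kba: int = 2      # correct KBA answers required ...
    min_sources: int = 2  # ... drawn from at least this many distinct data sources
    min_context: int = 1  # context-specific answers required

def _match(given, expected):
    return given is not None and given.strip().lower() == expected.strip().lower()

def evaluate(policy, questions, truth, answers):
    """Apply the three-tier check in order; returns (passed, reason)."""
    correct = {q.qid: _match(answers.get(q.qid), truth[q.qid]) for q in questions}
    by_tier = lambda t: [q for q in questions if q.tier == t]
    # Tier 1: biographic data is not secret; it only establishes which record we mean.
    if not all(correct[q.qid] for q in by_tier("bio")):
        return False, "biographic data does not resolve to this record"
    # Tier 2: general KBA, with the diversity-of-sources rule from the text.
    kba_ok = [q for q in by_tier("kba") if correct[q.qid]]
    if len(kba_ok) < policy.min_kba or len({q.source for q in kba_ok}) < policy.min_sources:
        return False, "too few correct KBA answers, or too few distinct sources"
    # Tier 3: knowledge held only inside this enterprise's context.
    ctx_ok = [q for q in by_tier("context") if q.context == policy.context and correct[q.qid]]
    if len(ctx_ok) < policy.min_context:
        return False, f"no {policy.context}-specific knowledge shown"
    return True, f"proofed in context {policy.context}"

# Constructed sample question bank and record for the hypothetical "Joe Smith".
QUESTIONS = [
    Question("addr", "bio", "enterprise"), Question("dob", "bio", "enterprise"),
    Question("prior_employer", "kba", "credit_bureau"), Question("vehicle", "kba", "dmv"),
    Question("agi_last_year", "context", "irs", context="tax"),
    Question("last_clinic", "context", "provider", context="health"),
]
TRUTH = {"addr": "1 Main St", "dob": "1970-01-02", "prior_employer": "Acme",
         "vehicle": "sedan", "agi_last_year": "52000", "last_clinic": "Elm Clinic"}
# A caller who holds Joe's financial paperwork (e.g. his loan officer) but nothing medical.
FINANCIAL_CALLER = {"addr": "1 Main St", "dob": "1970-01-02", "prior_employer": "acme",
                    "vehicle": "sedan", "agi_last_year": "52000"}

def demo():
    """Same caller, two contexts: passes at the tax agency, fails at the healthcare provider."""
    tax = evaluate(Policy("tax"), QUESTIONS, TRUTH, FINANCIAL_CALLER)
    health = evaluate(Policy("health"), QUESTIONS, TRUTH, FINANCIAL_CALLER)
    return tax[0], health[0]
```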

The combination of biographical data, general KBA, and the specific context-based knowledge limits the number of people who have all the necessary information, and hampers those who are maliciously trying to gain access to another’s identity.  Context-based identity proofing can be another risk management tool for the enterprise.  The process of establishing initial trust with an individual – whether face-to-face or electronically – is complex and depends upon the acceptance of risks that are impossible to fully mitigate in today’s society.

Wednesday, May 26, 2010

Federation vs. Single Sign On
by Brent Williams, Anakam CTO
As mobile banking webs, cloud-based databases, and electronic transaction applications continue to proliferate, the knowledge of who has access to the system and who verified the user’s identity will be essential. The trust fabric between organizations needs to leverage identity proofing, professional credentialing, and authentication as part of a comprehensive approach to risk management.

Wednesday, April 21, 2010

Protecting Against Willful Compromise
by Brent Williams, Anakam CTO
A lock is easily opened when the owner gives the key to somebody else. This is true for gaining access to online accounts with passwords as well as second factor authentication tokens and smart cards. The act of token fraud may increase the likelihood of identity fraud, but it is fundamentally different from identity fraud, and different means of risk mitigation are needed to counter the fraud if it is a concern for the enterprise.

Tuesday, March 2, 2010

Understanding the Identity Lifecycle—Part 3
by Brent Williams, Anakam CTO
The identity lifecycle involves a series of different processes, each with its own essential role. These processes can be classified into identity creation and validation (sometimes also called “registration”), authentication, and identity change management. In this final installment in the series we will discuss how identities change and how the changes are managed over time.

Monday, February 22, 2010

Understanding the Identity Lifecycle—Part 2
by Brent Williams, Anakam CTO
The identity lifecycle involves a series of different processes, each with its own essential role. These processes can be classified into identity creation and validation, authentication, and identity change management. In Part 1 of this blog series we discussed how an identity is created and validated within the enterprise. In this post we will discuss how registered identities are used to gain access to systems, applications and data.

Tuesday, February 9, 2010

Understanding the Identity Lifecycle—Part 1
by Brent Williams, Anakam CTO
Terminology used in the marketplace for identity management solutions can be confusing. In some cases, the same word is used to refer to more than one element of the identity lifecycle; in other cases, a certain concept or process may be referred to by varying terms depending on the person speaking or the situation.

Friday, January 29, 2010

Multiple First Factor Questions Do Not Equal Multi-factor Authentication
by Robert Daugherty, Anakam Sr. Systems Engineer
The FBI recently reported that the surge of Automated Clearing House (ACH) fraud committed by criminals stealing the online banking credentials of small and midsize businesses has resulted in approximately $100 million in attempted losses. As these losses have been discovered and the online security practices at the banks or credit unions in question are examined, it has become apparent that there is cause for concern in the way multi-factor authentication schemes are implemented.

Tuesday, January 19, 2010

Authentication and "Defense-in-Depth"
by Jose Jimenez, Anakam Sr. Director, Systems Engineering
In all successful data security systems, the goal of the organization should be to combine multiple authentication strategies with the right combination of enterprise security solutions to better assure the organization that the user on the opposite end of the online transaction is the person the company expects to be executing that specific transaction.

Wednesday, January 13, 2010

PKI Is Not User Authentication
by Brent Williams, Anakam CTO
We need to take a fresh look at user identity and how electronic systems establish, validate, exchange, and trust identities as more and more transactions move to the Web, and the sensitivity of those transactions grows significantly. There are choices that need to be made about how a user is authenticated in a transaction that are separate from how the transaction itself is authenticated.

Tuesday, January 5, 2010

Federated: Identity or Search?
by Brent Williams, Anakam CTO
The differences between Federated Identity and Federated Search, and the best application of each, can sometimes be difficult to understand and apply. An enterprise truly needs to know what it is asking for and what it will get with each of the Federated solutions.
