Can Identity Proofing Eventually Replace Authen?

Session Topic: ''' Can Identity Proofing Eventually Replace Authen? '''

Thursday 1 I

Convener: Rick K (NetIQ)

Notes-taker(s): Kirk Brown

 Tags for the session - technology discussed/ideas considered: Identity, Proofing, personas, contextual

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Identity Proofing Definition – The “Who” of Identity. Public or semi-public context-based attributes. Proofing means comparing the risk of who the user claims to be against the risk to the resource, in order to determine the appropriate authentication level and form/process, as well as the appropriate access (continuous, or just once).

The value is ease of use for the end user and reduced risk, with less need for layers of Authn.

Who you say you are? – prove it!

And prove it within a particular context based on risk levels of access.

Two step Authentication:
 * 1st Step – Who are you? Or who do you say you are?
 * 2nd Step – Prove it by ….

Why would I ask a user to prove something?

The user tells you who they are. Then you proof it (step 1). Then determine the strength of proofing needed (step 2).

Would you treat an existing user differently? No, always assume it is a new user unless the user asks you to remember them.

Authentication vs ID Proofing

These are all Authentication (adaptive, risk-based, step up).

At HP the user says “Here I am” and the provider responds “Are you allowed to be here?”

But there are some providers who don’t care, like loyalty cards (Safeway, CVS, etc.).

They don’t check your driver’s license (step 2). In reality, nobody cares.

Identity Proofing is more about “Who you are not”.

Identity Proofing types:
 * 1. Knowledge based – focused on the person. What’s your mother’s maiden name, etc.
 * 2. Attribute mashup – determines who I am. Like my AD group, personal data, context at that moment, etc.
 * 3. Out-of-band – using data that is not normal. Such as banks use for fraud detection. You are asked to call back when activity breaks policy.

Most of these attributes the user has no control over. What if the user could choose their own proofing?

Example:

Make it easier to allow a student to pay tuition. Sally’s grandmother wants to pay her tuition. Typical systems would force the grandmother to register and be associated with Sally.

Why should grandma need to prove herself to give someone money? Who cares?

Sally defined the context and defined the security policy.

Grandma used her Facebook ID. OAuth was used to define the attributes of the token.

Should Sally have control and define her own Authn policies?
 * Historic Process – Register + Sign In + Authn
 * Identity Proofing – User defines the authn policy, attributes and ID Proofing type.

Analogy – Amazon shopping. A new user can show up as a “guest” on Amazon and add products to their shopping cart. They can leave the site and come back days later, and their context and shopping cart are as they left them; Amazon remembers. Only when the user decides to “checkout” and make the purchase does Identity Proofing occur.

Implementation Ideas

The current method needs to be more circular. Possibly a policy engine that can issue a token based on user-created policy. UMA tries to solve some of this.
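As an added sketch (not from the session, and not UMA or any product's code), here is the kind of user-defined policy engine discussed above, applied to the tuition example: Sally writes the policy for actions on her account, the engine scores the proofing evidence presented (grandma's OAuth social login carrying an email claim) against the risk of the requested action, and either issues a scoped token or asks for step-up. The proofing strength scores, action names and claim names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assurance contributed by each proofing type. Scores are constructed for this example
# (an assumption), loosely ordered after the three proofing types named in the notes.
PROOFING_STRENGTH = {"social_login": 1, "knowledge": 1, "attribute_mashup": 2, "out_of_band": 3}

@dataclass
class Evidence:
    """What the requester presented: proofing steps completed and claims in the token."""
    kinds: Set[str]
    claims: Dict[str, str] = field(default_factory=dict)

@dataclass
class OwnerPolicy:
    """Written by the resource owner (Sally): per action, minimum assurance and required claims."""
    min_assurance: Dict[str, int]
    required_claims: Dict[str, Set[str]] = field(default_factory=dict)

def assurance(evidence: Evidence) -> int:
    return sum(PROOFING_STRENGTH.get(kind, 0) for kind in evidence.kinds)

def decide(policy: OwnerPolicy, action: str, evidence: Evidence) -> Tuple[bool, str]:
    """Proof the requester against the risk of the action. Every caller is treated as a
    new user, and an action the owner wrote no policy for is denied."""
    if action not in policy.min_assurance:
        return False, "no policy for action"
    missing = sorted(policy.required_claims.get(action, set()) - set(evidence.claims))
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    have, need = assurance(evidence), policy.min_assurance[action]
    if have < need:
        return False, f"step up required: assurance {have} < {need}"
    return True, "ok"

def issue_token(policy: OwnerPolicy, action: str, evidence: Evidence) -> Optional[dict]:
    """Policy engine output: a token scoped to one action, or None when proofing fell short."""
    allowed, _ = decide(policy, action, evidence)
    return {"action": action, "assurance": assurance(evidence)} if allowed else None

# Constructed sample: Sally lets anyone with an email claim pay her tuition, while viewing
# her grades needs out-of-band proofing and her student id.
SALLY_POLICY = OwnerPolicy(min_assurance={"pay_tuition": 1, "view_grades": 3},
                           required_claims={"pay_tuition": {"email"}, "view_grades": {"student_id"}})
# Grandma arrives with nothing but an OAuth social login carrying an email claim.
GRANDMA = Evidence(kinds={"social_login"}, claims={"email": "grandma@example.com"})
```

Note that the engine never asks who grandma is beyond what the action's risk requires; the stronger proofing is reserved for Sally's own high-risk actions.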

Problems & Challenges

Persona mapping is difficult via a policy engine.

Identity Proofing Value

Replace authentication with Identity Proofing.