This is the second post in our series on Identity Credentials. If you missed last month’s blog about unique identifiers and how they differ from identity credentials, you can start there if you like.
Let’s dig deeper into identity credentials and focus on one specific facet of identity credentials: identity proofing. What is it, why is it important, and what risks should we look out for when relying on identity credentials that involve identity proofing?
Why Are Digital Identity Credentials Important to Cybersecurity?
According to the 2022 Verizon Data Breach Investigations Report, identity credentials are the most frequently compromised type of data in North America (66%) [1]. Why are identity credentials such attractive targets for bad actors, given that they contain very little data by themselves?
There’s a famous cartoon in The New Yorker by Peter Steiner. In the cartoon, a dog is sitting at a computer while talking to another dog. The computer dog says, “On the Internet, nobody knows you’re a dog.” [2] If New Yorker cartoons aren’t your thing, you might be familiar with the Cybersecurity and Infrastructure Security Agency (CISA), which has stated:
“…identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary, and we need to start readdressing our infrastructures in that manner.” [3]
In other words, as far as a computer system is concerned, if you can prove that you possess something that only one person (or device) is supposed to have, then you get access to whatever that person (or device) is allowed to see. It’s that simple, which is exactly why the credential, not the network perimeter, is what attackers go after.
Introduction to Risk Category 2: Identity Fraud, Impersonation, and Misissuance
In the first post of this series, we considered Risk Category 1: making an innocent mistake by handing out a banquet badge to the wrong person because the person’s name and birthdate matched your records.
In contrast, Risk Category 2 assumes the person standing in front of you wants to steal credentials for a nefarious aim. There are at least three major types of attacks associated with this risk category, outlined below. We will address Risk Category 2 at greater depth in the next three blog posts of this series.
Attack #1: Identity Proofing Fraud
This is the scenario where the person standing in front of you is trying to fool you into thinking they are someone else. We will address it here in this blog post.
Attack #2: Impersonation
Our third blog post will focus on the scenario where the person in front of you has stolen someone else’s secret code to get meal tickets – an analogy that will make more sense when we address it.
Attack #3: Misissuance
The fourth blog will focus on a third scenario. This time, the bad actor can generate their own secret codes and get as many meal tickets as they want.
A bad actor can use a variety of attacks to impersonate someone else. This is why the NIST SP 800-63 guidance is so important for Credential Service Providers (CSPs) to follow. The same is true for a special class of CSPs called Certificate Authorities (CAs). Unfortunately, these three attack types represent only a few of the risks associated with identity, credential, and access management (ICAM).
Continuing Our Analogy
Now, on to Identity Proofing Fraud. To set the scene, let’s return to the scenario introduced in the first blog post:
Imagine a nationwide banquet with over 320 million Americans. You are working at the reception desk handing out badges that contain the seating arrangements for each guest. What happens if you give out the wrong badge? The person won’t be seated at the same table as the rest of their family. Your job is to give the right badge to the right person. Now imagine you’re checking someone in who says their name is John Doe, born on July 1, 1985.
Introduction to the Risk that Identity Proofing Mitigates
In a digital world, the risk presented above is even greater than it is in person. Organizations don’t always have the luxury of physically meeting the individuals requesting access to their services. Rather, individuals approach the organization’s digital front door. When they open that door, they are often greeted by automated or semi-automated software designed to verify their identity, and that software sees only what the requester chooses to show it.
Attack #1: Identity Proofing Fraud
Imagine that you are now the person checking people in at the banquet. You are approached by a man who claims his name is John Doe, born on July 1, 1985. How can you determine whether he’s telling the truth?
Establishing, for the first time, that the person on the other side of the internet is who they claim to be is called “identity proofing.” Sometimes the activity is also called “identity verification,” although NIST SP 800-63A uses “verification” more narrowly, for the step that ties validated evidence to the person actually presenting it. Online, bad actors have more opportunities and techniques to fool you when they are interfacing through a webcam. This is especially true for automated remote ID verification software.
Imagine that a person impersonating John Doe obtains a fake driver’s license. The fake license reflects John Doe’s identity attributes (name, date of birth, etc.) but bears the imposter’s face. Since this is the first interaction you’ve had with the alleged John Doe, you have no reason to believe the imposter isn’t really John Doe. The only way to tell is by evaluating the legitimacy of the evidence the imposter provides, and an untrained eye or insufficient software could be fooled by a well-made forgery.
To make matters worse, not all identity evidence is created equal. For example, the imposter could give you a utility bill containing John Doe’s name and address. While that may instill some semblance of confidence that he’s telling the truth, such evidence is not terribly difficult to obtain if he isn’t John Doe. The imposter could also fabricate a utility bill, and you would probably be hard-pressed to tell the difference.
In contrast with a utility bill, a driver’s license carries holograms and other fraud prevention features, and it was issued only after the holder satisfied robust identity proofing requirements. These aspects let you rely on a genuine license and spot a forged one. This is especially true for driver’s licenses that adhere to the REAL ID Act.
The Trade-off Between ID Proofing Confidence and User Experience or Expense
As you might have concluded, confirming that someone is who they claim to be is not a trivial task. It’s fraught with risks, even when you are presented with the proper evidence. The person (or software) evaluating the evidence must know what fraud prevention features are present on each type of evidence. Passports, driver’s licenses, and government IDs are examples of reliable evidence.
Because of this difficulty, ID proofing adds friction and cost to issuing identity credentials. There are numerous techniques for decreasing cost and user burden. However, in many cases, convenience and confidence (or assurance) in the ID proofing event have an inverse relationship: as costs and friction go down, the risk often goes up. This is not true in all cases, because software has greatly improved the consumer identity space. Nevertheless, in-person identity proofing, or something like it involving human interaction, is widely regarded as the technique providing the highest identity proofing assurance. Unfortunately, it also often results in higher user burden and cost.
For healthcare, identifying a method to confirm a patient’s identity as part of their first interaction may prove to be a winning strategy. For more information, see this blog post.
Guidance to Help Mitigate Identity Fraud
Luckily, NIST SP 800-63A offers prescriptive guidance on the processes that organizations and/or service providers should follow when identity proofing individuals, both in person and remotely. The guidance is designed to help organizations make risk-based decisions about identity credentials. NIST SP 800-63A divides its guidance into three increasing identity assurance levels (IAL1, IAL2, and IAL3). The assurance level generally accepted in healthcare is IAL2. However, organizations can elect to require variations on this assurance level.
NIST refers to organizations that carry out identity proofing as the initial step for obtaining an identity credential as “Registration Authorities.” These organizations register new users and verify the information users assert about themselves. Choosing a reliable Registration Authority or operating your own Registration Authority can both be daunting tasks.
How Can DirectTrust Help?
To help in your journey, DirectTrust has operated a Registration Authority (RA) accreditation program for many years. As of March 2023, DirectTrust-accredited RAs have facilitated the identity proofing of nearly three million individuals and organizations, and that number continues to grow every year. DirectTrust has migrated its Registration Authority accreditation to support IAL2, and we’re working on new identity assurance levels that are purpose-built for healthcare.
At DirectTrust, we invite the members of our community to participate with us. All DirectTrust policies are driven and ratified via consensus. One aspect stipulates how identity proofing must be carried out by accredited parties of the DirectTrust community. If you have ideas about how identity proofing could be done better in healthcare, we invite you to participate and help shape the way healthcare gets identity proofed!
Stay tuned for the next blog in this series, which covers authentication (Attack #2) and how it is related to, but distinct from, identity proofing.
This post was contributed by Kyle Neuman, DirectTrust Director of Trust Framework Development.
References:
[1] Verizon, 2022 Data Breach Investigations Report, https://www.verizon.com/business/resources/reports/dbir/
[2] Steiner, Peter. “On the Internet, nobody knows you’re a dog.” The New Yorker, July 5, 1993.
[3] Federal News Network, “CISA: Identity is everything for cyber defense post-SolarWinds,” March 2021, https://federalnewsnetwork.com/cybersecurity/2021/03/cisa-identity-is-everything-for-cyber-defense-post-solarwinds/