NIST Level 3 Registration – Doing What’s Right
We are talking to quite a few government CIOs about remote authentication and seeing an uptick in requests for high assurance identity. While a greater focus on identity is a step in the right direction, many of these requests are framed in the context of "Level of Assurance 3". Under NIST SP 800-63 (the Level of Assurance model that preceded the Identity Assurance Levels of SP 800-63-3), Level 3 remote identity proofing requires that a government-issued ID number and a financial account number be validated against records. The bare bones of that requirement are a great place to start, but on their own they may not provide complete trust.
Unfortunately, both the confidentiality and the ubiquity of government IDs can be called into question. Social Security numbers are routinely revealed through their use in all sorts of applications and forms outside their stated purpose. Many people used to have their Social Security number printed on their checks, and in many states the number on a driver's license was the SSN. Driver's licenses suffer from a lack of state-level reporting: currently only about half of the states officially share driver's license information. Driving is also a privilege rather than a right, and an optional activity; not everyone has, or is allowed to have, a driver's license.
Financial account numbers have their own set of problems. Account numbers and the basic personally identifiable information (PII) that accompanies them are a primary target for cyber-thieves. Only a small percentage of identity theft investigations reveal the source of the stolen data, but observers of the black market report that prices for credit card numbers and PII are at an all-time low, which makes identity fraud a crime that really pays.
What these facts mean is that validating only these two inputs cannot assure a government organization that the person supplying them is who they say they are, or that a particular applicant can be uniquely identified. From a fraudster's perspective, all it validates is that the stolen identity is the identity they think they are using. That is not very helpful if your agency is a prime target of fraud.
When talking to our customers and listening to the public statements from our leading departments and agencies, we know that agencies do not want to limit service because of limitations in the security of online transactions. Unfortunately, meeting only the minimum identity registration criteria creates a minimum standard of trust and raises the risk of fraud. That in turn can lead to a scaled-back level of service in order to keep systems secure.
As we have said before, not all knowledge-based authentication (KBA) is equal. Dynamic, out-of-wallet questions based on deep secrets (information that is not printed on the documents in a stolen wallet or sold alongside a stolen account number) raise identity registration to a significantly higher level, and should be a requirement in any remote proofing solution for government or private enterprise.
If you are interested in providing a high assurance environment that goes beyond the basic requirements, contact one of our specialists.