IdM Identity Proofing & Registration Gary Chapman David Millman September 2006


Page 1: IdM Identity Proofing & Registration

IdM Identity Proofing & Registration

Gary Chapman

David Millman

September 2006

Page 2: IdM Identity Proofing & Registration

CSG 2006/9--2

Agenda

• Context: IdM elements & processes

• Definitions

• How things are mostly done today

• Internal & external drivers for change

• How to approach next gen designs

• Relationship to other IdM concepts

• Sample documents

Page 3: IdM Identity Proofing & Registration


Context

• Identification and Registration are basic components of an overall IdM system.

• They are fundamental at the beginning of bringing people into a community, but their role continues…

• Other IdM functions rely on Identification and Registration processes and data.

• Goal: provide trustworthy electronic and physical credentials to members of a community

Page 4: IdM Identity Proofing & Registration


Overview of IdM Elements

Page 5: IdM Identity Proofing & Registration


We digress… a couple of comments on that diagram…

• Has some good aspects… e.g. the common understanding we have today that authentication is something to be largely handled outside an app, and is something different from authorization

• But still misses many very important aspects of Identity Management, e.g.

– Directory Services

– Federation

– Policy and Governance

– Data structures, including roles and groups

– Recurrent / cyclical processes

– Devilish details!

Page 6: IdM Identity Proofing & Registration


Definitions

Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be. Generally, this identity verification takes place within the office (e.g. Human Resources or Student Services) that first encounters the individual and creates their record within the institutional system(s) of record. The next step is Registration.

Registration (credentialing) is the process whereby users are given electronic credentials, leveraging the identification process above to ensure that they are coupled with the correct electronic identity information. For example, many campuses use a web-based mechanism to reset an initial password and establish a permanent one, ensuring a correct mapping by requiring the user to enter additional information validated against that which is contained in their record. It is important for institutions to establish rules that govern the processes used by the department or office that assigns and distributes credentials.

(from the NMI-Edit Authentication Roadmap)
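The registration step defined above (a one-time initial credential, then record attributes validated against the system of record before a permanent password is set) as an added example; this is hypothetical code written for this page, not a campus system or anything from the NMI-Edit roadmap, and the record values, field names and lockout threshold are constructed assumptions:

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample system-of-record rows (hypothetical values): what the
# identification step produced in the office of record (HR, Student Services).
SYSTEM_OF_RECORD = {
    "u1001": {"last_name": "Okafor", "birth_date": "1988-04-12", "id_last4": "7731"},
}
REQUIRED_FIELDS = ("last_name", "birth_date", "id_last4")

def _eq(a: str, b: str) -> bool:
    """Constant-time comparison; bytes so non-ASCII answers do not raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

class RegistrationService:
    """Hypothetical registration service coupling a credential to a verified record."""
    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.initial_tokens = {}  # uid -> single-use token handed out by the office of record
        self.credentials = {}     # uid -> (salt, PBKDF2 hash) once the permanent password is set
        self.failures = {}        # uid -> failed claim attempts (lockout counter)

    def issue_initial_token(self, uid: str) -> str:
        if uid not in SYSTEM_OF_RECORD:
            raise KeyError(f"no record for {uid}")  # no record, no credential
        self.initial_tokens[uid] = secrets.token_urlsafe(16)
        return self.initial_tokens[uid]

    def claim(self, uid: str, token: str, answers: dict, new_password: str) -> bool:
        if self.failures.get(uid, 0) >= self.max_attempts:
            return False  # lockout is per record, so guessing cannot be spread over sessions
        record = SYSTEM_OF_RECORD.get(uid, {})
        expected = self.initial_tokens.get(uid, "")
        # Check the token and every required attribute; evaluate all checks so the
        # response does not reveal which one failed.
        ok = bool(expected) and _eq(token, expected)
        for field in REQUIRED_FIELDS:
            ok &= _eq(str(answers.get(field, "")), str(record.get(field, "")))
        if not ok or len(new_password) < 12:
            self.failures[uid] = self.failures.get(uid, 0) + 1
            return False
        del self.initial_tokens[uid]  # single use: the initial token cannot be replayed
        salt = os.urandom(16)
        self.credentials[uid] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return True

    def verify(self, uid: str, password: str) -> bool:
        salt, digest = self.credentials.get(uid, (b"", b""))
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))
```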

Page 7: IdM Identity Proofing & Registration


Current Methods - BPR Analysis

Page 8: IdM Identity Proofing & Registration


Current Methods - BPR Analysis

Page 9: IdM Identity Proofing & Registration


Some medical “special” cases

• Dr’s, repeated credentialing

– Require updated certification

– Significant credentialing infrastructure

– QC dependency on IT

– Credentialing tools (nurses can check Dr’s certifications)

• Students

– Can recommend tests & drugs

– Short rotations (month-ish)

– 50% visiting students

– Become Residents (hospital employees x 2)

– Then become Attending (univ employees x 2)

• “Vendors”

– Medical secretaries in private practice offices

Page 10: IdM Identity Proofing & Registration


Drivers for Change

• Security: identification and registration are foundational -- the rest of “the system” is only as strong as its foundation

• Challenge: increasingly diverse community - increasingly seeing new populations with varying identification characteristics

• Challenge: increasingly diverse applications to support having different security requirements

• Challenge: both internal and external applications to support

Page 11: IdM Identity Proofing & Registration


Guiding Concepts

• Risk management

– In relation to a given system, how serious is a compromise or a data spill relating to inappropriate/unauthorized access?

– The greater the risk, the greater the requirement for confidence that a person accessing the system is who they claim to be

• Levels of assurance

– Increasingly common to characterize systems as requiring credentials which provide a high (or low) “level of assurance”

– Identification and registration processes may be geared to provide higher or lower levels of assurance

– The more rigorous the identification and registration processes in effect, the higher the level of assurance provided by issued credentials

– But, of course, not all credentials are equally good (e.g. username/password versus two-factor authentication token)

– So: roughly, reliability of a credential = Rigor of Process + Credential characteristics

Page 12: IdM Identity Proofing & Registration


Levels of Assurance

Token-types allowed at each assurance level (NIST SP 800-63 example)

Token type                 Level 1   Level 2   Level 3   Level 4
Hard crypto token             X         X         X         X
One-time password device      X         X         X
Soft crypto token             X         X         X
Passwords & PINs              X         X

Page 13: IdM Identity Proofing & Registration


Levels of Assurance

Required protections (NIST SP 800-63 example)

Protect against            Level 1   Level 2   Level 3   Level 4
On-line guessing              X         X         X         X
Replay                        X         X         X         X
Eavesdropper                            X         X         X
Verifier impersonation                            X         X
Man-in-the-middle                                 X         X
Session hijacking                                           X

Page 14: IdM Identity Proofing & Registration


Ties to other IdM issues

• Certificate Authorities (levels of assurance in Federal PKI Certificate Policies)

• Document authenticity (diplomatics)

Page 15: IdM Identity Proofing & Registration


Where to go for ideas, guidance?

• In evaluating your identification and registration processes, take a look at

– InCommon Federation Participant Operational Practices document -- filled out by participating institutions to describe institutional policies and practices
http://www.incommonfederation.org/docs/policies/incommonpop.pdf

– FIPS 201 standard -- federal standard for “Personal Identity Verification (PIV) of Federal Employees and contractors”
(http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf)

Page 16: IdM Identity Proofing & Registration


InCommon POP

• Your community - how do you define set of people who are eligible to receive credentials?

• Your credentials - what is the administrative process used to establish electronic identities? What is (are) the office(s) of record for this purpose? What technologies are used for your identity credentials? Ever transmitted in plain text across your network?

• Your identifiers - everlasting or re-used?

• Maintaining and updating information - how is information in your identity database acquired and updated? How can it be updated? Any self-service?

(Surprisingly, doesn’t seem to ask about registration processes, credential distribution methods, credential de-provisioning…)

Page 17: IdM Identity Proofing & Registration


FIPS 201 standard

• Describes the very elaborate processes and procedures deemed appropriate post-9/11 to control access to federal facilities and electronic resources… the bar is set high! (And so presents many excellent points of comparison with existing or desired practices at one’s home institution.)

• Goal: issue credentials -- secure and reliable forms of identification --

– based on sound criteria for verifying an employee’s identity

– strongly resistant to identity fraud, tampering, counterfeiting

– can be rapidly validated electronically

– issued by accredited providers

– having graduated criteria (from least secure to most) to ensure flexibility in selecting the appropriate level of security for each application

• Rigorous processes, e.g. --

Page 18: IdM Identity Proofing & Registration


• The process shall begin with initiation of a National Agency Check with Written Inquiries…

• The applicant must appear in-person at least once before the issuance of a PIV credential.

• During identity proofing, the applicant shall be required to provide two forms of identity source documents in original form…

• The PIV identity proofing, registration and issuance process shall adhere to the principle of separation of duties to ensure that no single individual has the capability to issue a PIV credential without the cooperation of another authorized person.

• The PIV Sponsor shall complete a PIV Request for a particular Applicant, and submit the PIV Request to the PIV Registrar and the PIV Issuer. The PIV Request shall include the following:

– Name, organization, and contact information of the PIV Sponsor

– Name, date of birth, position, and contact information of the Applicant

– Name and contact information of the designated PIV Registrar

– Name and contact information of the designated PIV Issuer

– Signature of the PIV Sponsor

• Etc etc etc etc etc
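The separation-of-duties rule quoted above (Sponsor, Registrar and Issuer as distinct authorized persons, in-person appearance, two source documents, no issuance without the cooperating roles) as an added example of how a request workflow can enforce it; this is hypothetical code written for this page, not part of FIPS 201 or any PIV system, and the role table, names and the placeholder credential id are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed role assignments (hypothetical). A person may hold more than one
# role, but may not act in two roles on the same request.
ROLES = {"sponsor": {"alice"}, "registrar": {"bob", "carol"}, "issuer": {"carol", "dave"}}

@dataclass
class PivRequest:
    applicant: str
    sponsor: str
    registrar: str
    issuer: str
    sponsor_signed: bool = False
    source_documents: List[str] = field(default_factory=list)
    appeared_in_person: bool = False
    proofed_by: Optional[str] = None
    issued_by: Optional[str] = None

def _has_role(person: str, role: str) -> bool:
    return person in ROLES.get(role, set())

def sponsor_submit(req: PivRequest) -> PivRequest:
    """Step 1: the Sponsor signs the request naming a Registrar and an Issuer."""
    if not _has_role(req.sponsor, "sponsor"):
        raise PermissionError("sponsor not authorized")
    if not (_has_role(req.registrar, "registrar") and _has_role(req.issuer, "issuer")):
        raise PermissionError("designated registrar or issuer lacks the role")
    if len({req.sponsor, req.registrar, req.issuer}) < 3:
        raise ValueError("separation of duties: sponsor, registrar and issuer must differ")
    req.sponsor_signed = True
    return req

def registrar_proof(req: PivRequest, actor: str, documents: List[str], in_person: bool) -> PivRequest:
    """Step 2: only the designated Registrar records in-person proofing with two source documents."""
    if actor != req.registrar or not req.sponsor_signed:
        raise PermissionError("only the designated registrar may proof a signed request")
    if not in_person or len(documents) < 2:
        raise ValueError("in-person appearance and two original source documents required")
    req.source_documents, req.appeared_in_person, req.proofed_by = list(documents), True, actor
    return req

def issue_credential(req: PivRequest, actor: str) -> str:
    """Step 3: only the designated Issuer, after proofing, issues; returns a placeholder id."""
    if actor != req.issuer or req.proofed_by is None or actor in {req.sponsor, req.registrar}:
        raise PermissionError("issuance requires the designated issuer and a completed proofing step")
    req.issued_by = actor
    return f"PIV-{req.applicant}"  # placeholder identifier, not a real PIV serial
```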

Page 19: IdM Identity Proofing & Registration


Further Reading

• The Enterprise Authentication Implementation Roadmap (nmi-edit)

• EDUCAUSE/I2 Risk Assessment Framework

• eAuthentication, password credential assessment (cio.gov)

• Electronic Authentication Guideline (NIST SP 800-63)

Page 20: IdM Identity Proofing & Registration


Conclusion

• Not simple.

• Cannot be done in isolation.

• Many contexts to consider simultaneously.

• One size does Not fit all.