IdM Identity Proofing & Registration

Gary Chapman

David Millman

September 2006


Agenda

  • Context: IdM elements & processes

  • Definitions

  • How things are mostly done today

  • Internal & external drivers for change

  • How to approach next gen designs

  • Relationship to other IdM concepts

  • Sample documents


  • Identification and Registration are basic components of an overall IdM system.

  • They are fundamental at the beginning of bringing people into a community, but their role continues…

  • Other IdM functions rely on Identification and Registration processes and data.

  • Goal: provide trustworthy electronic and physical credentials to members of a community

We digress… a couple comments on that diagram…

  • Has some good aspects… e.g. the common understanding we have today that authentication is something to be largely handled outside an app, and is something different from authorization

  • But still misses many very important aspects of Identity Management, e.g.

    • Directory Services

    • Policy and Governance

    • Data structures, including roles and groups

    • Recurrent / cyclical processes

    • Devilish details!


Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be. Generally, this identity verification takes place within the office (e.g. Human Resources or Student Services) that first encounters the individual and creates their record within the institutional system(s) of record. The next step is Registration.

Registration (credentialing) is the process whereby users are given electronic credentials, leveraging the identification process above to ensure that they are coupled with the correct electronic identity information. For example, many campuses use a web-based mechanism to reset an initial password and establish a permanent one, ensuring a correct mapping by requiring the user to enter additional information validated against that which is contained in their record. It is important for institutions to establish rules that govern the processes used by the department or office that assigns and distributes credentials.

(from the NMI-Edit Authentication Roadmap)
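The registration mechanism the roadmap excerpt describes (user holds an initial password, proves they are the person in the record by supplying attributes checked against it, then sets a permanent password) as a small runnable model. This is an added example, not the roadmap's or any campus's code; the attributes checked (date of birth, ID number), PBKDF2 for password storage, the constant-time comparison and the five-attempt lockout are this example's assumptions.

```python
"""Registration (credentialing) step: bind a person to the record created at
identification before handing out a permanent credential. Added illustration;
the record fields, hashing choices and attempt limit are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # assumed lockout threshold
MIN_PASSWORD_LEN = 12     # assumed password policy
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Record:
    """System-of-record entry created by HR / Student Services (constructed fields)."""
    user_id: str
    date_of_birth: str
    id_number: str
    initial_salt: bytes
    initial_hash: bytes                 # hash of the one-time initial password
    permanent_salt: bytes | None = None
    permanent_hash: bytes | None = None
    failed_attempts: int = 0


def make_record(user_id: str, dob: str, id_number: str, initial_password: str) -> Record:
    salt, digest = _hash_password(initial_password)
    return Record(user_id, dob, id_number, salt, digest)


def register(rec: Record, initial_password: str, claimed_dob: str,
             claimed_id_number: str, new_password: str) -> tuple[bool, str]:
    """All three claims must match the record before a permanent password is set."""
    if rec.permanent_hash is not None:
        return False, "already registered"
    if rec.failed_attempts >= MAX_ATTEMPTS:
        return False, "locked"
    _, supplied = _hash_password(initial_password, rec.initial_salt)
    # Evaluate every check (no short-circuit) and compare in constant time, so a
    # wrong guess does not reveal which field was wrong.
    ok = hmac.compare_digest(supplied, rec.initial_hash)
    ok &= hmac.compare_digest(claimed_dob.encode(), rec.date_of_birth.encode())
    ok &= hmac.compare_digest(claimed_id_number.encode(), rec.id_number.encode())
    if not ok:
        rec.failed_attempts += 1
        return False, "record mismatch"    # one generic message for every failure
    if len(new_password) < MIN_PASSWORD_LEN:
        return False, "password too short"
    rec.permanent_salt, rec.permanent_hash = _hash_password(new_password)
    rec.initial_hash = b""                 # retire the one-time initial password
    rec.failed_attempts = 0
    return True, "registered"


def verify_permanent(rec: Record, password: str) -> bool:
    """Later logins check only the permanent credential set at registration."""
    if rec.permanent_hash is None or rec.permanent_salt is None:
        return False
    _, supplied = _hash_password(password, rec.permanent_salt)
    return hmac.compare_digest(supplied, rec.permanent_hash)


if __name__ == "__main__":
    rec = make_record("jdoe", "1988-04-12", "S1234567", "Tmp-8f3k2q")   # constructed sample
    print(register(rec, "Tmp-8f3k2q", "1988-04-12", "S1234567", "correct horse battery"))
    print(verify_permanent(rec, "correct horse battery"))
```

The point of the extra attributes is the mapping the roadmap mentions: the initial password alone only proves possession of whatever was mailed or handed out, while the record attributes tie that possession to the identity the office of record verified. Retiring the initial password after success keeps a leaked starter credential from being reused.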

Some medical “special” cases

  • Doctors: repeated credentialing

    • Require updated certification

    • Significant credentialing infrastructure

    • QC dependency on IT

    • Credentialing tools (nurses can check doctors’ certifications)

  • Students

    • Can recommend tests & drugs

    • Short rotations (month-ish)

    • 50% visiting students

    • Become Residents (hospital employees x 2)

    • Then become Attending (univ employees x 2)

  • “Vendors”

    • Medical secretaries in private practice offices

Drivers for Change

  • Security: identification and registration are foundational -- the rest of “the system” is only as strong as its foundation

  • Challenge: increasingly diverse community - increasingly seeing new populations with varying identification characteristics

  • Challenge: increasingly diverse applications to support having different security requirements

  • Challenge: both internal and external applications to support

Guiding Concepts

  • Risk management

    • In relation to a given system, how serious is a compromise or a data spill relating to inappropriate/unauthorized access?

    • The greater the risk, the greater the requirement for confidence that a person accessing the system is who they claim to be

  • Levels of assurance

    • Increasingly common to characterize systems as requiring credentials which provide a high (or low) “level of assurance”

    • Identification and registration processes may be geared to provide higher or lower levels of assurance

    • The more rigorous the identification and registration processes in effect, the higher the level of assurance provided by issued credentials

    • But, of course, not all credentials are equally good (e.g. username/password versus two-factor authentication token)

    • So: roughly, reliability of a credential = Rigor of Process + Credential characteristics
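The rule of thumb above (credential reliability comes from the rigor of the identification/registration process plus the credential's own characteristics) turned into an executable access check, as an added example that is not the presenters' code. It assumes four assurance levels numbered 1 to 4 (the number NIST SP 800-63 uses), its own scales for proofing rigor and credential type, the cap tables, and a weakest-link rule in which the lower of the two caps decides the level; none of these values come from the standard's tables.

```python
"""Assurance level = min(cap from proofing rigor, cap from credential type).
Added illustration; the scales, caps and sample population are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class ProofingRigor(IntEnum):
    """How the office of record identified the person (assumed scale)."""
    SELF_ASSERTED = 0            # nothing checked, e.g. open web sign-up
    RECORD_MATCH = 1             # claimed data matched against an existing record
    IN_PERSON_DOCS = 2           # appeared in person with identity source documents
    IN_PERSON_AGENCY_CHECK = 3   # in person, documents plus a background check


class CredentialType(IntEnum):
    """Technical strength of the credential handed out at registration (assumed scale)."""
    PASSWORD = 1
    OTP_TOKEN = 2
    HARDWARE_PKI_TOKEN = 3


# Highest assurance level each component can support on its own (assumed values).
PROOFING_CAP = {
    ProofingRigor.SELF_ASSERTED: 1,
    ProofingRigor.RECORD_MATCH: 2,
    ProofingRigor.IN_PERSON_DOCS: 3,
    ProofingRigor.IN_PERSON_AGENCY_CHECK: 4,
}
CREDENTIAL_CAP = {
    CredentialType.PASSWORD: 2,
    CredentialType.OTP_TOKEN: 3,
    CredentialType.HARDWARE_PKI_TOKEN: 4,
}


@dataclass(frozen=True)
class Credential:
    subject: str
    rigor: ProofingRigor        # fixed at registration, from the proofing record
    kind: CredentialType

    def assurance_level(self) -> int:
        # Weakest-link rule: rigorous proofing does not rescue a plain password,
        # and a PKI token does not rescue an identity nobody verified.
        return min(PROOFING_CAP[self.rigor], CREDENTIAL_CAP[self.kind])

    def limiting_factor(self) -> str:
        return "proofing" if PROOFING_CAP[self.rigor] <= CREDENTIAL_CAP[self.kind] else "credential"


@dataclass(frozen=True)
class System:
    name: str
    required_level: int   # output of the risk assessment: how bad is a compromise here?


def access_decision(system: System, cred: Credential) -> tuple[bool, str]:
    """Allow only if the credential's level meets the level the system requires."""
    level = cred.assurance_level()
    if level >= system.required_level:
        return True, f"{cred.subject}: LoA {level} meets {system.name} (needs {system.required_level})"
    return False, (f"{cred.subject}: LoA {level} below {system.name} (needs {system.required_level}); "
                   f"limited by {cred.limiting_factor()}")


# Constructed sample systems and population.
LIBRARY = System("library catalog", required_level=1)
PATIENT_RECORDS = System("patient records", required_level=3)
ALICE = Credential("alice", ProofingRigor.IN_PERSON_DOCS, CredentialType.PASSWORD)                   # level 2
BOB = Credential("bob", ProofingRigor.SELF_ASSERTED, CredentialType.HARDWARE_PKI_TOKEN)               # level 1
CAROL = Credential("carol", ProofingRigor.IN_PERSON_AGENCY_CHECK, CredentialType.HARDWARE_PKI_TOKEN)  # level 4

if __name__ == "__main__":
    for cred in (ALICE, BOB, CAROL):
        for system in (LIBRARY, PATIENT_RECORDS):
            print(access_decision(system, cred)[1])
```

The `limiting_factor` output is the practical payoff: when a population cannot reach a system's required level, it tells you whether to invest in stronger credentials or in more rigorous proofing for that population, which is the trade-off the slide's "Rigor of Process + Credential characteristics" formula is pointing at.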

Levels of Assurance

NIST SP 800-63

[Table from NIST SP 800-63: token types allowed at each assurance level (image not reproduced in the transcript)]

Levels of Assurance

NIST SP 800-63

[Table from NIST SP 800-63: required protections (image not reproduced in the transcript)]

Ties to other IdM issues

  • Certificate Authorities (levels of assurance in Federal PKI Certificate Policies)

  • Document authenticity (diplomatics)

Where to go for ideas, guidance?

  • In evaluating your identification and registration processes, take a look at

    • InCommon Federation Participant Operational Practices document -- filled out by participating institutions to describe institutional policies and practices

    • FIPS 201 standard -- federal standard for “Personal Identity Verification (PIV) of Federal Employees and contractors”


InCommon POP

  • Your community - how do you define the set of people who are eligible to receive credentials?

  • Your credentials - what is the administrative process used to establish electronic identities? What is (are) the office(s) of record for this purpose? What technologies are used for your identity credentials? Are they ever transmitted in plain text across your network?

  • Your identifiers - everlasting or re-used?

  • Maintaining and updating information - how is information in your identity database acquired and updated? How can it be updated? Any self-service?

    (Surprisingly, doesn’t seem to ask about registration processes, credential distribution methods, credential de-provisioning…)

FIPS 201 standard

  • Describes the very elaborate processes and procedures deemed appropriate post-9/11 to control access to federal facilities and electronic resources… the bar is set high! (And so presents many excellent points of comparison with existing or desired practices at one’s home institution.)

  • Goal: issue credentials -- secure and reliable forms of identification --

    • based on sound criteria for verifying the employee’s identity

    • strongly resistant to identity fraud, tampering, counterfeiting

    • can be rapidly validated electronically

    • issued by accredited providers

    • having graduated criteria (from least secure to most) to ensure flexibility in selecting the appropriate level of security for each application

  • Rigorous processes, e.g. --

  • The process shall begin with initiation of a National Agency Check with Written Inquiries…

  • The applicant must appear in-person at least once before the issuance of a PIV credential.

  • During identity proofing, the applicant shall be required to provide two forms of identity source documents in original form…

  • The PIV identity proofing, registration and issuance process shall adhere to the principle of separation of duties to ensure that no single individual has the capability to issue a PIV credential without the cooperation of another authorized person.

  • The PIV Sponsor shall complete a PIV Request for a particular Applicant, and submit the PIV Request to the PIV Registrar and the PIV Issuer. The PIV Request shall include the following:

    • Name, organization, and contact information of the PIV Sponsor

    • Name, date of birth, position, and contact information of the Applicant

    • Name and contact information of the designated PIV Registrar

    • Name and contact information of the designated PIV Issuer

    • Signature of the PIV Sponsor

  • Etc etc etc etc etc
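The quoted FIPS 201 requirements (a signed PIV Request from the Sponsor naming the Registrar and Issuer, at least one in-person appearance, two identity source documents, and separation of duties so no one person can issue a credential alone) as an issuance audit an institution could run before handing out a credential. This is an added example, not FIPS 201 text or any agency's code; the data classes, the shape of the registration record and the sample people are assumptions.

```python
"""Pre-issuance audit for a PIV-style workflow. Added illustration; the
PIVRequest fields follow the slide's list, everything else is assumed."""
from __future__ import annotations

from dataclasses import dataclass, field


class IssuanceError(Exception):
    pass


@dataclass(frozen=True)
class Person:
    name: str
    contact: str
    organization: str = ""


@dataclass
class PIVRequest:
    """Fields the slide lists for a PIV Request; the Sponsor's signature is a flag here."""
    sponsor: Person
    applicant_name: str
    applicant_dob: str
    applicant_position: str
    applicant_contact: str
    registrar: Person
    issuer: Person
    sponsor_signed: bool = False


@dataclass
class RegistrationRecord:
    """What the Registrar records during identity proofing (assumed shape)."""
    registrar: Person
    appeared_in_person: bool
    source_documents: list[str] = field(default_factory=list)


def audit_issuance(req: PIVRequest, reg: RegistrationRecord, issuer: Person) -> list[str]:
    """Return every rule the issuance would violate; an empty list means it may proceed."""
    problems: list[str] = []
    if not req.sponsor_signed:
        problems.append("PIV Request is not signed by the Sponsor")
    # Separation of duties: Sponsor, Registrar and Issuer must be three different people.
    roles = {"Sponsor": req.sponsor, "Registrar": req.registrar, "Issuer": req.issuer}
    held: dict[Person, str] = {}
    for role, person in roles.items():
        if person in held:
            problems.append(f"{person.name} holds both {held[person]} and {role} roles")
        held[person] = role
    if reg.registrar != req.registrar:
        problems.append("identity proofing was not done by the designated Registrar")
    if not reg.appeared_in_person:
        problems.append("applicant never appeared in person")
    if len(reg.source_documents) < 2:
        problems.append("fewer than two identity source documents were presented")
    if issuer != req.issuer:
        problems.append("issuance attempted by someone other than the designated Issuer")
    return problems


def issue_piv(req: PIVRequest, reg: RegistrationRecord, issuer: Person) -> dict[str, str]:
    """Issue only when the audit is clean; the returned record names every party involved."""
    problems = audit_issuance(req, reg, issuer)
    if problems:
        raise IssuanceError("; ".join(problems))
    return {"holder": req.applicant_name, "sponsor": req.sponsor.name,
            "registrar": reg.registrar.name, "issuer": issuer.name}


# Constructed sample people and a well-formed request.
SPONSOR = Person("S. Sponsor", "sponsor@example.test", "Facilities Office")
REGISTRAR = Person("R. Registrar", "registrar@example.test")
ISSUER = Person("I. Issuer", "issuer@example.test")
GOOD_REQUEST = PIVRequest(SPONSOR, "A. Applicant", "1980-01-01", "Contractor",
                          "applicant@example.test", REGISTRAR, ISSUER, sponsor_signed=True)
GOOD_REGISTRATION = RegistrationRecord(REGISTRAR, appeared_in_person=True,
                                       source_documents=["passport", "driver licence"])

if __name__ == "__main__":
    print(issue_piv(GOOD_REQUEST, GOOD_REGISTRATION, ISSUER))
    print(audit_issuance(GOOD_REQUEST, GOOD_REGISTRATION, SPONSOR))
```

Returning the full list of violations rather than failing on the first one matters for the "many contexts at once" point: an institution comparing its own process against FIPS 201 wants to see every gap (remote-only proofing, a single document, the same administrator sponsoring and issuing) in one pass.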

Further Reading

  • The Enterprise Authentication Implementation Roadmap (NMI-EDIT)

  • EDUCAUSE/I2 Risk Assessment Framework

  • eAuthentication, password credential assessment (

  • Electronic Authentication Guideline (NIST SP 800-63)

Conclusion

  • Not simple.

  • Cannot be done in isolation.

  • Many contexts to consider simultaneously.

  • One size does not fit all.