Multiple applications within the government and the private sector require some level of knowledge of the individual they are interacting with to provide specialized services. This paper begins to explore this issue and aims to initiate further dialogue.
Levels of Identity Discovery
The basic premise behind this paper is that different applications require differing levels of assurance about who is standing before them (physically, or remotely for online applications) upon initial enrollment. A free online gaming portal does not have a definitive need to know the true identity of the person requesting an account, but a bank certainly wants to ensure that it is granting the right person access to a 401k account to which an employer is depositing funds. Applications today use some form of graduated levels to establish a user's initial identity through some combination of selected identity attributes. There is, however, no consensus on how these levels are defined or implemented. This creates privacy issues, as personally identifiable information (PII) is often requested when it is not actually needed. It also creates unnecessary economic burdens, as application managers perform individual assessments instead of simply leveraging an assessment someone else performed previously.
This paper begins to explore this issue and aims to initiate further dialogue. It does not propose a detailed, peer-reviewed process that the authors feel solves this issue. Multiple parties with disconnected interests would need to first study the problem and voice constructive needs before a solution could be proposed. Rather, this paper provides a starting point so that those studies can take place, and provides data to enable discussions to begin with a common foundation.