Levels of Identity DiscoveryDecember 2013
Topics: Information Privacy, Information Security Risk Management
The basic premise behind this paper is that various applications require differing levels of assurance to know who is standing before them (physically or remotely for online applications) upon initial enrollment. A free online gaming portal does not have a definitive need to know the true identity of the person requesting an account, but a bank certainly wants to ensure that it is granting access to a 401k account to which an employer is depositing funds. Applications today use some form of graduated levels to establish a user's initial identity through some combination of selected identity attributes. There is just no consensus on how these levels are defined or implemented. This creates privacy issues, as personally identifiable information (PII) is often requested when it really is not needed. It also creates unnecessary economic burdens as application managers perform individual assessments instead of simply leveraging an assessment someone else performed previously.
This paper begins to explore this issue and aims to initiate further dialogue. It does not propose a detailed, peer-reviewed process that the authors feel solves this issue. Multiple parties with disconnected interests would need to first study the problem and voice constructive needs before a solution could be proposed. Rather, this paper provides a starting point so that those studies can take place, and provides data to enable discussions to begin with a common foundation.