Identity Proofing



What is HSPD-12 HSPD-12 Homeland Security Presidential Directive
Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures begining 10/05
Mandates all Federal Agencies begin issuing Smart Cards with medium assurance digital certificates by 10/06
Authorization remains a local prerogative within each participating agencyhttp://csrc.nist.gov/news_events/HIPAA-May2011_workshop/presentations/day1_HIPAA-conference2011-Identity-Healthcare.pdf (original pdf)
Identity Proofing and NIST SP 800-63: Applications in Healthcare


May 10, 2011




© 2010 Experian Information Solutions, Inc. All rights reserved. Experian and the marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. No part of this copyrighted work may be reproduced, modified, or distributed in any form or manner without the prior written permission of Experian Information Solutions, Inc. Experian Public.
Agenda
OMB M-04-04 and NIST 800-63 Overview
Experian and Symantec
Risk-Based Authentication and ID Proofing
Case Studies
SSA
DrFirst
Summary
OMB M-04-04 E-Authentication Guidance
Electronic authentication (E-Authentication) is the process of establishing confidence in identities presented remotely over an open network to an information system.
OMB M-04-04 defines four levels of identity assurance for electronic transactions requiring authentication, where the required level of assurance is defined in terms of the consequences of authentication errors and the misuse of credentials.
Level 1 – Little or no confidence in the asserted identity
Level 2 - Some confidence in the asserted identity
Level 3 - High confidence in the asserted identity
Level 4 - Very high confidence in the asserted identity
© 2010 Experian Information Solutions, Inc. All rights reserved.
3
Experian Public.
OMB M-04-04 E-Authentication Guidance
Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.
1.Conduct a risk assessment of the online system.
2.Map identified risks to the applicable assurance level.
3.Select technology based on e-authentication technical guidance.
4.Validate that the implemented system has achieved the required assurance level.
5.Periodically reassess the system to determine technology refresh requirements.
© 2010 Experian Information Solutions, Inc. All rights reserved.
4
Experian Public.
Mapping Impact to Applicable Assurance Level

Assurance Level Impact


Profiles






Potential Impact Categories for
1
2
3
4
Authentication Errors




Inconvenience, distress or damage to standing
Low
Mod
Mod
High
or reputation









Financial loss or agency liability
Low
Mod
Mod
High





Harm to agency programs or public interests
N/A
Low
Mod
High





Unauthorized release of sensitive information
N/A
Low
Mod
High





Personal Safety
N/A
N/A
Low
Mod




High
Civil or criminal violations
N/A
Low
Mod
High





© 2010 Experian Information Solutions, Inc. All rights reserved.
5
Experian Public.
NIST Special Publication SP 800-63-1
Electronic Authentication Guideline
A companion to OMB M-04-04, which provides technical guidelines for Federal agencies to allow an individual to remotely authenticate his/her identity over an open network to a Federal IT system.
NIST SP 800-63 defines technical requirements at the four assurance levels in the areas of :
identity proofing and registration
tokens
management processes
authentication protocols
assertions
© 2010 Experian Information Solutions, Inc. All rights reserved.
6
Experian Public.
Multi-Factor Authentication
A combination of two or more authentication factors (tokens)
Something You
Something You
Something You
Know
Have
Are
Username/Passwords
Hardware OTP Token
Fingerprint
Mother’s Maiden Name
Digital Certificate
Iris Pattern


Smart Card


© 2010 Experian Information Solutions, Inc. All rights reserved.
7
Experian Public.
7
NIST SP 800-63 Technical Guidelines
Levels 1 - 4
Technical Guidelines
1.Little or no confidence that the asserted identity is valid.
2.Some confidence that the asserted identity is accurate.
3.High confidence that the asserted identity is valid.
4.Very high confidence that asserted identity is valid.
ƒIdentity Proofing not required
ƒSingle Factor Authentication
ƒPIN or Knowledge-based Password
ƒOnline verification of identity elements.
ƒSingle Factor Authentication
ƒPIN or Knowledge-based Password
ƒIdentity proofing either in-person or online
ƒOnline verification of identity elements andfinancial account information
ƒMulti-Factor Authentication
ƒPKI digital signature
ƒBiometrics
ƒMulti-factor Hardware token
© 2010 Experian Information Solutions, Inc. All rights reserved.
8
Experian Public.
Experian/Symantec Partnership
Experian is an industry leader in Fraud and Identity Verification solutions, with comprehensive consumer and business databases.
Symantec is a certified provider of authentication solutions for Federal government agencies and organizations needing to interoperate securely with the Federal government.
Symantec provides both managed Public Key Infrastructure (PKI) services and in-the-cloud One-Time-Password Validation services supporting multiple hardware and software token types.
Experian and Symantec have collaborated to provide a comprehensive suite of identity proofing and authentication services that supports the National Institute of Standards and Technology’s (NIST) Electronic Authentication Guideline (Special Publication 800-63).
© 2010 Experian Information Solutions, Inc. All rights reserved.
9
Experian Public.
Risk-Based Authentication and ID Proofing Overview
IDENTITY PROOFING AND NIST SP 800-63:
APPLICATIONS IN HEALTHCARE
© 2010 Experian Information Solutions, Inc. All rights reserved.
10
Experian Public.
What and why risk-based authentication?
Definition
Holistic assessment of a subject and transaction with the end goal of applying proportionate authentication and decisioning treatment
Core value propositions
Efficiency in process and transactional cost
Risk-assessment performance lift over traditional binary rule sets and policies
Customer / subject user experience
Evolutionary adoption of emerging technologies and data assets
Flexibility and interoperability with core platforms and third party partners
© 2010 Experian Information Solutions, Inc. All rights reserved.
11
Experian Public.
What and why risk-based authentication?
Widely-adopted as a best practice in account opening and account management markets
Card issuers
Demand deposit accounts
Personal loans
Mortgage
Gaining broader acceptance


eGovernment
Telecommunications and utilities
Automotive
Healthcare
eCommerce
© 2010 Experian Information Solutions, Inc. All rights reserved.
12
Experian Public.
Comprehensive data to enable on-line ID Proofing
Unparalleled depth and breadth of information


ƒ 27 million active companies
ƒ 425 million vehicles in U.S. & Canada

ƒ Greater than 100 million credit lines
ƒ Title, registration, mileage and key events

ƒ 48 million public records


ƒ 10.2 million collection experiences


ƒ 15 million tax identification numbers
Automotive
Business
ƒ 48 million SIC codes

ƒ235 million consumers;
113 million households
ƒ1,000 demographic attributes
ƒ3.2 million births annually
ƒ16 million moves annually
ƒ20 million new homeowners
ƒ3,200 public and proprietary sources
ƒ100 million subscriptions
ƒ650+ psychographics
Consumer Customer Market
demographicsresearchand lifestyles
Online Transactions
ƒSyndicated research: 30,000 consumers annually; 60,000 data variables
ƒ35 million double opt-in consumer panel 8,000 brands; 450 product categories
ƒMedia viewer-ship across all media
ƒ25 million Internet users
interacting with one million Web sites
ƒ15 million email addresses
ƒ3.6 million businesses
ƒ110 million catalog buyers
ƒ61 million magazine subscriptions
© 2010 Experian Information Solutions, Inc. All rights reserved.
13
Experian Public.
Balance competing forces and resource constraints
Calibrate via detailed output and decisioning
‘More dials to turn’







ra
te
s






l






a






v






ro






p






p






a
























flexible decisioning strategies
detailed authentication results
targeted analytics and performance monitoring
breadth of data
r is k
m
i t ig
a t i on
Compliance (NIST 800-63)
© 2010 Experian Information Solutions, Inc. All rights reserved.
14
Experian Public.
Broader risk-based strategy
KBA as part of an overall fraud process, aiding in both preventing fraud
and reducing manual intervention
On-boarding or



Authentication



account management


scores



authentication process point
Identity element



Referred inquiry processed
match results



Authentication
Accept / refer
through Precise IDSM


detail records

decision

V




i
High-risk fraud



Precise IDSM


a
shield indicators









results and decision


Share application







cross checks




No




Accept
Out-of-wallet questions delivered
Accept
No
Additional
decision

to consumer via Knowledge IQSM
decision

treatment








Process on-boarding and transaction request
Precise IDSM and Knowledge IQSM results archived and monitored for performance
© 2010 Experian Information Solutions, Inc. All rights reserved.
15
Experian Public.
SSA Case Study
IDENTITY PROOFING AND NIST SP 800-63:
APPLICATIONS IN HEALTHCARE
© 2010 Experian Information Solutions, Inc. All rights reserved.
16
Experian Public.
SSA Case Study
Overview
SSA has an internal goal of increasing access of information and services via on-line channel to relieve increasing load on phone and field office resources.
ƒID Proofing of individuals required for SSA on- line account
ƒSSA leverages internal data sources and processes
ƒExperian e-Authentication will augment current SSA processes as part of new initiative
ƒRisk based approach utilizing Precise ID and Knowledge IQ
© 2010 Experian Information Solutions, Inc. All rights reserved.
17
Experian Public.
SSA Case Study
Experian and SSA
Experian and SSA continue to work collaboratively towards definition, development and integration of optimal ID proofing solution. Efforts include:
ƒConsulting support on cross-industry best practices and adapting them for SSA needs
ƒFocus on Level 2 and Level 3 NIST requirements
ƒCustom development to support specific SSA requirements
ƒOn-going performance monitoring and continual process improvement
© 2010 Experian Information Solutions, Inc. All rights reserved.
18
Experian Public.
SSA Case Study
E-Authentication Two-Factor Work Flow
2 6
3
12
1
9
8
513
1011
1User enters name, address and credit card number
2Input data passed to Precise ID & Credit Card Verification
3Precise ID authenticates & verifies credit card
4Results passed to Agency application
5Solution evaluates results, passes user based on decision criteria
6If decision to proceed to OOW question, send request to Knowledge IQ
7KIQ generates OOW questions
8Questions passed to Agency application
9User is prompted to answer questions
10If Solution passes question response to Knowledge IQ
11Knowledge IQ evaluates the answers
12Knowledge IQ passes result to Agency application
13Solution evaluate results, passes or fail user
© 2010 Experian Information Solutions, Inc. All rights reserved.
19
Experian Public.
DrFirst Case Study
IDENTITY PROOFING AND NIST SP 800-63:
APPLICATIONS IN HEALTHCARE
© 2010 Experian Information Solutions, Inc. All rights reserved.
20
Experian Public.
DrFirst Case Study
Overview
DrFirst had a need for a two-factor authentication solution which meets NIST SP 800-63-1 assurance requirements and Drug Enforcement Administration regulations.
ƒID Proofing of physicians for ePrescribing eligibility
ƒDEA requires level 3 NIST assurance
ƒExperian and Symantec partner to providetwo-factor authentication solution to meet NIST level 3
ƒRisk based approach utilizing Precise ID, Knowledge IQ, financial account verification and OTP
© 2010 Experian Information Solutions, Inc. All rights reserved.
21
Experian Public.
DrFirst Case Study
Experian, Symantec and DrFirst
© 2010 Experian Information Solutions, Inc. All rights reserved.
22
Experian Public.
DrFirst Case Study
Experian, Symantec and DrFirst
ƒExperian and Symantec continue to work collaboratively with DrFirst to provide:
Consulting support on cross-industry best practices and adapting them for DrFirst needs
On-going performance monitoring and continual process improvement
ƒThis process will deliver a reusable NIST Level 3 identity authentication solution for healthcare and other applications!
© 2010 Experian Information Solutions, Inc. All rights reserved.
23
Experian Public.
© 2010 Experian Information Solutions, Inc. All rights reserved.

Comments

  1. Finn JordanJanuary 9, 2023 at 10:05 PM

    Thanks for sharing your ideas and thoughts! Fully-automated identity verification, results in seconds. Scale with user demand by removing the requirement for agent and in-person identity verification. If you need more information about please click on Identity Verification.

    ReplyDelete

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

Image
Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
Read more

SOAPUI - import certificate

Image
Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
Read more

Session Timeout in Oracle Access Manager

Image
Session Timeout in Oracle Access Manager (OAM) The session lifetime and Idle timeout entries control how long a user's session is valid. In OAM, a user session is an object which represents an authenticated user. This object is stored in the server memory and if Database session persistence is enabled, this object is stored or available in the database. Each session is unique and is identified by both a userid and Session ID (session identifier), see screenshot below "OAM User Session Management".  A valid session means a user has been authenticated with OAM. A session can have following three states: 1) active 2) inactive 3) expired When a session is created it is in active state and is available as an object in the OAM. After a set time - idle timeout, the session moves or transitions to inactive state. And finally after the Session Lifetime time, the session is marked as expired. Expired sessions are removed from server memory. Read more about Session Lifetime
Read more