CESG publishes identity proofing guidelines

Once a digital identity has been issued, unless its attributes include biometrics, there is nothing that specifically ensures that the digital identity is owned and used by the individual to whom it pertains. The issue for both business and government is that if one person can impersonate another (real or fictitious) during the process of acquiring a digital identity, that person will subsequently be able to gain access to systems and data that he or she is not authorized to access.

Identity proofing is the process of assuring that a digital identity is granted only to the real-world individual it purports to identify. CESG, the UK’s technical authority for information assurance, together with the Cabinet Office, has now published a good practice guide (GPG) on the Identity proofing and verification of an individual.

The guide provides four separate levels or degrees of proofing. Level 1 requires no actual proof of identity, merely confirmation of a relationship between the applicant and the claimed identity via a unique identifier.

Level 2 proofing requires further evidence that “supports the real world existence and activity of that identity.” Here, the additional presentation of one or more utility bills with the applicant’s name and address would support real world existence and activity. In legal terms, this level of proofing provides sufficient confidence for it to be offered in support of civil proceedings.

Level 3 adds the requirement to physically identify the applicant as the real world person to whom the identity belongs (for example, with a driver’s license with photograph). The whole process must comply with the identity checking requirements of The Money Laundering Regulations 2007; the identity must be delivered into the hand of the applicant; and the identity must be in the full official name of the applicant (pseudonyms and aliases are not permissible). This level of proofing provides sufficient confidence for it to be offered in support of criminal proceedings.

Level 4 proofing is “intended for those persons who may be in a position of trust or situations where compromise could represent a danger to life.” It requires “a Biometric that was captured at registration,” cryptographic protection, and “security features that requires Proprietary Knowledge and Proprietary Apparatus to be able to reproduce it.”

Such general guidance is necessary because, as the guide states, there is no “single official or statutory issued document whose primary purpose is that of identifying an individual.” Had the previous administration’s plans for a national identity card proceeded, proofing (probably to Level 4) could have been done just once centrally, and the subsequent ID card used to provide proof on all subsequent occasions. Without that ‘statutory attribute,’ this guide “is designed to demonstrate how a combination of the breadth of evidence provided, the strength of the evidence itself, the validation and verification processes conducted, and a history of activity can provide various levels of assurance around the legitimacy of an identity.”
