IAL2 Evidence Validation and Identity Verification #1958

Open
regenscheid opened this issue Feb 10, 2020 · 0 comments

This one has been discussed before, but I wanted to capture it here.

The evidence validation and identity verification requirements at IAL2 are unclear, particularly as they relate to the use of a driver's license photo. I see this issue came up in the public comments (see #582), but I don't see a clear resolution.

At IAL2, validating evidence documents at STRONG implies both:

  1. authenticating the document either cryptographically or by inspecting physical anti-counterfeiting features, and
  2. verifying "all personal details and evidence details" with an authoritative source.

I don't see how either of these is practically satisfied with the "driver's license/selfie comparison" scenario envisioned at IAL2. I don't see how you can meaningfully validate anti-counterfeiting security features by looking at a regular photo/scan of a license from an untrusted end-user device. And, I believe it's understood that you're not going to get digital driver's license photos from authoritative sources.

It appears that, in practice, item 1) is largely ignored, and item 2) is met on a subset of personal details that do not include the photograph.

Identity verification via a selfie, then, occurs against an unverified photograph off an unverified identity document.

If that's right, it seems the driver's license-- and particularly the photograph-- are providing little value in this process.

I'm not suggesting that we should strengthen either of those requirements. It seems unrealistic to think you can strongly validate a driver's license from a photo. It also seems unrealistic to think you could verify photographs against an authoritative source, at least for a large segment of the population.

So, I'm suggesting we consider whether photo/biometric comparison should even be required at IAL2 (and, perhaps even more controversially, the driver's license scan as a whole). Perhaps there are other procedures/processes that mitigate the need for this (which may already be in -63-3).

In practice, it seems like identity verification at IAL2 is largely assured through address confirmation. Maybe that's enough.

@jimfenton jimfenton added the 63A label May 1, 2020