Identity Assurance Services For Preventing Identity Theft Bob Pinheiro Robert Pinheiro Consulting...

Post on 16-Jan-2016


Identity Assurance Services For Preventing Identity Theft

Bob Pinheiro Robert Pinheiro Consulting LLC

bp@bobpinheiro.com

Types of Identity Theft Considered

• Someone impersonates you to access existing accounts/resources
  – Example: break-in to online bank/financial accounts using stolen passwords or other credentials
• Use of stolen credit card numbers or bank account numbers to make fraudulent purchases
• Someone impersonates you to create new accounts
  – Example: obtain new credit cards, loans, cell phone accounts using your identity

Does the SP Know It’s You?

• Someone impersonates you to access existing accounts/resources
  – Service Provider knows you
  – Service Provider or trusted IdP has issued credentials / tokens for authentication
• Use of stolen credit card numbers, bank account numbers to make fraudulent purchases
  – Difficult to know if person using credit card numbers, bank account numbers online is authorized to do so
• Someone impersonates you to create new accounts
  – Service Provider doesn’t necessarily know you
  – Identity claimed using Personally Identifiable Information (PII)
  – Service Provider can’t easily authenticate a claim of identity

Key Assumption

• A Liberty-accredited IdP/CSP has issued High Assurance digital identity credentials / tokens to you
  – For authentication to existing accounts
  – Trust relationship established between SP/RP and IdP/CSP
  – The SP/RP can locate the IdP/CSP in several possible ways:

The Identity Provider Discovery Problem (from Concordia Website)

• The user tells the RP
• The RP is pre-configured to know the IdP
• The RP communicates with a separate service that asks the user
• The client device tells the RP
• The client device is synonymous with the IdP (e.g., self-asserted cards or self-hosted IdPs)
• The client device serves as a proxy for the IdP, removing the need for direct RP communication with the IdP (e.g., managed cards)

Goal

Use these same digital identity credentials for identity authentication when there is no existing relationship between an identity claimant / new account applicant and a Service Provider.

Two Advances Needed

• Establish trust relationship between SP/RP and IdP/CSP “on the fly”
  – Via a brokered trust model using an IdP/CSP intermediary?
• Ability to discover IdP/CSP on the basis of Personally Identifiable Information (PII) used to establish an identity claim.

Diagram: Identity assurance service flow

Actors: Service Provider / Relying Party; Discovery Service; Federation of Accredited IdPs (Issuing Identity Provider, Contracting Identity Provider, Other IdPs); External Data/Information Sources.

1. Establish business relationship with Contracting IdP
2. Enroll, Provide PII, Documentation
3. Verification of PII, documentation
4. Issue Credentials, Tokens
5. Register identity assurance service for this identity and Assurance Level
6. Request Service, Provide PII
7. Locate IdP for this identity
8. Authentication request
9. Authenticate
10. Identity assertion
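The flow in the diagram above, as an added simulation that is not part of the slides: a discovery service keyed on a salted hash of normalised PII (steps 5 and 7), an accredited IdP that authenticates and asserts (steps 8 to 10), and an RP that accepts a new-account identity claim only when the IdP registered for that PII vouches for it at a sufficient assurance level. All names, keys and PII values are constructed, and a federation-distributed HMAC key stands in for the signature a real identity assertion would carry.

```python
import hashlib, hmac, json

def pii_key(pii):
    # Discovery indexes a salted hash of normalised PII rather than the raw PII
    canon = json.dumps({k: v.strip().lower() for k, v in pii.items()}, sort_keys=True)
    return hashlib.sha256(b"constructed-salt|" + canon.encode()).hexdigest()

class DiscoveryService:                      # step 5 registers, step 7 locates
    def __init__(self): self.registry = {}
    def register(self, pii, idp_id, subject, level): self.registry[pii_key(pii)] = (idp_id, subject, level)
    def locate(self, pii): return self.registry.get(pii_key(pii))

class IdentityProvider:                      # steps 8-10; HMAC stands in for a real signature
    def __init__(self, idp_id, credentials, key): self.idp_id, self.credentials, self.key = idp_id, credentials, key
    def authenticate(self, subject, credential, audience):
        if not hmac.compare_digest(self.credentials.get(subject, ""), credential):
            return None
        body = json.dumps({"iss": self.idp_id, "sub": subject, "aud": audience}, sort_keys=True)
        return body, hmac.new(self.key, body.encode(), "sha256").hexdigest()

class RelyingParty:                          # step 6: new-account applicant presents PII
    def __init__(self, rp_id, discovery, federation, min_level):
        self.rp_id, self.discovery, self.federation, self.min_level = rp_id, discovery, federation, min_level
    def open_account(self, pii, credential):
        found = self.discovery.locate(pii)
        if found is None:
            return "unregistered"            # no accredited IdP vouches for this PII: manual proofing
        idp_id, subject, level = found
        if level < self.min_level:
            return "level_too_low"
        idp, verify_key = self.federation[idp_id]   # trust brokered through the federation
        result = idp.authenticate(subject, credential, self.rp_id)
        if result is None:
            return "auth_failed"             # PII is known, but the applicant cannot authenticate as its owner
        body, sig = result
        claims = json.loads(body)
        good_sig = hmac.compare_digest(sig, hmac.new(verify_key, body.encode(), "sha256").hexdigest())
        if not good_sig or claims["aud"] != self.rp_id or claims["iss"] != idp_id:
            return "bad_assertion"
        return "accepted"

def run_scenario():                          # constructed sample data: one IdP, one enrolled user, one RP
    key = b"constructed-federation-key"
    idp = IdentityProvider("idp.example", {"alice": "alice-credential"}, key)
    disc = DiscoveryService()
    alice = {"name": "Alice Example", "dob": "1980-01-01", "ssn_last4": "1234"}
    disc.register(alice, "idp.example", "alice", level=3)
    rp = RelyingParty("bank.example", disc, {"idp.example": (idp, key)}, min_level=3)
    return {"legitimate": rp.open_account(alice, "alice-credential"),
            "impersonator": rp.open_account(dict(alice, name=" ALICE EXAMPLE "), "guessed"),
            "unknown": rp.open_account({"name": "Bob", "dob": "1990-02-02", "ssn_last4": "9999"}, "x")}
```

The impersonator case is the one the slides are concerned with: the applicant holds the victim's PII, so discovery still finds the registered IdP, but the account is refused because the applicant cannot authenticate to that IdP.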