Identity Verification for People w/o Paper Trail (Open Discussion)
Session Topic: How do we authenticate w/o a paper trail?
Convener: Chris Papazian, Yoz
Notes-taker: Sarah Allen
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Many systems are built around challenge questions that rely on information about buying a house, having multiple permanent addresses, etc. There are people who don’t have that history. How do we verify them?
How do you do identity verification for new immigrants or other people without financial history?
UK Government — (Link coming soon) gov.uk working on an online identity verification system, historical the UK government
Texas allows 6 forms of identification to get a voter ID card; however, people who are new to this country may have none of them
In the US, we typically assume that people have:
a single, exact birth date
name that conforms to first name & last name
take an online persona and match them to a real-world identity
Consider alternate real-world authentication?
such as: real-life in-person verification
Is it ok if one person creates multiple accounts? for buying a house, sure. For a gun registry, that would be a problem.
- banks use this to verify identity
- was fully breached and all of the data was taken — all that data is now in the wild
Another use case IDP (Identity Provider)
want to know that I’m taking to the same person that created the account — biometrics are perfect for this, since you can’t lose that like a password
I don’t actually need to know your true identity
“abidingness” is more important than identity, it’s tough to be anonymous and non-ephemeral
not we require another channel in addition to a password (email or cell phone)
calculations: 200 friends, had the account for 10 years, some score that its a legitimate identity
Voting needs to be anonymous, but also secure and provable
in Arizona you can look up voter record by voter ID or driver’s license
Levels of Establishing Trustworthy Accounts
Self-attested (enter your own data)
KBA - knowledge based authentication
Social Scoring or Account Consolidation (Klout, TrustCloud, LendDo, length of time? # friends?)
External Validation (miCard, or verification of deposit in an account - prove you have that acct)
Sponsored Member or Employee Accounts
Identity Proofing to get an Account (show up in person with evidence of paper trail)
it’s like the problem where spam email is more email than real email
there was an idea about “proof of work” — where you would have to do something computationally intensive to send an email
the levels about are identity verification is based on proof-of work
could create a distributed system where local governments verify that someone is a real per on
Could we have some organization that is non-profit and trusted by the people? you go there and they take your fingerprint and they give you a cryptographic ID that you can use, they don’t reveal your fingerprint. That org could verify that the IDs were unique.
new crypto algorithm LRSW - person sets up their identity, then organizations verify something about that identity
Pseudonym Systems, Lysyanskaya, Rivest, Sahai, Wolf, MIT LCS paper
Oakland and NY, EBT cards (cash cards) incent someone to retain one identity
16,000 years of human interactions, if I was a shopkeeper, I know whether to trust someone because I recognize them and pattern of interactions — certain pattern of speech, look a certain way
BC government has done a lot of work on these issues. Population that loses their ID cards. Biometrics is a photograph. They have a chip-enabled ID card. Chip is a random number. If you lose it then it gets turned off. Thought through use cases for marginalized populations. A unique identifier for each system — linked to an individual identity.
polymorphic identification — one card, diff IDs for diff systems
Can you assert the unique ID? (or do you care who this person actually is)
Can you recover the ID? (how important is persistence?)
Can you rotate your credential?
Can you have privacy through pari-wise identifiers?
New York City did a trial where people had to check into a homeless shelter.
They goal was to study the length of the average stay. (3 days, only 5% chronically return)
You need someone to vouch for the people who no one will vouch for — you need a social organization or government organization.
Concept of vouching
I know someone who is ok, so I am ok
People vouching for people. Could work for undocumented people. Immigrants or homeless.
Could there be an internet-equivalent of a notary?
We don’t need a situation where people trust the government? Instead the government needs to know that it can trust a particular person. However, this is a very narrow sense of trust — have you received these benefits before? Are you a veteran?
There are ways to imagine this being solved by personal cloud. Your personal cloud knows your birthday and will tell the store you are over 21 so you can buy alcohol, without revealing my birthday.
The block chain (like bitcoin), append only, distributed, encrypted.
When I am born, that fact is logged and encrypted and I’m the only one who can de-crypt it. I can give select people a secret decoder ring to decrypt that piece of personal data and they could verify it.