The SAFE-BioPharma Identity Proofing Process

The SAFE-BioPharma Identity Proofing Process

Author of Record SWG (Digital Credentials)

October 3, 2012

Peter Alterman, Ph.D.

Chief Operating Officer, SAFE-BioPharma Association

U.S. Government Standards / NIST SP 800-63-1

– Satisfies both Federal Bridge “Medium” requirements and FICAM Trust Framework LOA-3 Requirements for Identity Proofing

– Remote, online, compliant identity proofing using KBA– Extended proofing through Online Antecedent method ties applicant

back to a prior legal, in-person proofing event such as a mortgage application. Method approved by US Federal PKI Policy Authority.

2

Steps 1 & 2

Identity Verification

User asserts identity information (Name, Address, Phone, SSN, DLN, DoB, Medical License Number, etc)

Verify the information provided through record checks either with the applicable agency or institution or through credit bureaus or similar databases

Confirm that Name, DoB, address and other personal information in records are consistent with the asserted information and sufficient to identify a unique individual.

3

Steps 1 & 2

Verify that the identity elements provided by the user match those of a real, legal identity verified through trusted data sources.

Identify at least one antecedent record matching the minimum criteria for an In-Person Identity Proofing antecedent.

Verify that the identity elements provided by the user match those provided by a trusted data source.

4

Steps 1 & 2

Verify that the users SSN exists in public records AND SSN is not deceased AND the last name matches the address

Public and Private database records are searched to verify the identity of the user, as well as community specific (SAFE for example) sources such as: – DEA Controlled Substance License Databases– State Medical License Databases

.

5

Step 3

Identity Authentication Quiz

Generate a KBA quiz based on facts obtained about the user from the public and private databases

The KBA quiz consists of a series of random, multiple choice questions derived from “non-wallet” based data using public and private historical antecedent database records.

Advanced analytics are used to select questions from different domains and sources.

As a result, these questions have a high likelihood of only being correctly answered only by the proper individual.

6

Step 3

KBA Configuration Customer Selection

Minimum Number of Questions displayed 5

Minimum Number of Reserved Questions 2

Minimum Number of multiple choice answers displayed per question 5

Minimum Number of correct Questions which must be answered correctly to pass

4

Maximum Number of attempts to correctly answer KBA 2

Maximum Timeout parameter 5 minutes

Example of KBA quiz parameters – which can be customized for the client:

7

Step 4

Determine Risk

Provide an a “pass” or “fail” score based on the responses to the KBA questions based on the clients parameters

Return as part of the transaction:

– a unique transaction ID number, which ties back to the data used to verify the identity, the results of the verification process, and the results of the authentication quiz

– The date and time of the KBA Retain the The transaction ID number, the results of the verification process, and the results of the authentication process, the verification data sources as stated in the CP (10 1/2 years)

8

NIST 800-63-1 Guideline

The Electronic Authentication Guideline standard states in 6.3.1 Requirements per Assurance Level

“In some contexts, agencies may choose to use additional knowledge based authentication methods to increase their confidence in the registration process. For example, an Applicant could be asked to supply non-public information on his or her past dealing with the agency that could help confirm the Applicant’s identity.”

Only LOA-1, LOA-2 and LOA-3 allow for remote identity proofing

9

Remote Proofing via Enhanced KBA Advantages

Simplify the identity proofing process

Deliver a positive user experience

Enhance security by enabling scalable and easy-to-implement identity proofing

Reduce fraud and associated costs through an enhanced user verification process (e.g. data is validated against trusted sources)

Avoid privacy concerns that result when personal information is requested from users

10

For Further Information

Peter Alterman, Chief Operating Officer: PAlterman@safe-biopharma.org

Gary Wilson, Head, Technical Programs and Operations: Gwilson@safe-biopharma.org

11