There’s a lot of talk about getting rid of passwords and issuing high-assurance identity credentials for accessing information. A major stumbling block in this equation, however, is getting those credentials into the hands of consumers.
Prevailing wisdom suggests that asking consumers to go to a physical location to apply for credentials is out of the question, and even if they would, it would be incredibly time consuming and costly.
Instead, many sites are starting to use step-up authentication. This enables a consumer to use an identity they already have – Google, Facebook, Twitter, etc. – answer some questions and have an increased level of assurance associated with the credential at the various relying parties that opt to accept it.
The basic idea is to enable customers to do simple things without much of a hassle, but as the risk level goes up so must the assurance of the identity. “Step-up is about offering higher levels of security and low levels of annoyance for users,” says Mary Ruddy, research director at Gartner. “Instead of having the person do lots of work up front you let people come in and do simple things, and then if they want to do something sensitive, ask for more information.”
Case study: ID.me
ID.me uses step-up authentication to grant higher levels of assurance for its users, says Matt Thompson, COO at the digital credential provider. It’s one of three companies – along with Verizon and Symantec – approved to offer level one through three, non-PKI credentials for use on federal government sites.
The company started out verifying benefits for veterans, enabling them to be identified at web sites and receive discounts without having to give up any more data than necessary. Later, they expanded the offering enabling students, teachers and first responders to apply and receive discounts. Recently, the company opened the credential to anyone. To date, ID.me has issued more than 1 million credentials, and consumers can use it for services from discounted online shopping to accessing secure government web services.
“We started by enabling people to prove a specific attribute in exchange for a discount and benefit,” Thompson explains. “Now we’ve expanded the network of where people can use ID.me and it’s not just around Veteran’s Affairs.”
A $1.2 million grant from the National Strategy for Trusted Identities in Cyberspace enabled ID.me to open up the site and add the identity assurance element, Thompson says. Members have the option of whether to step up their identity with the site.
What the individual wants to do with the credential will dictate the level of assurance, Thompson says. “Making a purchase or verifying you’re a veteran will be different than someone needing a level-three credential for access to a government site,” he adds.
Here’s how step-up authentication commonly works. A consumer accessing a site that requires a high-assurance credential first chooses a credential provider. For example, if an ID.me credential is chosen and they don’t already have a credential, they are asked to pick a user name and password.
An email is then sent to the user for confirmation. The user clicks on the link to validate the email address and is taken to a page where they are prompted for more information: name, address, date of birth and other basic demographic data.
In order to get the higher assurance credentials the individual must also provide a Social Security number and credit card number. Once that information is verified – and as long as the identity hasn’t been flagged – a series of knowledge-based questions are generated from data in the individual’s credit report.
If the knowledge-based questions are answered correctly, the user can then set up multi-factor authentication, Thompson explains. The individual provides a phone number to receive either texts or calls with one-time passwords for use during future transactions.
When returning to the site that consumes the newly issued high-assurance credential, the individual enters their user name and password and receives a one-time password for multi-factor authentication.
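The enrolment and step-up flow described above, modelled as an added example (this is illustrative code, not ID.me's): each proofing step may only run once the previous one has succeeded, a flagged identity stops the process, and a relying party decides whether to allow an action, ask for step-up, or require the one-time password. The mapping of steps to assurance levels (email confirmed = level 1, identity data plus KBA = level 2, enrolled phone OTP = level 3) is an assumption for the example, since the article does not spell it out.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    LEVEL1 = 1  # password account with a confirmed email address (assumed mapping)
    LEVEL2 = 2  # identity data verified and KBA questions answered (assumed mapping)
    LEVEL3 = 3  # LEVEL2 plus an enrolled phone for one-time passwords (assumed mapping)


@dataclass
class Credential:
    email_verified: bool = False
    identity_verified: bool = False  # name/address/DOB, SSN and card checked
    flagged: bool = False            # identity flagged during verification
    kba_passed: bool = False
    otp_enrolled: bool = False

    def assurance(self) -> Assurance:
        if self.flagged or not self.email_verified:
            return Assurance.NONE
        if not (self.identity_verified and self.kba_passed):
            return Assurance.LEVEL1
        return Assurance.LEVEL3 if self.otp_enrolled else Assurance.LEVEL2


# Prerequisite for each proofing step, in the order the article describes.
PREREQS = {
    "verify_email": lambda c: True,
    "verify_identity": lambda c: c.email_verified,
    "answer_kba": lambda c: c.identity_verified and not c.flagged,
    "enroll_otp": lambda c: c.kba_passed,
}
EFFECT = {"verify_email": "email_verified", "verify_identity": "identity_verified",
          "answer_kba": "kba_passed", "enroll_otp": "otp_enrolled"}


def step_up(cred: Credential, step: str, succeeded: bool) -> Credential:
    """Apply one proofing step; refuse steps attempted out of order."""
    if not PREREQS[step](cred):
        raise PermissionError(f"{step} attempted before its prerequisites")
    if succeeded:  # a failed step leaves the credential unchanged
        setattr(cred, EFFECT[step], True)
    return cred


def decide(cred: Credential, required: Assurance, otp_verified: bool) -> str:
    """Relying-party decision: allow, ask the user to step up, or deny."""
    if cred.flagged:
        return "deny"
    if cred.assurance() < required:
        return "step-up"
    if required >= Assurance.LEVEL3 and not otp_verified:
        return "otp-required"
    return "allow"
```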
ID.me aims for transparency when consumers are using the credential on other sites as well. When a relying party requests use of the credential a window pops up letting the consumer know exactly what information is being requested. Even ID.me does not know what transactions are being performed with the credential.