09 Sep 2019
Session Block—Standards and Applications 14:40 - 15:00

Remote identity vetting techniques are important to ensure that relying parties are enrolling the right individual during the enrollment stage. For consumer identity management systems, there has been a traditional reliance on the use of knowledge based authentication (KBA) systems to complete the know your customer (KYC) process.There are many problems with the use of KBA for user identification and enrollment in the age of massive data breaches and social networks. Static KBA methods are losing their effectiveness to identify legitimate people as opposed to fraudsters. 

In order to improve on the accuracy of static KBA methods, the industry has shifted into the use of Dynamic KBA methods. The idea here is to rely on more recent and changing information about individuals to solve the main issues of static KBA where the information tends to be commonly known and stale. The problem with dynamic KBA is it intrudes in principle on the privacy of individual whereby companies start building profiles about those individuals without the upfront consent and participation of the affected individuals. 

Current identity systems expect people to correctly answer questions relate d to a model that is built about them without their consent and active participation. The models do not allow for adjustments due to errors, effect of identity theft on individuals and miss information. In short, these approaches are inducing friction to users and are easily defeated by fraudsters. Using static or dynamic KBA for account protection leads to severe security limitations. Account takeover is a real problem for those systems that rely on user name and password for basic security. However, even with technologies such as Fast Identity Online (FIDO) that eliminates the need of using password for authentication, the need for strong privacy enhancing identity vetting is a must. The advent of decentralized identity systems coupled with distributed ledger technologies provide a real opportunity to help companies solve the identity vetting problem in a privacy enhancing and interoperable fashion. In this presentation, we take a closer look on how new standards that are being developed at organizations such as W3C could be used to enable an echo system of trusted relationships to balance the playing field where individuals play an active role in asserting their identities online. 

The presentation will look at circles of trust based on the use of verifiable claims (self sovereign) identity, distributed ledgers and industry specific coalitions to create foundation of privacy enhancing vetting systems. Examples of how these new methods are being used today in the health care industry will be presented.

Senior Security Advisor


Discussion not started yet.