usnistgov/800-63-3

IAL2 Evidence Validation and Identity Verification

Opened this issue · 0 comments

regenscheid commented

This one has been discussed before, but I wanted to capture it here.

The evidence validation and identity verification requirements at IAL2 are unclear, particularly as they relate to the use of a driver's license photo. I see this issue came up in the public comments (see #582), but I don't see a clear resolution.

At IAL2, validating evidence documents at STRONG implies both:

  1. authenticating the document either cryptographically or by inspecting physical anti-counterfeiting features, and
  2. verifying "all personal details and evidence details" with an authoritative source.

I don't see how either of these is practically satisfied with the "driver's license/selfie comparison" scenario envisioned at IAL2. I don't see how you can meaningfully validate anti-counterfeiting security features by looking at a regular photo/scan of a license from an untrusted end-user device. And, I believe it's understood that you're not going to get digital driver's license photos from authoritative sources.

It appears that, in practice, item 1) is largely ignored, and item 2) is met on a subset of personal details that do not include the photograph.

Identity verification via a selfie, then, occurs against an unverified photograph off an unverified identity document.

If that's right, it seems the driver's license-- and particularly the photograph-- are providing little value in this process.

I'm not suggesting that we should strengthen either of those requirements. It seems unrealistic to think you can strongly validate a driver's license from a photo. It also seems unrealistic to think you could verify photographs against an authoritative source, at least for a large segment of the population.

So, I'm suggesting we consider whether photo/biometric comparison should even be required at IAL2 (and, perhaps even more controversially, the driver's license scan as a whole). Perhaps there are other procedures/processes that mitigate the need for this (which may already be in -63-3).

In practice, it seems like identity verification at IAL2 is largely assured through address confirmation. Maybe that's enough.