Monday, July 2, 2012

Mobile Device Remote Identity Proofing - Part 5 final thoughts


X.  Token activation

With all of the required elements in place, all that is left to do is deal with the physical representation of the identity.  The federal government is currently both the largest issuer and the largest relying party in the trusted identity ecosystem.  Programs like the Defense Department's Common Access Card (CAC), the Department of Homeland Security's Transportation Worker Identification Credential (TWIC), and the Federal Standard FIPS 201 Personal Identity Verification (PIV) credential all have one thing in common: they require a physical token in the form of a smart card.  A smart card is a plastic card with one or more embedded microchips that can be loaded with data, which in turn can be secured with a Public Key Infrastructure (PKI) certificate or similar technology.  This brings us full circle to the ownership issue.  A physical manifestation of the identity can be seen as a security liability, since the risk of losing the token is inherent in any token-based program.  Despite this, current convention favors token-based programs.

It is not currently feasible, either technologically or economically, to use the mobile device directly to activate an external token; the device itself must fulfill that function.  This concept presupposes the phone in the role of a token.  To truly put identity management in the hands of John Q. Public, we must find a new, cost-effective way to support current IdM programs by greatly reducing or eliminating the hardware-intensive infrastructure they currently require.  Because a secure connection between the mobile device and the back-end systems, including the certificate authority (CA), is inherent in the system architecture, it is not necessary to expound on the activation methodology for the device-as-token scenario.  For activation of tokens other than the mobile device, the first premise to explore is leveraging the “sync with my PC” capability of smartphones: the synced phone provides the application, while the PC serves in a limited role, supplying the network connection and the attachment points for peripherals such as smart card readers, USB flash drives and other potential token variants.
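The device-as-token activation that the paragraph above leaves unexpounded, as an added example that is not part of the original post: the phone generates a key pair that never leaves it, sends a certificate signing request (CSR) over the secure back-end channel, the CA checks the proof of possession and issues a certificate binding the claimant's name to that key, and a relying party later verifies the certificate chain and a signed one-time challenge. Everything here is constructed for illustration: the CA name, the claimant name and the nonce are placeholders, Ed25519 is used for brevity where the federal programs named above use RSA or ECDSA keys, and the CA is assumed to have already completed the identity-proofing steps from the earlier parts before it issues.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceToken models the phone as the token: its key is generated on the device and never leaves it (on a real handset, in secure hardware).
type DeviceToken struct{ key ed25519.PrivateKey }

// NewDeviceToken generates the device key pair and a CSR naming the claimant; the CSR's self-signature is the proof of possession the CA checks.
func NewDeviceToken(claimant string) (*DeviceToken, []byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: claimant}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return &DeviceToken{key: key}, csr, err
}

// SignChallenge answers a relying party's one-time nonce with the device key.
func (d *DeviceToken) SignChallenge(nonce []byte) []byte { return ed25519.Sign(d.key, nonce) }

// CA is the issuing authority reached over the secure back-end channel.
type CA struct {
	key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// issue signs tmpl under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed issuing CA (the name is a placeholder for this example).
func NewCA() (*CA, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, pub, key)
	return &CA{key: key, Cert: cert}, err
}

// Activate is the token-activation step: check the CSR signature (the requester
// really holds the private key), then issue a certificate binding the claimant to it.
func (c *CA) Activate(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return issue(tmpl, c.Cert, csr.PublicKey, c.key)
}

// VerifyChallenge is the relying-party check: the certificate must chain to the
// trusted CA, and the nonce signature must verify under the key it certifies.
func VerifyChallenge(trustedCA, cert *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("challenge signature invalid")
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	dev, csr, _ := NewDeviceToken("John Q. Public")
	cert, _ := ca.Activate(csr, 2)
	nonce := []byte("constructed nonce; a real relying party draws it from crypto/rand")
	fmt.Println("genuine:", VerifyChallenge(ca.Cert, cert, nonce, dev.SignChallenge(nonce)))
	fmt.Println("replayed:", VerifyChallenge(ca.Cert, cert, []byte("next nonce"), dev.SignChallenge(nonce)))
}
```

The second line printed by main shows why the challenge must be a fresh nonce each time: a signature captured from one session does not verify for the next one, so a stolen response is worthless without the key, and the key stays on the handset. Two checks do the security work: the CA refuses a CSR whose signature does not verify, so nobody can obtain a certificate for a key they do not hold, and the relying party refuses a certificate that does not chain to the CA it trusts, so a certificate minted by anyone else, however well-formed, is rejected before the signature is even examined.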

XI. Policy

In theory, current technology supports all of the elements required for identity proofing in a remote or “mobile” environment, in a cost-effective manner.  Truly widespread implementation will likely require changes to the currently accepted policy models.  For example, if capturing the information that supports a claimant’s identity is no longer the impediment, perhaps it is time to change the assurance model to one based on the number and type of witnesses to the initial claim.  Under this model the lowest level of assurance would be assigned to an identity established remotely and witnessed by a non-credentialed individual.  A moderate level of assurance would be based on the “witnessing” of the claim by an individual holding a credential at the level being requested or higher.  A high level of assurance would be based on the “witnessing” of a specifically designated credentialed authority.  This would in essence be the modern digital equivalent of the traditional notary public.

With the more difficult issue, creation of the claimant’s profile, settled, the comparatively easy step of binding the claim to the individual can be addressed.  There are both established precedents and regulatory guidance for this step of the process: basic documentation proving citizenship for a passport or eligibility for a driver’s license; I-9 documentation for employment eligibility; the more stringent PIV-I requirements; or the detailed PIV requirements combining breeder documents, knowledge-based quizzes and background investigations.

Once again, camera technology and current application capabilities allow a document such as a driver’s license, passport, birth certificate or other identity document to be captured at a resolution that permits optical character recognition.  This speeds the process flow and lessens the data exchange requirements between the mobile registration device and the processing program.

XII. Conclusion 

More than 88% of consumers have made purchases online, spending more than 142 billion dollars in 2010, with a 14% year-over-year increase continuing through the second quarter of 2011 (comScore, Inc., 2011).  Within a few years this trend will represent hundreds of billions of dollars of transactions conducted with the barest of security protections.  The logical prophylactic against a multibillion-dollar fraud epidemic is biometrics.  Because they are based on physiological or behavioral characteristics, biometrics are distinctive and attributable to specific individuals.  Unlike the ubiquitous PIN and password security that is commonplace in the United States, biometrics carry a higher level of trust in information assurance.

It is evident that cell phone technology itself is mature enough to meet the requirements of the emerging need for strong general-purpose identity management programs.  The computer age has ushered in an era where our identities, and the most intimate and valued attributes associated with them, are immediately accessible twenty-four hours a day, seven days a week.  Unfortunately, we are still guarding our most valued possession with the equivalent of an old skeleton key.  With a little work that single key can open every door in our virtual house.  That house needs to be a vault, with a strong identity backed by personal biometrics as the only key.  Regardless of the threats, and the validity of the solutions, the one obstacle that technology cannot overcome is the mindset of the American individual.

Works Cited – Complete Paper

(2012). The Histories of Polybius published in Vol. III of the Loeb Classical Library edition. In Polybius, The Roman Military System. New York City, United States of America: New York Times Company.

Ashbourn, J. (2000). Biometrics: advanced identity verification. In J. Ashbourn, Biometrics: advanced identity verification (pp. 4-7). London, United Kingdom: Springer-Verlag.

Bronstein, A. M., Bronstein, M. M., & Kimmel, R. (2004). Three-Dimensional Face Recognition. Technion, Israel Institute of Technology, Department of Computer Science. Kluwer Academic Publishers.

Clausen, S., & Christie, N. W. (2005). Live Finger Detection. IDEX ASA. Fornebu, Norway: IDEX ASA.

comScore, Inc. (2011, August 8). comScore Reports $37.5 Billion in Q2 2011 U.S. Retail E-Commerce Spending, Up 14 Percent vs. Year Ago. Retrieved March 1, 2012, from comScore, Press & Events :

Creamer, D. (2006). Understanding Resolution and the meaning of DPI, PPI, SPI, & LPI. Retrieved May 30, 2012, from 

(1966). In G. Deleuze, Bergsonism (H. Tomlinson, & B. Habberjam, Trans.). New York, New York: Zone Publishing Inc.

FBI Biometric COE. (2010, April 27). FBI Biometric Specifications FAQ. Retrieved May 31, 2012, from FBI Biometric Center of Excellence:

Foresman, C. (2012, March 2). Innovation or hype? Ars examines Nokia's 41 megapixel smartphone camera. Retrieved March 5, 2012, from Ars Technica:

Indovina, M., Hicklin, R. A., & Kiebuzinski, G. I. (2011). Evaluation of Latent Fingerprint Technologies: Extended Feature Sets [Evaluation #1]. U.S. Department of Commerce, National Institute of Standards and Technology. Washington D.C.: US Government Printing Office.

Jain, A. K., Flynn, P., & Ross, A. A. (2008). Handbook of Biometrics. New York, NY, USA: Springer Publishing Company.

Jain, A., Hong, L., & Pankanti, S. (2000, February). Biometric identification. (W. Sipser, Ed.) Communications of the ACM, 43, pp. 91-98.

Javelin Strategy & Research. (2012, February). ITAC Research and Statistics. Retrieved June 5, 2012, from ITAC:

Lee, S., Lee, C., & Kim, J. (2008). Image Preprocessing of Fingerprint Images. Biometrics Engineering Research Center at Yonsei University., Korea Science and Engineering Foundation, Seoul, Korea.

NIST. (2003, February 11). Both Fingerprints, Facial Recognition Needed to Protect U.S. Borders. Retrieved March 5, 2012, from NIST; Public and Business Affairs:

Ortega-Garcia, J., Bigun, J., & Reynold, D. (2004). Authentication Gets Personal with Biometrics; Increasing security in DRM systems through biometric authentication. IEEE Signal Processing Magazine, 1053-5888 (04).

Schmandt-Besserat, D. (1977, June). The Earliest Precursor of Writing. Scientific American, 238 (June), pp. 50-58.

Sinha, P., Balas, B., Ostrovsky, Y., & Russell, R. (2006). Face Recognition by Humans: Nineteen Results All Computer Vision Researchers Should Know About. Proceedings of the IEEE, 94 (11), 1957.

Wing, B. (2011). Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information. US Department of Commerce, National Institute of Standards and Technology. Gaithersburg: US Government Printing Office.
