Overview of NIST Workshop: Applying Measurement Science in the Identity Ecosystem
Written by Paul Caskey, Internet2
The NIST Workshop: “Applying Measurement Science in the Identity Ecosystem,” took place in Gaithersburg, MD in January and provided a forum for discussion around a breakdown of the various components of assurance, focusing on three main areas:
- Identity Verification
- Authentication
- Attribute Metadata
The goal of the workshop was to explore ways of making assurance more measurable by decomposing assurance into the above broad categories. Each category was first introduced and the relative problem spaces explored by a panel of experts. This panel discussion was then followed by open group discussion in smaller breakout groups. Each breakout group was facilitated by a NIST representative.
The identity verification category focuses on how to break down traditional notions of identity verification/vetting. How can this be decomposed? Aspects of this category which were explored included:
- What source documents were used?
- Was vetting done in person and, if not, was video used?
- What other documents were used?
- Which financial/utility accounts were used and how were they verified?
- How long are the records stored?
As one might expect, discussions on authentication quickly gravitated towards the use of multi-factor authentication. Legacy authentication methods seem to be reaching the end of their utility. But what does the term ‘multifactor’ mean to relying parties? How can the federal PIV cards be used universally for this purpose? What other technologies are available? How can we allow for innovation?
Attribute metadata was clearly the most controversial of the discussion areas. The proposal aims to develop a set of metadata around attributes that detail the provenance of the attribute, its lifespan, how often it is refreshed, and so on. The controversy centered around who is going to take on the responsibility of maintaining this data. Typical HR departments are not concerned about these issues and will be extremely reluctant to take on the burden of maintaining this metadata. It was clear that most everyone could see the benefit of having such metadata, but the maintenance burden is not trivial.
Overall, this was an excellent workshop. NIST is to be commended for bringing this group of people together and for providing a forum that encouraged open discussion. It is clear that traditional monolithic levels of assurance have not been very successful in the marketplace and that something different must be done. Decomposing those levels into various measurable sub-components is an admirable approach to the problem and NIST seems very energized to do something in that space.