Identity Attestation involves the creation and maintenance of a permanent record of the evidence supporting a person’s claim of identity. That record accompanies the identity claim any time it is asserted in authentication, signing, sharing of encryption keys, or whenever a level of confidence in that identity claim is needed.
The reliability of the claim of identity of an employee, contractor, supplier, etc. is established through the gathering of various forms of Evidence of Identity (EOI), and through their willingness to swear an Oath of Identity. The Identity Attestation session is recorded and retained by the Attestation Officer as a permanent record.
Attestation Services are performed by an experienced Remote Online Notary (RON) who has passed Authenticity University’s Attestation Officer training and certification program using a particular set of standards. The principal sets of standards are NIST 800-63-3 Digital Identity Guidelines and Osmio IDQA (IDentity Quality Assurance).
The various parties that rely on an identity claim (“relying parties”) will have differing identity quality requirements. As an example, the required minimum identity quality score for a customer service rep will typically be lower than that required for a member of the organization’s treasury staff.
The product of the session is a NIST 800-63-3 or Osmio IDQA identity quality record that is sworn by both the Attestation Officer and the affiant (person swearing an oath), that is, the person with the identity claim.
NIST 800-63-3 Digital Identity Guidelines call for a resulting score of 1, 2 or 3, while Osmio IDQA scores consist of eight component scores, each on a scale of 0-9, for an aggregate score of 0-72. Typically, Osmio IDQA scores accompany an X.509 digital identity certificate and corresponding PEN (private key), enabling certificate authentication without passwords, digital signing, and secure sharing of symmetric encryption/decryption keys.
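The scoring model above, as an added example that is not code from Osmio or the attestation service: it validates an eight-metric Osmio IDQA record (each component 0-9), computes the 0-72 aggregate, and checks it against a relying party's minimum. The metric names for 1, 2, 6, 7 and 8 and the per-role thresholds are placeholders, since the page does not give them.

```python
# Added example: validate an Osmio IDQA record and test it against a
# relying party's minimum aggregate score. Not the service's own code.

# Metric names taken from the page where given; the rest are unnamed placeholders.
METRIC_NAMES = {
    1: "Metric 1",
    2: "Metric 2",
    3: "Quality of Authoritative Attestation",
    4: "Variety of Means of Assertion",
    5: "Quality of Other Attestations",
    6: "Metric 6",
    7: "Metric 7",
    8: "Metric 8",
}
SCORE_MIN, SCORE_MAX = 0, 9
AGGREGATE_MAX = SCORE_MAX * len(METRIC_NAMES)  # 72

# Constructed relying-party policy: hypothetical minimum aggregate per role.
ROLE_MINIMUMS = {"customer_service_rep": 30, "treasury_staff": 55}


def validate_record(scores: dict) -> dict:
    """Return a copy of a complete, in-range record, or raise ValueError."""
    missing = sorted(set(METRIC_NAMES) - set(scores))
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    extra = sorted(set(scores) - set(METRIC_NAMES))
    if extra:
        raise ValueError(f"unknown metrics: {extra}")
    for metric, value in scores.items():
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"metric {metric}: score must be an integer")
        if not SCORE_MIN <= value <= SCORE_MAX:
            raise ValueError(f"metric {metric}: {value} outside {SCORE_MIN}-{SCORE_MAX}")
    return dict(scores)


def aggregate(scores: dict) -> int:
    """Aggregate IDQA score (0-72) of a validated record."""
    return sum(validate_record(scores).values())


def meets_requirement(scores: dict, role: str) -> bool:
    """True if the record's aggregate reaches the relying party's minimum for the role."""
    if role not in ROLE_MINIMUMS:
        raise KeyError(f"no policy for role {role!r}")
    return aggregate(scores) >= ROLE_MINIMUMS[role]
```

The same record can therefore satisfy one relying party and fall short for another, which is the situation the paragraph describes.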
Identity Quality consultants from a CAO partner organization, Reliable Identities, Inc., will assist the client organization in identifying which internal and external groups need what level of identity quality. Reliable Identities will then set up shared calendars where the affected personnel will schedule Attestation sessions, with higher required scores calling for longer sessions.
Personnel are then directed to use the shared calendar to schedule an appointment with their designated Attestation Officer, and are given instructions on what will be required of them during the appointment. It is explained to them that the session will require some disclosure of personal information, but that after the disclosure and the recording of Identity Quality scores, all personal information will be deleted unless they choose to have the Attestation Officer keep an encrypted record of the session in strict confidence, so that it will later be easier to recreate a credential if it is lost or stolen. This is an extra-cost service.
Before the appointed time, the person whose identity claim is being attested (the “Affiant”) is asked to complete an email and SMS verification procedure of the type that is familiar to users of subscription-type websites. The resulting pre-verified email address and phone number become the first part of the Attestation record.
At the time of the appointment, the Affiant is brought to a recorded online video session with the appointed Attestation Officer. The session begins with traditional identity verification procedures, where the Affiant is asked to present the front and back of a government-issued identity credential to their webcam. Still images of those are captured and added to the Attestation record. Depending upon the target Identity Quality score, the Affiant may then be asked to authenticate to various websites, including banking sites. After each authentication (so that passwords etc. are not exposed), the Affiant is asked to go to a page that shows their name on the account and then to share their screen with the Attestation Officer, who takes a screenshot. If the Osmio IDQA system is being used, the results of these sessions are used by the Attestation Officer to assign a score between 0 and 9 in Metric 1 and Metric 5 (“Quality of Other Attestations”). If the credential being used is a physical token such as a USB or cryptocurrency wallet, or an Osmio VRD wallet, the Affiant is asked to hold the device up to the webcam, and a screenshot of the device is taken by the Attestation Officer in order to generate a score between 0 and 9 for Osmio IDQA Metric 6. The Affiant is asked to authenticate to websites using different authentication standards such as FIDO, OpenID, etc. and to share the screen, whereupon the Attestation Officer assigns a score of 0-9 on Osmio IDQA Metric 4 (“Variety of Means of Assertion”). If the credential uses an X.509 identity certificate, the Attestation Officer will direct the Affiant to display the certificate contents, which will reveal the name of the certification authority. Using a table of CA quality scores, the Attestation Officer will assign a score of 0-9 on Osmio IDQA Metric 3 (“Quality of Authoritative Attestation”).
The Attestation Officer then generates an Affidavit of Identity and asks the Affiant to read it, then raise their right hand and recite an oath stating that they have read the affidavit and that all of the information in it is true. The Affiant then digitally signs the affidavit using a supplied private key, or signs it using the PEN accompanying their own X.509 identity certificate once the following step is complete.
When the NIST 800-63-3 or Osmio IDQA record is complete, the Attestation Officer asks the Affiant to specify the disposition of the EOI records: either 1) permanently delete them; 2) generate an encryption key, encrypt them, send the encrypted file to the Affiant, and then permanently delete the original; or 3) save the files and the encryption key to facilitate generating a new credential should the original be lost or stolen. The Attestation Officer then either deletes, or encrypts and saves, the EOI file, at the direction of the Affiant.
If the purpose of the session includes generating an X.509 identity certificate and accompanying Osmio IDQA record, the Attestation Officer will generate and digitally sign a CSR (certificate signing request) and send it to the Osmio VRD certification authority or other certification authority for signing of the resulting X.509 identity certificate. In that case the Affiant will have generated the asymmetric key pair on their device and will have shared the PCN (Personal Certification Number, or “public key”) with the Attestation Officer.
The interview process with an Attestation Officer varies depending on the level of review required. The target length of the interview can be confirmed as part of the planning process. By using a remote online process through trained RON Attestation Officers, we can complete the process on a more timely basis than a physical face-to-face meeting allows.