Protecting High Assurance Commercial Identity Providers

The first Shared Signals Proof of Concept project has successfully concluded in the UK. The report (OIX Shared Signals Proof of Concept) was published by the Open Identity Exchange this week.

Digidentity, UK Post and Confyrm have been working on a Proof of Concept project (an “Alpha Project” for those of you in the UK Verify programme) to provide support for identity alerts for IDPs in the UK Verify identity scheme.

Marcel Wendt from Digidentity appreciates the complexity and cost of running a high assurance identity service. “With threats from data breach continuing to increase, Digidentity – in common with other IdPs – believes that new models of systemic fraud protection are critical in enhancing security for both users and other providers. These initial trials provide strong validation for the shared signals approach, and we’re excited to continue to participate with Confyrm and others in improving online safety for all.”

This has been the culmination of a huge amount of work starting nearly four years ago with the publication of the original white paper “The Shared Signals Model”. Since that time, two additional OIX Discovery Projects have been run with participation from Experian, Mydex, Verizon, Digidentity, UK Post and Telesign, and several additional reports and white papers have been produced, including Reducing Fraud and Improving Online Safety Through IDP Signal Sharing.

Principles agreed upon during those discovery projects included requirements for data minimization, consumer privacy protection, IDP and relying party brand protection, closed user groups to facilitate controlled sharing of signals, and real-time alerting capabilities to support identity fraud use cases.

The follow-on Proof of Concept project was the first opportunity we had to demonstrate integration between commercial identity providers utilizing a signal manager.

Although we have over 20 use cases for sharing identity signals, we started from scratch with Digidentity and UK Post to identify and address areas of fraud that could not be handled in any other way. The selected use cases addressed fraud based on Registration Velocity across IDPs, and Account Takeover leading to potential creation of a “Ghost Identity” at a different IDP.

The two use cases were selected on the basis of the following criteria:

  • An IDP must be able to practically generate the event associated with the signal
  • Requisite information to make the signal useful to a recipient must be available and shareable
  • A signal recipient (another IDP) must be able to receive the corresponding signal
  • The information provided to the recipient must allow action to be taken in response to receipt of the signal

The PoC demonstrated integration with the Confyrm Signal Manager APIs, creation of new event and signal types, appropriate, data-minimizing protected payloads, and end-to-end generation of events and multicasting of signals. The Confyrm Sygnal Manager infrastructure has been running as a live service since late September 2015.

The full report on the environment, use cases, signal types and participant experiences is available via the Open Identity Exchange (OIX).

So what are the takeaways …

  • Lightweight, privacy preserving identity signals do support new classes of fraud detection and prevention
  • The Confyrm Sygnal Manager provides the policy and distribution support to ensure controlled sharing of alerts
  • Some classes of fraud cannot be addressed effectively without sharing information within an identity ecosystem, but signal sharing addresses them
  • Additional use cases that deal with fraud and auditable operational requirements have emerged that are candidates for a second phase of testing

Unfortunately, timing did not allow everyone who was interested to integrate with the signal manager, but another participant class called observers was created, and Experian, Telesign, Verizon, GB Group, Barclays and the UK Government Digital Services (GDS) actively contributed. These folks have shown strong support for participating in a second phase of PoC testing … stay tuned …
