Identity & Access Forum Fall Market Snapshot: NIST’s Evolving Digital Identity Guidelines, Momentum for Mobile Driver’s Licenses and Healthcare Identities


REDWOOD CITY, Calif., Sept. 09, 2024 (GLOBE NEWSWIRE) -- The Identity and Access Forum, a nonprofit association focused on the convergence of identity and access and organized under the auspices of the Secure Technology Alliance, today announced its fall market snapshot. It provides perspectives on the latest developments in the sector including NIST’s evolving digital identity guidelines, momentum for mobile drivers’ licenses and more that were shared during its members-only meeting in August.

NIST’s Evolving Digital Identity Guidelines
Keynote speaker Ryan Galluzzo, NIST’s Digital Identity Program Lead, provided a preview of the soon-to-be-published second public comment draft of the fourth revision of the Digital Identity Guidelines, SP 800-63-4.

He highlighted Syncable Authenticators as one important addition amongst many in the latest update. These are software or hardware cryptographic authenticators for which authentication keys can be exported to other storage and synced to other authenticators/devices. The guidance will provide requirements and considerations for the use of these multifactor authentication technologies to replace passwords and better protect against phishing and replay attacks. “We want to open the door to some of the few phishing-resistant options, like passkeys, as an allowable form of identity at AAL2 that agencies can now deploy at scale for consumers,” said Galluzzo. Since AAL3 still prohibits the export of keys, the maximum achievable AAL for syncable authenticators is AAL2, he added, noting this does not make them suitable for higher security authentication use cases.

Other topics of note include a revamped risk management process and assurance level selections, and a new organization of proofing rules by type of identity. The four identity types are remote unattended (traditional automated proofing), remote attended (video-based proofing), onsite attended (traditional in-person identity proofing) and onsite unattended (kiosk-based without agent). “We structured all requirements around identity proofing to four types of identity to make sure we have clear pathways agencies can take for different ways to deploy identity proofing,” he said.

Interested parties can watch for the second comment draft publication announcement on the NIST Identity and Access Management web page.

With more issuers greenlighting mobile driver’s licenses, focus switches to new use cases
The consensus on the mobile driver’s licenses (mDLs) panel was that issuing authorities are committed, consumers are on board and the industry must now turn its attention to education, communication and developing programs with relying parties.

AAMVA’s representative reported a further uptick in momentum among license-issuing jurisdictions in recent months, with 28 of its 69 jurisdictions (including Canada) already issuing mDLs or implementing their programs. Almost all of the others have at least initiated legislative and/or study activity, leaving only a handful with no publicly stated activity. The IAF’s mDLConnection implementation map shows that 40% of the U.S. population have an mDL, often referred to as a digital identity, available to them.

Both the IAF’s mDL Jumpstart Committee and AAMVA are working to develop additional use cases with relying parties. The IAF published an mDL use case template to guide relying parties through the requirements and processes for accepting mobile driver’s licenses. In the coming months, working groups plan to use the template to publish use cases including casino and gaming; mobile KYC and onboarding; banking and FIs; age verification for alcohol; and retail and payment.

“Online fraud will be a big driver of adoption,” predicted David Kelts, a mobile identity expert and co-chair of the mDL Committee.

His co-chair colleague, Mark Dale of XTec, also forecasts that the IAF mDL Technical Integrations Working Group, which helps coordinate collaborative industry efforts for testing, certification and implementation guidance, will attract new members as stakeholders start to work through the implementation requirements and challenges for the different mDL use cases.

Identity in healthcare
Preventable medical errors are the third leading cause of death in the U.S. according to research from the Johns Hopkins University School of Medicine. This is due in large part to identity problems causing incomplete, poorly coordinated and delayed access to an individual’s medical information and history at the time and point of care, according to Linda Van Horn, CEO of iShare Medical and member of four ANSI healthcare identity standards bodies.

Matching patients based on patient name and date of birth does not work, Van Horn maintains. She cited a study in one Texas county where of the 2,488 people named Maria Garcia, 231 had the same date of birth. The same study showed that roughly 70,000 identity pairs shared the same names and dates of birth. The root of the problem is that, faced with too many possible matches in the admission process, the common practice is to create a new duplicate identity.

The problem this creates is that healthcare professionals don’t have access to accurate information about patient histories, which leads to medical errors. “Data should be moving at the speed of care in real time when attending healthcare professionals need it. That’s just not happening,” said Van Horn.

The industry is responding with DirectTrust, a non-profit organization that creates standards for digital healthcare identities bound to a Real ID-proofed identity that can be used for authentication and interoperability, enabling a real-time exchange of accurate healthcare information between authenticated caregivers.

Public trust and ethical use of identities
A common theme at the event was the responsibility of industry stakeholders to ensure the public’s trust and corporate responsibility in the use of digital identities, verification methods and the use of people’s data.

Working toward these goals in Canada, more than 85 public and private organizations are collaboratively involved in the Digital ID and Authentication Council of Canada (DIACC). Joni Brennan, the organization’s executive director, stressed that words matter, and communications and education are essential. Their research showed that while only 14 percent of Canadians did not know what a digital wallet was, 50 percent were not familiar with the term digital ID and 70 percent wanted to know more about it. To accelerate adoption, the DIACC established the Pan-Canadian Trust Framework (PCTF), a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada.

In the United States, a group of industry leaders have formed the International Biometrics Industry Association (IBIA) to advance the adoption and responsible use of technologies for managing human identity. Rob Tappan, executive director of the IBIA, said the member-driven organization focuses on public policy and strives to create a code of ethics to allow the industry to self-govern and grow in ways that enhance security while ensuring privacy, productivity and convenience for individuals, organizations, and governments. He also stated that while individual state efforts to establish personal information privacy standards are a good start, what the United States really needs to make digital identity privacy protection work is a uniform, 50-state approach with one law, not a patchwork of different standards.

Neville Pattinson, head of digital identity strategy at Thales, chair of IBIA’s board of directors and a former executive chairman of the STA, stressed that digital identities are essential to affirming someone is who they say they are in our digitally interconnected world. In his view, trust begins with standards for acceptable breeder documents to affirm an identity. Once created, digital identities require machine-verifiable, authentic, tamper-proof credentials that also protect an individual’s PII against misuse throughout their lifecycle.

The moderator of the session, Teresa Wu, vice president of smart credentials for IDEMIA, stressed the importance of the industry to self-govern the ethical use of the fast-moving development of identity technologies. Industry stakeholders need to reset their trust level standards above and beyond the baseline requirements to maintain consumer confidence, she stated.

Resource recap
Only six months after its inaugural event, the Identity and Access Forum has already created a number of white papers and executive briefs, including:

  • mDL Infographic. Answers consumer questions about trust, reliability and privacy in a sharable, one-page view. It resolves the concerns we all share about mDL.
  • Device Identification and Authentication (white paper). The consistent and reliable identification of a consumer’s device and association of that device to the legitimate consumer are key tools in creating a more secure environment for online commerce.
  • mDL Use Case Template (white paper and guideline). A roadmap for relying parties who are interested in accepting mobile driver’s licenses to improve efficiency, security and convenience in the use of identities. A companion to the Secure Technology Alliance’s white paper, “The Mobile Driver’s License and Ecosystem.”

Coming soon are two executive briefs to help educate stakeholders on hot topics in identity and access:

  • What is Identity Assurance? (executive brief)
  • Digital ID vs. Digital Identity (executive brief)

Additionally, the latest white paper from the U.S. Payments Forum, The Role of Mobile IDs in Payments, is a valuable resource for IAF members and the community.

Organizations, associations, government agencies and individuals interested in participating in upcoming Identity and Access Forum projects can learn more online. Your participation and interest are welcome!

By joining the Secure Technology Alliance, members will have access to activities within the Identity and Access Forum, the U.S. Payments Forum and additional Alliance working committees.

About the Identity and Access Forum
The Identity and Access Forum is a cooperative, cross-industry body dedicated to advancing the adoption and development of secure identification including physical and logical access. Through the collaborative efforts of a diverse group of stakeholders and the publication of educational resources, the Forum advocates for market adoption of trusted, user-centric and interoperable digital identities to ensure safe and seamless access to services across all interactions. Areas of focus are identity credentials such as mobile drivers’ licenses and IDs for provisioning, IoT security and access control, among others. The organization operates within the Secure Technology Alliance, an association that encompasses all aspects of secure digital technologies.

About the Secure Technology Alliance
The Secure Technology Alliance is the digital security industry’s premier association. Through its U.S. Payments Forum, Identity and Access Forum and its collaborative working groups, the Alliance fosters open dialogue among industry stakeholders to explore and develop secure technology innovations in the payments, identity and access markets. By collaborating on education and guidance, the Alliance helps enable efficient, timely and effective implementation of large-scale, disruptive technologies.

Contact
Sherlyn Rijos-Altman
Montner Tech PR
203-226-9290
srijos@montner.com