Connecting Consumers: Common Framework for Networked Personal Health Information

CT2: Authentication of Consumers

This practice area addresses the following Connecting for Health Core Principles for a Networked Environment*:
6. Data Quality and integrity
7. Security safeguards and controls
* "The Architecture for Privacy in a Networked Health Information Environment," Connecting for Health, June 2006. Available at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.

Appendix E: EAF/EAP Levels

The following is a very brief description of the E-Authentication Federation (EAF) among U.S. government agencies and its companion organization for private sector organizations, the E-Authentication Partnership (EAP). Please refer to the EAF home page (http://www.cio.gov/eauthentication/) for comprehensive documents and updates.

The National Institute of Standards and Technology (NIST) has documented EAF policies, standards, practices, and technology.

The EAF is designed to create a trust infrastructure for authenticating individuals who wish to connect to Internet-based services from federal agencies. The EAP, which licenses EAF standards, is a partnership attempting to enable interoperability for electronic authentication among public and private sector organizations. The EAF is further developed than the EAP, and for simplicity, we will refer to EAF for the rest of this discussion.

Joining the EAF requires Credential Service Providers and Relying Parties to agree to use the components of the infrastructure, to abide by the Business Rules and Operating Rules, and to comply with the requirements of the appropriate documents, such as NIST SP 800-53 or NIST SP 800-63.

Credential Service Provider
– An organization that offers one or more credential services (i.e., proofs and provides credentials to individuals).
Relying Party
– A person or agency that relies on the credentials issued by a Credential Service Provider.

There are many technology, security, privacy, business, and operating requirements for all participating organizations covered by the suite of documents and components used to guide the implementation of the EAF. The following discussion will focus on those specific to identity proofing and credentials of individual users.

Relying parties within the EAF self-assess the risk associated with reliance upon e-authentication credentials. (See Electronic Risk and Requirements Assessment (e-RA). Accessed online on May 9, 2007, at: http://www.cio.gov/eauthentication/era.htm.) Based upon this risk assessment, the relying party chooses which of four designated levels of authentication stringency will be required for accessing one or more of its online resources such as web sites, applications, or information.

Level 1 has no level-specific requirements for proofing or issuance (and thus does not have a section in the chart below). This level can be employed when the Relying Party does not have a need to ascertain the identity of the person accessing a resource. The consumer employs self-assertion, and she may employ a pseudonym. Due to the lack of identity proofing, the low level of security provided by Level 1 authentication is inappropriate for use in facilitating access to personal health information.

Proofing Requirements Under EAF

The table below summarizes the requirements of Levels 2-4. (Table is adapted from NIST Special Publication 800-63, Version 1.0.2, Electronic Authentication Guideline, April 2006. Accessed online on May 9, 2007, at: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf.) Both in-person and remote identity proofing methods are permitted for Levels 2 and 3. Explicit requirements are specified for each scenario in Levels 2 and 3. Only in-person initial proofing is permitted at Level 4.

Level 2

Basis for issuing credentials
  In-Person: Possession of a valid current primary Government Photo-ID that contains applicant's picture and either address of record or nationality (e.g., driver's license or passport).
  Remote: Possession of a valid Government ID (e.g., a driver's license or passport) number and a financial account number (e.g., checking account, savings account, loan, or credit card) with confirmation via records of either number.

Registration Authority Actions (Proofing)
  In-Person: Inspects Photo-ID, compares picture to applicant, records ID number, address, and DoB. If ID appears valid and photo matches applicant, then:
    1. If ID confirms address of record, authorizes or issues credentials and sends notice to address of record; or
    2. If ID does not confirm address of record, issues credentials in a manner that confirms the address of record.
  Remote: Inspects both ID number and account number supplied by applicant. Verifies information provided by applicant including ID number or account number through record checks either with the applicable agency or institution, or through credit bureaus or similar databases, and confirms that: name, DoB, address, other personal information in records are on balance consistent with the application and sufficient to identify a unique individual.
    Address confirmation and notification:
    1. Sends notice to an address of record confirmed in the records check; or
    2. Issues credentials in a manner that confirms the address of record supplied by the applicant; or
    3. Issues credentials in a manner that confirms the ability of the applicant to receive telephone communications or e-mail at number or e-mail address associated with the applicant in records.

Level 3

Basis for issuing credentials
  In-Person: Possession of verified current primary Government Photo-ID that contains applicant's picture and either address of record or nationality (e.g., driver's license or passport).
  Remote: Possession of a valid Government ID (e.g., a driver's license or passport) number and a financial account number (e.g., checking account, savings account, loan, or credit card) with confirmation via records of both numbers.

Registration Authority Actions (Proofing)
  In-Person: Inspects Photo-ID and verifies via the issuing government agency or through credit bureaus or similar databases. Confirms that: name, DoB, address, and other personal information in record are consistent with the application. Compares picture to applicant, records ID number, address, and DoB. If ID is valid and photo matches applicant, then:
    1. If ID confirms address of record, authorizes or issues credentials and sends notice to address of record; or
    2. If ID does not confirm address of record, issues credentials in a manner that confirms address of record.
  Remote: Verifies information provided by applicant including ID number and account number through record checks, either with the applicable agency or institution, or through credit bureaus or similar databases, and confirms that: name, DoB, address, and other personal information in records are consistent with the application and sufficient to identify a unique individual.
    Address confirmation:
    1. Issues credentials in a manner that confirms the address of record supplied by the applicant; or
    2. Issues credentials in a manner that confirms the ability of the applicant to receive telephone communications at a number associated with the applicant in records, while recording the applicant's voice.

Level 4

Basis for issuing credentials
  In-Person: In-person appearance and verification of two independent ID documents or accounts, meeting the requirements of Level 3 (in person and remote), one of which must be current primary Government Photo-ID that contains applicant's picture and either address of record or nationality (e.g., driver's license or passport), and a new recording of a biometric of the applicant at the time of application.
  Remote: Not applicable.

Registration Authority Actions (Proofing)
  In-Person:
    • Primary Photo-ID: Inspects Photo-ID and verifies via the issuing government agency, compares picture to applicant, records ID number, address, and DoB.
    • Secondary Government ID or financial account:
      1. Inspects Photo-ID and, if apparently valid, compares picture to applicant, records ID number, address, and DoB; or
      2. Verifies financial account number supplied by applicant through record checks or through credit bureaus or similar databases, and confirms that: name, DoB, address, other personal information in records are on balance consistent with the application and sufficient to identify a unique individual.
    • Records Current Biometric - Records a current biometric (e.g., photograph or fingerprints) to ensure that applicant cannot repudiate application.
    • Confirms Address - Issues credentials in a manner that confirms address of record.
  Remote: Not applicable.
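
The Level 2-4 proofing requirements above can be applied as a check run against a record of what the Registration Authority actually did. The following Python code is an added example, not part of the original framework document or of NIST SP 800-63; the ProofingRecord fields, the label strings, and the function names are assumptions made for illustration, and the sample record is constructed.

```python
from dataclasses import dataclass

# Strength of the Photo-ID check, weakest to strongest (labels are this example's own).
PHOTO_ID_RANK = {"none": 0, "inspected": 1, "verified": 2, "verified_by_issuer": 3}
REMOTE_ADDRESS_CHECKS = ("notice", "issuance", "phone", "phone_recorded", "email")

@dataclass
class ProofingRecord:
    in_person: bool
    photo_id: str = "none"              # in-person: a key of PHOTO_ID_RANK
    numbers_confirmed: int = 0          # remote: how many of (Government ID no.,
                                        # financial account no.) were confirmed via records
    second_id_or_account: bool = False  # Level 4: second independent ID or account checked
    biometric_recorded: bool = False    # Level 4: biometric captured at application
    # How the address of record was confirmed: "notice", "issuance", "phone",
    # "phone_recorded" (call with the applicant's voice recorded), "email", or "none".
    address_check: str = "none"

def proofing_level(r: ProofingRecord) -> int:
    """Highest EAF level (1-4) whose proofing requirements the record satisfies."""
    if r.in_person:
        rank = PHOTO_ID_RANK.get(r.photo_id, 0)   # unknown label fails closed
        if rank < 1 or r.address_check not in ("notice", "issuance"):
            return 1                              # Level 1: no proofing requirements
        if rank < 2:
            return 2                              # Photo-ID inspected, not verified
        if (rank == 3 and r.second_id_or_account and r.biometric_recorded
                and r.address_check == "issuance"):
            return 4
        return 3
    # Remote proofing: Level 4 is never reachable.
    if r.numbers_confirmed < 1 or r.address_check not in REMOTE_ADDRESS_CHECKS:
        return 1
    if r.numbers_confirmed == 2 and r.address_check in ("issuance", "phone_recorded"):
        return 3                                  # both numbers + stricter address check
    return 2

def meets(r: ProofingRecord, required_level: int) -> bool:
    """Relying Party check: does this proofing satisfy the level it chose?"""
    return proofing_level(r) >= required_level

# Constructed sample: remote applicant, both numbers confirmed, address confirmed by e-mail.
sample = ProofingRecord(in_person=False, numbers_confirmed=2, address_check="email")
print(proofing_level(sample), meets(sample, 3))
```

The sample shows the distinction the tables draw between Levels 2 and 3 for remote proofing: confirming both numbers is not enough for Level 3 when the address was confirmed only by e-mail.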

Ongoing Tokens Under EAF

The following tables describe the allowable uses of tokens under EAF levels 2-4. Table 2 shows the types of tokens that may be used at each authentication assurance level. Table 3 identifies the protections that are required at each level.

Table 2. Token Types Allowed at Each Assurance Level
Token type Level 1 Level 2 Level 3 Level 4
Hard crypto token
One-time password device  
Soft crypto token  
Passwords & PINs    

Table 3. Required Protections
Protect against Level 1 Level 2 Level 3 Level 4
Online guessing
Replay
Eavesdropper  
Verifier impersonation    
Man-in-the-middle    
Session hijacking      