[Digital Agency] Summary of the Expert Meeting (FY6) on Revision of Identity Verification Guidelines has been published

On April 4, the Digital Agency published a report from a panel of experts (FY1) on revising identity verification guidelines.DS-500 Guidelines for online identity verification methods in administrative procedures” (commonly known as the "Identity Verification Guidelines") is a compilation of rules and methods for safely verifying identities when digitizing administrative procedures. It is like a "textbook for online identity verification." The guidelines refer to guidelines created by the US organization NIST, but also incorporate methods unique to Japan, such as identity verification using My Number cards.

Recently, the environment surrounding identity verification has been changing dramatically, with administrative procedures increasingly being carried out online, more people using My Number cards, and an increase in online scams.

In the United States, a proposal to revise the NIST guidelines has been put forward, and in Europe, a "Digital Identity Wallet" system of digital IDs that can be used on smartphones is about to be introduced.

Therefore, the Digital Agency gathered experts to hold the "Experts' Conference for Revision of Identity Verification Guidelines," and for the past two years they have been discussing how to revise the guidelines in light of current issues and overseas trends.5th meeting of FY2024English learning is necessary to prepare for life, learning and interaction with the global environment. <br> IT Skills (programming logic) is necessary to prepare for the needs of the future.<br> Financial literacy is necessary to prepare for creating, managing and being smart with time and wealth.<br>

The announcement was made:"Plan for revising identity verification guidelines: FY6 summary (draft)"When,Proposal for revision of identity verification guidelines (as of the time of compilation in FY6)In addition, we have compiled comments from experts in response to these issues.Minutes (These points will likely be reflected.)

Please also take a look at the YouTube version of the commentary at the end of the article.

Document 1: Personal Identification Guidelines Revision Policy Summary for FY6 (Draft)

First,

• Document 1: Personal Information Verification Guidelines Revision Policy FY6 Summary (Draft) (PDF/1,130KB)

However, this is a summary of the results of the 6 expert meeting, and contains ideas on how to change the guidelines. Here is what is written:

Background of the revision

• Online administrative procedures and widespread use of My Number cards
• Increasing sophistication of phishing attacks and increased cases of forged identity documents
• Revision of US NIST guidelines and movement towards introduction of digital ID wallets in Europe

Main points of the revision

1. Review of the scope and name of the guidelines: This also applies to administrative services other than face-to-face identity verification and administrative procedures.
2. Definition of the "basic concept" for considering identity verification methodsWe focus on five areas: accomplishing business objectives, fairness, privacy, usability/accessibility, and security.
3. Defining the basic framework for identity verification: Clarify the concepts of identity verification, personal authentication, and federation, define system implementation models for federated and non-federated models, and base them on the federated model.
4. Updating threats and countermeasures, reviewing assurance levelsTaking into account the latest threat and technological trends, we will review the threats and countermeasures in identity verification and authentication, as well as the positioning of assurance levels and countermeasure standards.
5. Overhauling the risk assessment process: The identity verification method evaluation process is carried out from five perspectives, simplifying the risk assessment process.

Miscellaneous

• In addition to the main guidelines, a new "Identity Verification Guidelines Commentary" will be prepared that will compile specific technologies, methods, and case studies.

Document 2: Proposal for revised identity verification guidelines (as of the time of compilation in FY6)

on the other hand,

• Document 2: Proposal for revised identity verification guidelines (as of the time of compilation in FY6) (PDF/1,838KB)

However, a proposal for actual revision of the guidelines has been presented.

Key PointsThe following is written as such:

1. Select the "right level of assurance" based on risk:
   • In the past, there was a tendency to demand a uniformly high level of assurance, which sometimes led to a loss of convenience.
   • In this revision, the procedureAppropriate assurance levels according to risk (levels of certainty of identity verification) The basis is to select
   • We aim to avoid excessive strictness and provide safe, secure, and convenient administrative services.
2. Five aspects to consider:
   • When selecting an assurance level and identity verification method, consider the following five points:
     • Pursuing business objectives (whether identity verification would be a barrier to processing)
     • Fairness (Are there any unfairness, such as certain people being unable to use the service?)
     • Privacy (Is personal information being handled appropriately?)
     • Usability and accessibility (is it easy for users to use?)
     • Security (is it adequate for the risk?)
3. Identity verification consists of:
   • Identity verification is defined and organized in terms of the following three elements:
     • Identity Proofing: Verify that the applicant is a real, living person (attribute collection, document verification, applicant verification, etc.).
     • Authentication: Verify that the person using the procedure is the same person who was registered during identity verification (knowledge-, possession-, and biometric-based authentication).
     • Federation: It relies on identity verification and authentication performed by another trusted identity provider.
4. Implementation model:
   • Federated Model: A model that uses a common ID provider (first choice for efficiency).
   • Non-Federated Model: A model in which each system builds its own identity verification function.
   • A combination of both is also possible.
5. Threats and Countermeasures:
   • It specifically outlines threats in identity verification, authentication, and federation (spoofing, document forgery, phishing, duplicate registration, etc.), and defines countermeasure processes and examples of methods for dealing with them, as well as countermeasure standards for each assurance level.
   • In particular, with regard to identity verification, methods for authenticity verification (digital signature verification, inquiries to reliable sources, physical inspection, etc.) and methods for verifying applicants (appearance verification, PIN numbers, sending of confirmation codes, etc.) are organized.
   • Regarding identity authentication, the importance of multi-factor authentication and phishing-resistant authentication methods (such as public key authentication) are mentioned.
6. Process for considering identity verification methods:
   • The process presented is as follows: 1) Risk identification → 3) Risk impact assessment (high, medium, low) → 5) Assurance level determination (Level XNUMX to XNUMX) → XNUMX) Evaluation of methods (five perspectives) → XNUMX) Consideration of complementary measures and exceptional measures → XNUMX) Continuous evaluation and improvement.
7. Identification of Corporations, etc. (Appendix 2):
   • It requires a different way of thinking than the individual.
   • The process is organized in three steps: 3) Confirmation of the existence of the corporation etc. (corporate number, name, address, etc.), XNUMX) Confirmation of the existence of the individual applicant, and XNUMX) Confirmation of the link between the corporation etc. and the individual applicant (representative's seal, power of attorney, etc.).

Upcoming

The revised version of the guidelines will be published after the guidelines have been published, opinions have been collected, and discussions have been held among the ministries. I think it is a pretty good document, so I am looking forward to it. I would also like to see an English version.

Details

Below is a more detailed explanation for your reference.

Key themes

Expansion and change of scope and name of the guidelines:

• The scope of application will be expanded from the current "online identity verification" to include face-to-face procedures and administrative services other than administrative procedures.
• The name of the guidelines will be changed to "DS-511 Guidelines for the Handling of Digital Identity in Identity Verification in Administrative Procedures, etc."
• The document number will also be changed from DS-500 to DS-511.
• (Document 1 "In light of the fact that opportunities for identity verification using digital technology are expanding beyond face-to-face and administrative procedures, we intend to expand the scope of application of these guidelines."
• (Document 2 From p.2) "These guidelines apply to identity verification when individuals or corporations, etc. apply, notify, register an account, log in, etc. in administrative procedures or administrative services provided by national administrative agencies (hereinafter referred to as "subject procedures").

Definition of the "basic principles" to be considered:

• In order to select an appropriate method according to the characteristics of the procedure, etc., five perspectives are defined: "achievement of business objectives," "fairness," "privacy," "usability and accessibility," and "security."
• (Document 2 Pi: "In this revision, we have defined five basic concepts to enable the selection of an 'appropriate assurance level' according to the risk of the target procedure: 'accomplishment of business objectives,' 'fairness,' 'privacy,' 'usability and accessibility,' and 'security.'"
• (Document 1 (From the 2013 IEEE International Conference on Personal Information and Communications Technology (IPTC)) "It is not enough to simply choose a method with a high level of security. It is necessary to select an identity verification method at a level appropriate to the risk, taking into consideration the impact on the accomplishment of business objectives, fairness, privacy, usability, and accessibility."

Definition of basic identity verification framework:

• Identity verification is defined as consisting of three elements: "Identity Proofing," "Authentication," and "Federation."
• A "Federated Model" and a "Non-Federated Model" are defined as implementation models.
• (Document 2 From p.9) "In this guideline, we define 'identity verification' and 'authentication of the person' as elements that constitute identity verification. Furthermore, we define 'federation' as an element that realizes identity verification and authentication by relying on a third party (a trusted ID provider)."

Updating threats and countermeasures, reviewing assurance levels:

• Based on domestic and international threat trends, the latest technological trends, and the revised contents of NIST SP 800-63-4, the anticipated threats and example methods for each element will be updated.
• The positioning of identity confirmation assurance levels and identity authentication assurance levels and the countermeasure standards will be reviewed from the perspective of threat resistance.
• The identity verification process will be defined as "collection of attribute information," "verification of identification documents," "verification of applicant," and "registration," and the threats at each process will be clarified.
• The identity verification assurance level will be redefined as "Level 1," which is intended for low-risk procedures, with the key difference being whether or not digital verification is performed using an IC chip, etc. (simple identity verification).
• The process of identity authentication will be defined as "registering an authenticator," "performing identity authentication," "responding in the event of theft or loss," and "account recovery," and measures will be considered throughout the entire lifecycle.
• The countermeasure standards for the personal authentication assurance level will be reviewed to strengthen responses to the latest threats such as phishing resistance. At Level 3, phishing-resistant authentication methods will be mandatory for all users.
• In federation, the assurance level will not be specified, but a uniform standard of measures will be defined. Based on the requirements of NIST SP 800-63-4 FAL2, the standards for establishing trust relationships, configuration, registration, key management, measures related to assertions, and periodic confirmation and review will be defined.
• (Document 2 (From p.3) "XNUMX. Threats and countermeasures in identity verification"
• (Minutes"Regardless of the trends in NIST SP800-63-4, Japan has created an environment in which strict identity verification using IC chips is relatively easy to use. However, since phishing scams cannot be prevented by warning alone, I think identity verification assurance level 3 is becoming more important."
• (MinutesFrom the article: "The table of personal authentication assurance levels includes a notation such as phishing resistance (recommended). How about adding a notation that similarly recommends checking the person's appearance when verifying their identity? I think this will help to clear up the misunderstanding that verification using a PIN without checking the person's appearance when meeting in person is a strong verification."

Overhauling the risk assessment process:

• We will simplify the process for determining the assurance level and introduce an evaluation process that takes into account business objectives, fairness, the impact on privacy, etc.
• A new "Risk Identification" process will be established as the initial stage of risk assessment.
• The criteria for assessing the level of impact will be centered on the infringement of users' rights and interests, but will be rated "high" if there is expected to be a serious impact on privacy or misuse for criminal or offensive purposes.
• A new evaluation process for identity verification methods will be established, and they will be evaluated from the five perspectives defined in the "Basic Concepts."
• Based on the evaluation results, a process will be introduced to consider complementary measures such as the use of multiple methods in combination, additional measures, and the adoption of methods with higher/lower assurance levels.
• We will establish a process for continuous evaluation and improvement, collect and analyze user inquiries, security events, threat trends, etc., and take improvement measures as necessary.
• (Document 1 "The risk assessment process in Chapter 4 has been completely revised to simplify the process leading up to the assurance level determination, while incorporating the idea of ​​tailoring that takes into account the impact on business objectives, fairness, privacy, etc."
• (Document 2 (From p. 40) "XNUMX. How to consider identity verification methods"

New guideline explanations:

• In addition to the normative main text, a new informative "Identity Verification Guidelines Explanation Manual" will be prepared.
• The commentary manual will compile rapidly changing information, such as specific technologies, methods, case studies, and study worksheets, with the aim of simplifying the main text and allowing for flexible revisions.
• (Document 1(From the website) "In conjunction with this revision, we plan to prepare a separate "Identity Verification Guidelines Commentary" in addition to the main text."
• (Document 1(Source: http://www.ietf.jp/) "While the main text is normative, the 'Commentary' is informative. By compiling information that changes rapidly (specific technologies, methods, examples, etc.) in the 'Commentary', it will be structured to be able to flexibly respond to future changes in trends."

1. Concept of identity verification for corporate procedures:

• Since different approaches and methods are required than for identity verification of individuals, the attached document provides examples of the process and methods for identity verification in procedures involving corporations and other entities.
• It consists of three stages: verifying the existence of the corporation etc., verifying the existence of the individual applicant, and verifying the link between the corporation etc. and the individual applicant.
• (Document 2 (From p. 48) "Appendix XNUMX: Regarding the concept of identity verification in procedures for corporations, etc."

Issues noted in the minutes

• There is a need for guidelines that take into account technological advances, such as the incorporation of My Number cards into smartphones. (Minutes Than)
• Considering that the guidelines will mutually affect laws, regulations, and enforcement regulations, it is necessary to clarify their relationship through FAQs, etc.MinutesThan)
• As a measure against phishing scams, the importance of stricter identity verification procedures (such as checking appearance) is increasing. (MinutesThan)
• It is desirable to compile a mapping of identity assurance levels and threat resistance and reflect this in the document.Minutes Than)
• In order to clear up any misunderstandings, it would be effective to state that, in addition to recommending phishing resistance in identity verification, it is also recommended to check the appearance of the person when verifying the identity. (MinutesThan)
• The charts and figures need to be revised to avoid misleading users, such as by showing the number of digits in the PIN and the expiration date. (MinutesThan)
• A clearer description is required regarding the acquisition of information from identity providers in a federation.MinutesThan)
• It would be desirable to have easy-to-understand descriptions that take into consideration the use of digital authentication apps by private businesses. (MinutesThan)
• It has been pointed out that it is necessary to clarify and audit the process when identity verification is performed by the ID provider. (MinutesThan)
• The part about tamper resistance needs to be revised to clarify that it is a description of the key, not the whole electronic signature. (MinutesThan)
• It has been proposed to revise the definitions of terms such as identity verification and assurance level to more accurate and easy-to-understand expressions. (MinutesThan)
• It is necessary to ensure consistency in the descriptions of the components of "identification."Minutes Than)
• It is necessary to standardize the terminology in the diagram (e.g., personal identification number vs. PIN).MinutesThan)