Jimmy,

I have seen a need for IAL2-capable kiosks for significant numbers of individuals who apply for benefits. A number of physical conditions can make a kiosk easier to use than a phone, and quite a few people lack the devices or bandwidth needed for biometric verification.

The use of kiosks, should they become more readily available, also adds friction to the process which can be useful when organizations are dealing with high levels of fraud during their IAL2 processes.

Maria

Maria E. Vachino

President

Calvert Consulting, LLC

Mobile: +1 (410) 849-9033

Email: maria@icam.consulting

Time Zone: EDT/UTC-4

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review; use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail, delete and then destroy all copies of the original message.

From: Jimmy Jung <jimmy.jung@slandala.com>
Sent: Tuesday, August 8, 2023 5:52 AM
To: Lorrayne Auld <lorraynejs@gmail.com>
Cc: IAWG <wg-idassurance@kantarainitiative.org>
Subject: [WG-IDAssurance] Re: Supervised Remote Criteria

Thanks Lorrayne,

I imagine that the use case separation between IAL2 and IAL3 is going to be who owns the “remote terminal.” Taking on the cost and logistics of deploying CSP controlled kiosks is probably not merited unless you are shooting for IAL3. Supervised Remote In-person at IAL2 is going to be via the applicant’s phone or laptop.

Combing our thoughts, it seems unlikely that a CSP would deploy a kiosk that in a location that did not meet IAL3, when IAL2 could be performed on the phone. Hence, my thinking that 63A#0570 – Tamper detection and resistance features at its Remote proofing terminal is the criteria that is the real distinction between IAL2 and IAL3; and also my hesitancy at including 63A#0450 - clearly witness all applicant actions, when this is dependent on the applicants equipment. At IAL2, we could define this as the supervisor being satisfied with the clarity; while at IAL3 this could be a technical criteria; but one is subjective and neither clings to 800-63 as written.

jimmy

From: Lorrayne Auld <lorraynejs@gmail.com>
Sent: Monday, August 7, 2023 2:47 PM
To: Jimmy Jung <jimmy.jung@slandala.com>
Cc: Lynzie Adams <lynzie@kantarainitiative.org>; IAWG <wg-idassurance@kantarainitiative.org>
Subject: Re: [WG-IDAssurance] Supervised Remote Criteria

In my mind, a key distinction between what could potentially be IAL2 and IAL3 is the physical location and physical controls over the equipment.

In the case of a kiosk, is the location of the kiosk in a public location (is it in a shopping mall with limited human oversight [I deem this as IAL2]) or in a closed environment (such as a badging area that has human oversight where one has higher assurance the equipment hasn’t been tampered with that would be appropriate for IAL3).

I think it could be helpful to identify use cases for supervise remote for IAL2 and IAL3.

Sent from my iPhone

On Aug 7, 2023, at 2:24 PM, Jimmy Jung <jimmy.jung@slandala.com> wrote:

Folks,

It sounds like the Supervised Remote Criteria is the next big hurdle.

The first question I would ask is what is our guiding philosophy regarding tracking with 800-63. I recognize that we offer a Kantara 800-63 certification; not just an 800-63 certification. But I was also listening last week, when we got into the weeds about ONLY including “SHALL” statements and always skipping the “MAYs” and “COULDs.” So, it would seem that we often cling very closely to the 800-63. With that in mind, my initial proposal would be that the Supervised Remote Criteria should ONLY be applicable to IAL3. IAL2 vendors who offer more, are to be lauded; but should we be in the position of telling an applicant that they cannot be IAL2, because they meet 800-63, but they do NOT meet Kantara?

That’s my position; although I cannot promise I am sticking to it. As has been noted, some of the Supervised Remote Criteria seems reasonable for any IAL; if we really felt we wanted to apply some of these criteria to IAL2, I think I could get behind 520, 530, 560 and 580. In my mind, 570 is the distinction between IAL2 and IAL3 and I am not sure 550 makes sense without 570. 540 just makes me nervous because I don’t know how to measure it. Do I require the CSP to NOT perform with applicants using an iPhone 8, because I don’t think the camera is clear enough?

I welcome your thoughts

Jimmy

63A#0520 – Proofing Supervisor participates entirety of the remote session, applicant doesn’t depart
63A#0530 – Proofing Supervisor participates entirety of the remote session
63A#0540 – clearly witness all applicant actions
63A#0550 – integrated scanners and sensors
63A#0560 – Training
63A#0570 – Tamper detection and resistance features at its Remote proofing terminal
63A#0580 – Secure Communications

As I mentioned yesterday, I'm not going to be on the IAWG call next week. I'm hoping Denny/Andrew will meet with me on Tuesday for a planning call so I can prep them on what still needs to be discussed - but I'm not sure if they're available yet. These criteria are one of those things. If you have time (unlikely, I know, lol) and want to have some proposed suggestions it might help the conversation move along.

Like we've said - some can stay IAL2/IAL3 and some should be only IAL3 - but we need to say which ones in particular. And then if we remove IAL2, the follow-up question is do we need to add something that would fill a gap for those CSPs? Airside & ID.me both voiced that it would be important to ensure they're process is being assessed even at IAL2.

I attached a word doc that has just the criteria I'm referring to. Just a simpler form than the full criteria.

Thanks & enjoy your weekend,

_______________________________________________
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to wg-idassurance-leave@kantarainitiative.org