Assurance

["Dunker, Mary" <>]

If an institution issues photo ID cards and keeps those photos in a data 
base, perhaps the verifying party could compare the stored photo with the 
video image. Virginia Tech may be interested in exploring video options for 
remote proofing, and appreciate this discussion.

Mary


-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327

 
--------------------------------------------------------------------


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Michael R. Gettes
Sent: Wednesday, May 30, 2012 2:58 PM
To: 
<>
Subject: Re: [Assurance] Remote proofing?

aren't we all assuming a perfect world where the world we need is "good 
enough"?  and, have you tried to present an ID via video conf?  Frankly, it 
looks pretty good.  Additionally, I have the problem of dealing with people 
from other countries so Notary is problematic there. 

/mrg

On May 30, 2012, at 14:54, Roy, Nicholas S wrote:


        
        This is a good point, Jacob- the validity of the documents would be 
harder to determine via video link.  I think this might be a benefit to 
having a notary look at the documents, if that's something they are trained 
to do.
         
        Nick
         
        From: 

 
[mailto:]
 On Behalf Of Farmer, Jacob
        Sent: Wednesday, May 30, 2012 10:58 AM
        To: 

        Subject: RE: [Assurance] Remote proofing?
         
        When it has come up at IU, one of the major concerns has been our 
ability to tell if the ID has been altered over the video link.  Granted, we 
are not likely to catch a good fake ID even if it's presented in person, but 
it seems like we could very well miss a poorly altered ID over the video 
conference link.
         
        Jacob
         
        From: 

 
[mailto:]
 On Behalf Of David Walker
        Sent: Wednesday, May 30, 2012 11:53 AM
        To: 

        Subject: Re: [Assurance] Remote proofing?
         

        I like this general approach.  It also raises the question of whether 
a video conference link should be considered remote or local.  Clearly, it's 
geographically remote, but the risks and the proofing process are much more 
like local proofing.
        
        Has anyone implemented identity proofing based on video conferencing? 
 I've heard it discussed before, but I'm not aware of actual implementations.
        
        David
        
        On Tue, 2012-05-29 at 19:11 +0000, Michael R. Gettes wrote:

        I've been mulling this over for some time.

                 

                Here are my thoughts on a Remote Proofing process we are now 
mulling over at CMU.

                 

                There are parts in here to address some CMU problems of 
issuing 2nd-factor tokens - but you could take that out of the flow and it 
still is viable.

                 

                The IDProof App has yet to be written.

                 

                /mrg

                 

                Version 1.0
                
                Actor = Person to be Identity-Proofed
                Proofer = Doh!  Could be any full-time CMU staff person 
appropriately authorized?  Could be Help Center staff?
                
                It is assumed the Actor has already been issued an Andrew ID 
- or must we define this process too?
                
                0. Actor and Proofer agree upon method of Video Conference 
(FaceTime, Google Voice Video, Skype, others?)
                
                1. Actor independently obtains physical FOB or downloads soft 
FOB
                
                2. Proofer independently accesses ID-Proof Web App in a 
"Proofer" role
                
                3. Proofer establishes VC with Actor.
                a.  It is most optimal if someone the Proofer knows is with 
the Actor as a "chain of custody".
                
                4. Actor presents to Proofer Official Photo ID - holding it 
up to the camera.
                a.  Proofer verifies photo matches actor's face
                b.  Proofer records ID Type, Issuer, ID number into ID-Proof 
Web App
                c.  Actor provides AndrewID - Proofer validates AndrewID 
matches Actor
                d.  Possibility of obtaining digital photo capture of Actor 
in VC
                e.  If a "custodian" (see 3a) is present, record custodian 
AndrewID.
                
                5. Process FOB
                a.  Proofer records Actor's FOB # and AndrewID into ID-Proof 
Web App
                b.  Proofer enables Actor's FOB
                
                6. Actor verifies authentication and access
                a. Actor accesses ID-Proof Web App and login as normal user
                Actor authenticates using Shib SSO and then uses FOB authN on 
ID-Proof page.
                b. Actor is presented with a 6 character KEY
                c. Actor reads KEY to Proofer
                d. Proofer validates the Actor's KEY with KEY on Proofer's 
ID-Proof page.
                e. repeat a-d until success
                
                7. Proofer approves Actor in ID-Proof Web App
                
                8. End Video Conference
                
                9. Proofer authorization
                a.  If Proofer has privilege to authorize then modify 
accordingly.
                b.  If not (9a) then Proofer notifies official authorizers 
ID-Proof steps completed and provides AndrewID and Name to Authorizers.  
Authorizers modify accordingly.
                
                Done.