Skip to main content

This page has been translated using TexTra by NICT. Please note that the translation may not be completely accurate.If you find any mistranslations, we appreciate your feedback on the "Request form for improving the automatic translation ".

Advisory Council for the Revision of the identity verification Guidelines (fifth meeting in fiscal 2024)

Last Updated:

An expert panel will be held for the next revision of the "DS-500 Guidelines on Online identity verification Methods for Administrative Procedures" , which has been developed as one of the Digital Society Promotion Standard Guidelines.

Overview

  • Date: Tuesday, March 4, 2025 (2025), from 18:00 to 20:00
  • Location: Digital Agency meeting room and online
  • Proceedings
    1. Opening
    2. Business
      1. Exchange of opinions on the FY 2024 report and the revised draft of the identity verification Guidelines
    3. Closing

Material

Attendee

  • Tatsuya Kadohara (Amazon Web Services Japan G. K. Sr. Specialist Solutions Architect, Security)
  • GOTO Satoshi (General Manager, RCS Development Dept., DX Business Div., Business Promotion Div., Toppan Edge Co., Ltd.)
  • Natsuhiko Sakimura, OpenID Foundation Chairman
  • To the Amane Sato (Professor, National Institute of Informatics (Director of Trust Digital ID Platform R & D Center))
  • Takashi Niizaki (President, Cedar Co., Ltd.)
  • Akihide Higo (Director, TRUSTDOCK Co., Ltd.)
  • Hisahiro Fujie (Representative Director of OpenID Foundation)
  • MANSHIO Hisashi (Associate Professor, Faculty of Health Data Science, Juntendo University)
  • Minai Toru (Deputy General Manager, Market Research Office, Innovation Division, Japan Credit Bureau Co., Ltd.
  • MORIYAMA Koichi (Chief Security Architect, NTT DoCoMo Inc., Executive Council of FIDO Alliance, Board Member, Chair of FIDO Japan WG, Director of W3C, Inc. (Board Member))

Agenda (1) Exchange of opinions on the FY 2024 report and the revised draft of the identity verification Guidelines

Regarding the "identity verification Guidelines Revision Policies 2024 (Draft)"

The secretariat provided an explanation based on Appendix 1, and experts held a free discussion.

(Expert Opinions)

  • In the verification method for applicants at Identity Assurance Level 3 described on page 26, it is stated that "confirmation of appearance or verification using a PIN number shall be mandatory against theft of identity verification documents." However, I feel uncomfortable that "confirmation of appearance" and "verification using a PIN number" are described in parallel by "or". In the previous discussion, it was discussed that the results differ depending on the presence or absence of confirmation of appearance. Since there is a clear difference in the strength of identification depending on the presence or absence of appearance confirmation, I think it would be better to add a statement such as recommending confirmation of appearance in cases where strict identification is desired, even if there is no classification by level. In addition, I do not think it is necessary to intentionally write such a statement as "measures against lending and borrowing of identity verification documents are not mandatory." In order to make the guidelines to be revised this time usable for a long time, I think that the issue of lending and borrowing will become an important issue in the future. How about deleting this sentence and describing the importance of confirmation of appearance?
  • In the figure on page 17, the word "PASSWORD" is written. I understand that the password is written in Personal Authentication Assurance Level 1 on page 33, but I don't think we should insert a figure that makes a big claim to the password in the guideline that insists that the password alone is already not enough. Among the elements that make up authentication, knowledge information is not only what is called a password, so why don't you delete the word "PASSWORD" from the figure? There are cases where you enter a PIN or passcode, so it is better to leave the asterisk indicating input. In addition, the order of icons in the figure is not aligned, and on page 17, they are passwords, key icons, and face icons. For example, I think that people will be at the center, so it is desirable to first put the face icon representing biometric authentication at the center, place the icon representing the key, which is one of the three elements of authentication, on the left, and place the icon representing knowledge information on the right. In addition, in the illustration of OTP on page 33, there is "1234", but I think it would be good to align it with the asterisk.
  • In the figure on page 18, it says "When using the service for the first time, etc." for identity confirmation and "When using the service for the second time, etc." for personal authentication, but I don't think this is an accurate explanation. I think it would be better to simply say "When using the service for the first time, etc." and "When using the service for the second time, etc." or delete them.
  • Just to confirm, is it correct to understand that the supplement on the wallet model described on page 21 is information that is not described in the main part of the guideline or the manual?
    • (Secretariat) As you know.
  • On the same page, there is a description of "Policy not to be incorporated into this revision of the Guidelines." When the FY 2024 report is published, shouldn't "Policy" be deleted and "Policy not to be incorporated into this revision of the Guidelines" be included?
    • (Secretariat) Material 1, which has been reviewed this time, is intended to be published as the "identity verification Guidelines Revision Policies" prior to the revision of the main part of the Guidelines. Therefore, the term "Policies" is used here.
  • Will it be released as it is in the figure in which "confirmation of appearance" and "verification by PIN number" are described in parallel? I feel that I received a reaction of approval from another committee member for the earlier proposal. If this is agreed, is it the understanding that it will be released as a separate compilation document? I think it will be an important document because it will be named as a "compilation document" issued by Digital Agency.
    • (Secretariat) Today's meeting materials will be released as you can see now. After that, the "draft" materials reflecting today's comments will be released as the official version.
  • There is a diagram on page 26 that shows the My Number Card being held up to the IC reader, but considering the fact that the My Number Card is equipped with a smartphone, I thought it would be good to show the smartphone being held up.
  • I believe that these Guidelines will have a comprehensive impact on the Criminal Proceeds Act and the Mobile Phone Act. In consideration of the possibility that some people may read these Guidelines instead of the laws and ordinances or the Enforcement Regulations, I thought it would be better to describe the relationship with the Criminal Proceeds Act, etc. in the FAQ, etc.
  • Regardless of the trend of NIST SP 63-63-4, Japan has created an environment where it is relatively easy to use strict identification using IC chips. However, I think that Identity Assurance Level 3 is becoming more important because it is not possible to prevent phishing fraud only by warning. Therefore, in order to carry out more strict procedures, I think it is better to describe in a way that it is clear that it is desirable to carry out even facial recognition. 800
  • I understand that the reason why "confirmation of appearance" and "verification by PIN" are described in parallel, such as "confirmation of appearance or verification by PIN", is that there are many systems that verify by PIN at present. I may have to describe both at present, but I think it is desirable to add a supplementary note that confirmation of appearance is important.
  • In the FY 2024 summary materials, there is a table of threat resistance for personal authentication, but not for identity verification. Since the main part of the guidelines also describes the threat of identity verification, I think that the threat should also be included in the summary materials.
  • In the table of the person's authentication assurance level, there is a notation such as phishing resistance (recommended). How about adding a statement that it is also recommended to confirm the person's appearance during identification? I think it will be a trigger to clear up the misunderstanding that verification with a PIN without confirming the person's appearance during face-to-face meetings is strong verification.
  • The PIN number icon on P26 has only four asterisks, and I think it may give a misunderstanding that entropy is not necessary. Also, I think it is OK to write the expiration date.
  • In relation to the fact that "the adoption of a' collaborative model' utilizing federation is the first choice in these Guidelines" on page 20, "Major Points of Revision ④ Update of Threats and Countermeasures, and Review of Assurance Levels 3.1 Identity Proofing" as in the previous version, "Acquisition of Information from an Identity Provider" was deleted because it was written only in a part of the procedures, which caused misunderstanding. On the contrary, it seems to be difficult to read that "Acquisition of Information from an Identity Provider" can be used.
  • The digital Authentication App of My Number Card is often used by private sector, so I think it is desirable to have an easy-to-understand description.
  • I think you can read it from the figure on page 17 or 19.
  • In many cases, the RP obtains the information and verifies the identity itself. However, depending on the administrative procedure, there may be cases where the IdP only needs to know that the identity has been verified at a high level. In some cases, this may be preferable in consideration of privacy and other factors.
    • (Secretariat) Many administrative procedures are considered to depend on the Public Personal Authentication, and if the Public Personal Authentication shows that the identity has been confirmed, I think there are cases where the four basic information is not necessary. We would like to describe the general case in this part, but we will consider reflecting it in the manual, etc.
  • From the viewpoint of data minimization, I think it would be better to consider minimizing not only the acquisition but also the handling of information.
  • I understand that the translation of Authenticator has been unified to "authenticator", but the term "authentication information" is still used.
    • (Secretariat) Whether or not the term "credential" should be replaced with "authenticator" is currently under review. In some cases, the term "credential" is used in the same meaning as "Credential" or "Authenticator Output" in NIST terms. Therefore, by the time the revised guideline is announced, the term "credential" will be revised.
  • As for the vertical and horizontal direction of the figure on page 27, I think it would be better to describe the guarantee level vertically as in the description of other guarantee levels.
    • (Secretariat) We will consider the amendment.

Revision of the identity verification Guidelines (Draft at the Time of Compilation in FY 2024)

The secretariat provided an explanation based on Appendix 2, and experts held a free discussion.

(Expert Opinions)

  • In P1, there is a description such as "Please recognize that it is important." How about a softer expression such as "It is expected that an appropriate method will be selected?"
  • It seems that the word "define" is somewhat abused in the guidelines. I would like to ask you to check again if it is an appropriate expression.
  • Although the term "passkey" is written, there is no explanation. Since this technology corresponds to "C" on page 30 and is expected to be included in the "Comprehensive Measures to Protect Citizens from Fraud," I thought that adding a simple explanation would be a more useful guideline.
  • The term "corporation, etc." is defined in Table 1-1 "Definition of Terms related to identity verification", but it excludes sole proprietors and freelancers, and there are concerns about whether it will be settled by administrative procedures as individuals.
  • Since sole proprietors and freelancers do not have a corporation number, I believe that the definition of "corporation, etc.," which excludes sole proprietors and freelancers, is correct. In addition, although corporations and individuals may follow the same procedures, sole proprietors will be treated as individuals.
  • It is difficult to define the attributes of a sole proprietorship, and I think you can treat it as an individual.
  • The definitions of terms in Table 1-1 include many explanations and examples. It would be better to write the definitions separately.
  • What is described in "Privacy" on page 7 is only a part of the Privacy Principles. It is desirable to describe JIS X 9250, etc. as reference information.
  • Does Table 2-1 overlap with Table 1-1?
    • (Secretariat) Assuming that readers read Chapter 2 without reading the definition of terms, it is intentionally described in duplicate.
  • In the explanation of "a" on page 15, it would be preferable to state that it is important to define the target population.
  • In common with Table 3-5, shouldn't the issuance of identity verification documents based on clearly stated standards similar to ISO/IEC 29115 be required? In the case of identity verification in a federation, if the IdP does not have a clearly stated process, it is not appropriate, and if it does not have a clearly stated process, it cannot be audited, so I think this is a necessary measure.
  • In Table 3-5, "A system that makes it difficult to extract or copy electronic data illegally (tamper-resistant IC chips, similar technical measures, etc.) is provided." This is not a description of the entire digital signature, but a description of the key. It should be corrected so that it can be understood.
  • Table 3-9. I think it would be desirable if the discussions on mapping the identification assurance level and threat resistance that have been arranged in the past study meetings are reflected in some way.
  • Was it difficult to keep a map of the threat resistance? It was easy to understand that the main threat of identity verification is phishing, but I think it is difficult to understand that the main threat of identity verification is spoofing. It would be easier to understand if you describe specific examples such as SIM swaps and pretending to be a person who has no intention of paying and describe measures to prevent them.
  • The definition of the term "identity verification" in Table 1-1 should be written on the first line, but it can be read as if the definition is continued on the second and subsequent lines. In addition, the definition of the term "assurance level" in Table 1-1 is defined as "a category that expresses the degree of certainty of a identity verification as a stepwise level," but it would be easier to understand if the assurance level is expressed as "level" instead of "category." In addition, although it is described that "This guideline defines two types of assurance levels, i.e.," identification assurance level "and" authentication assurance level, "" it seems that there is no definition of each term.
  • Table 1-1 "identity verification" states that "In these Guidelines, a identity verification is defined by three elements:' Identification,'' Identification,' and' Federation.'" However, "2.1. Elements of a identity verification" states that "In these Guidelines,' Identification' and' Identification' are defined as elements that constitute a identity verification. Furthermore,' Federation' is defined as elements that rely on others (trusted identity providers) for identification and identification." Therefore, I think it is better to use the same expression.
  • The word "PIN" is used only in Figure 3-1 where it is described as "PIN number" in other figures and tables.
  • Wouldn't it be better to delete the letters "PIN" and "PASSWORD" from the figure and show only asterisks?
    • (Secretariat) We will consider amendments while taking into account the ease of transmission of these guidelines to readers.
  • In the definition of terms, was it considered to distinguish whether knowledge authentication is Authenticator Output or not?
    • (Secretariat) As a result, we decided not to use different words because the concept does not affect the judgment of the "guarantee level", and we hope that it can be described in the manual.
  • Since there are three notations, "PIN", "PIN number", and "OTP", I think it is better to organize them as well. Since the difference between a locally completed passcode and a remotely output password is obvious, I think it is better to clarify the difference.
    • (Secretariat) In this guideline, the policy is to describe the elements that are not related to the guarantee level or the countermeasure standard in the "explanation document".
  • In Table 4-3, the degree of risk impact is evaluated in three stages: high, medium, and low. However, "invasion of privacy" and "misuse for crime or attack" are only rated high. In the materials of the 2024 draft report, it is explained that these are "rated high regardless of the degree of invasion," and I think it is better to add such a description to this part.
  • Regarding the description of "Password", it is written in Katakana in the text and in English in the icon, so I thought it would be okay to align it with either one.
  • The term "representatives, etc." is used only here on page 48. There is an explanation on page 49, but I am a little concerned.
  • I was also concerned about the fact that only on page 48, the numbers with circles are black circles (1,1, 2,2, and 3).
  • At present, it seems that the "confirmation of appearance" is written on the assumption that it will be performed visually by a human, but in the future, it is assumed that mechanical verification will spread even if it is performed face-to-face. I think it would be good to consider writing based on the fact that mechanical verification will be performed.
  • There are countries in laws and ordinances that require a person in charge who has received appropriate training to conduct visual checks instead of using a machine. I think it would be a good idea to have a place to educate people about such views.
  • Even if the applicant in front of you seems like a different person from the one in the picture, there could be a problem that the person in charge of identification cannot point it out. I think it is necessary to consider comprehensively other than technical problems.
  • I have also heard that the introduction of machine judgment in entrance gate and other places makes it easier for employees to explain that they cannot enter because the machine is judging.
  • "Level 1" on page 22 should be replaced with "Identity Assurance Level 1" and "Identity Assurance Level 2" in the same way as in the 2024 Report.
  • It is stated on page 44 that "Consider supplementary measures, review the guarantee level, consider exceptional measures, and determine the identity verification method to be adopted in the subject procedures." It would be better to state that the results of the consideration should be clearly stated.

Closing

  • Since the launch of (Secretariat) Digital Agency, the revision of the identity verification Guidelines has always been a necessary matter. I am truly grateful for the knowledge of the committee members and the accumulation of discussions at the Advisory Council, which led to the compilation of the revised draft. I would appreciate your continued support in the preparation of the guideline manual scheduled in the future and in confirming the results of the discussions among the ministries and agencies.
  • (Secretariat) That will be all for this year's meeting. Thank you again for your time today.

END