Advisory Council for the Revision of the identity verification Guidelines (first meeting in fiscal 2023)
An expert panel will be held for the next revision of the "DS-500 Guidelines on Online identity verification Methods for Administrative Procedures", which has been developed as one of the Digital Society Promotion Standard Guidelines.
Overview
- Date and time: Tuesday, October 31, 2023, from 18:00 to 20:00
- Location: Meeting room on the 20th floor of Digital Agency and online
- Agenda:
- Opening
- Business
- Outline of the meeting
- Discussion Points for Revision of the Guidelines
- Point 1: Review of the level of identity assurance
- Point 2: Review of the authentication assurance level
- Closing
Material
- Agenda (PDF/38KB)
- Document 1: Outline (PDF/1,124 kb) (updated on November 21, 2023)
- Appendix 2: Materials for the Issues Discussion (1st Round) (PDF / 1,411 kb) (updated on November 21, 2023)
- Minutes (PDF/242KB)
Minutes
Attendees
- Tatsuya Kadohara (Specialist Solutions Architect, Security)
- GOTO Satoshi (General Manager, RCS Development Dept., DX Business Div., Business Promotion Div., Toppan Edge Co., Ltd.)
- Natsuhiko Sakimura, OpenID Foundation Chairman
- Amane Sato (Associate Professor, Information Technology Center, The University of Tokyo / Next Generation Certification Cooperation Working Group, National Institute of Informatics Academic Certification Cooperation Committee / Trust Working Group, Chief)
- Akihide Higo (Director, TRUSTDOCK Co., Ltd.)
- Hisahiro Fujie (Representative Director of OpenID Foundation)
- Minai Toru (Deputy General Manager, Market Research Office, Innovation Division, Japan Credit Bureau Co., Ltd.)
- MORIYAMA Koichi (Chief Security Architect, NTT DoCoMo Inc., Executive Council of FIDO Alliance, Board Member, Chair of FIDO Japan WG, Director of W3C, Inc. (Board Member))
Agenda (1) Opening and Outline of the Meeting
Secretariat
- We have been thinking for a long time that the time required to set up a video conference would be shortened by the evolution of technology, but it has been a quarter of a century of being disappointed. I feel that it is an old and new problem. In the case of IDs, which are the theme of this conference, we also briefly thought that various problems would be solved by the spread of the My Number Card. However, now that more than 90 million cards have been issued, problems with linking and with agents have become apparent, and I feel that it is not enough to simply issue credentials. Such problems are being discussed in the study of electronic powers of attorney, but after nearly 20 years of discussion in the government, with the foundation being prepared for the discussion of the identity assurance level and the authentication assurance level, edge cases have been discovered as utilization increases, and many reviews are needed in foreign countries as well, so I think it is an extremely high-profile field. I feel that we ourselves must advance the study with a hands-on sense while catching up with the discussions around the world: what is happening in the world, what needs are emerging, what is feasible as a technology, and where there are gaps. I appreciate your continued guidance.
- I would like to give an explanation of today's meeting. Thank you all for participating in the meeting as you did last year. The materials and minutes of this year's meetings will be made available on the web. In addition, a total of five meetings are scheduled to be held this year. As the current plan, three meetings will be held during 2023 to discuss the points of discussion, and the two meetings scheduled for 2024 will discuss points of discussion based on the draft of the revised version of the identity verification Guidelines prepared by this Task Force. The points scheduled to be discussed at the three meetings during 2023 are listed in the outline of the meeting in Appendix 1. As for the future schedule, a draft of the revised version of the identity verification Guidelines will be prepared by the end of this year, the contents of NIST SP 800-63-4, which is scheduled to be finalized at the end of this fiscal year, will be incorporated in the first half of the next fiscal year, and the revised version will be finalized and issued while discussing it with you.
Agenda (2) Discussion Points for Revision of the Guidelines
Regarding "Point 1: Review of the Identity Assurance Level"
The Secretariat explained the current policy on Issues 1-1 to 1-3 based on Appendix 2, and the experts held a free discussion.
Expert opinion
- In the explanation from the secretariat, the theft of identification cards was mentioned, but I think that NIST is also considering the lending and borrowing of identification cards. I felt that it is necessary to consider whether the current policies are acceptable when the lending and borrowing of identification cards in Japan is also taken into account. In addition, I was concerned about the relationship between the policies for the process of issuing a My Number Card for the first time and reissuing it when it is lost, and the policies that are going to be established in accordance with the identity verification Guidelines this time. If it takes a long time to reissue it, it will be a problem if administrative procedures cannot be carried out during that time, so I feel that it is necessary to describe in the Guidelines how to provide relief measures. Even in NIST SP 800-63-4, there is a description to the effect that a person should not be excluded simply because they have no identification card, so I would like to ask your opinion on how to include such exception processing.
- I think there is no problem with the basic policy of aligning to NIST IAL3. However, at this point, what is meant by "Supervised Remote Identity Proofing" in NIST terms is still unclear, and the interoperability of ID evidence in Japan and in the United States are naturally different, so I think it is necessary to work on this at the same time as finalizing the definition and the market view. For these reasons, even if we declare that we will align to NIST IAL3, I think it is unclear whether we can really achieve it, and I think it is a point on which we need to deepen our discussions.
- Regarding the comparison of biometric information, in the case of Supervised Remote, authentication with a digital account at AAL2 or FAL2 should have been included in the requirements of Verification, and I believe that authentication with a My Number Card and PIN conforms to NIST IAL3 because it proves that you have accessed your registered My Number Card account. However, as mentioned earlier, if the PIN is also shared when a My Number Card is lent or borrowed, it becomes possible for another person to authenticate. As there is talk of making the recording of biometric information mandatory, a detective control by tracing afterwards can be realized, but it does not constitute a preventive control, so I think it is better to keep in mind whether that is acceptable in light of the conventional thinking of the administration.
- In the first place, I think it would be better to leave room for discussion on whether or not the Identity Assurance Level should be fixed at three levels. In the internal digital identity guidelines we created, we considered whether or not the three levels of NIST IAL should be followed and decided on three levels. I think that the operation is generally going well, but I realize that there are cases where it is better to add a plus or minus to the three levels when considering strictness. In this review, if Identity Assurance Level 3 is defined as a very strict level that does not apply to general administrative procedures, the assurance levels actually used will be the two levels 1 and 2, so I thought there is room to consider additionally defining an Identity Assurance Level equivalent to NIST IAL3, such as "3+".
- In recent years, there has been a trend in the private sector that health insurance cards without facial photos cannot be used as identification documents. I believe that people have come to understand the need to check a person's appearance, including because of the issue of lending and borrowing identification documents. On the other hand, I believe that it is actually effective to conduct remote identification by multi-factor authentication with the My Number Card electronic certificate and PIN, and in fact we have been able to use JPKI in our business since March 2022 and have confirmed that the usage rate has increased. However, there are still people who do not remember their PIN. Recently, in September, we started to confirm the presence of the IC chip and the person's appearance to confirm their identity. If the identity verification Guidelines simply state that "biometric comparison is not mandatory," I think it will be taken to mean that "confirmation of appearance is not necessary," so I think it is better not to actively promote this way of thinking, including because of the issue of lending and borrowing.
- There are not many other opinions about the registration code, so I think it would be good to discuss it individually, but I personally think it is meaningful.
- Regarding Issue 1-2, it seems that the results verified by knowledge-based verification and by confirmation of appearance are treated in the same way, so I think there should be a slight difference. I thought it was important to at least create a situation where the Relying Party can confirm what was used to verify.
- There is a high possibility that discussions on biometric identification will lead to various controversies, so I feel that we will have to proceed carefully in terms of how to inform the public. The other point is about the false acceptance rate (FAR). If we try to accept foreign nationals who have a Japanese residence card and a My Number Card, I think it will be difficult unless we raise the acceptance rate to some extent.
- I agree with the idea of aligning Identity Assurance Level 3 with NIST IAL3 in consideration of interoperability with other countries in the future. However, when DADC reviewed the identity verification Guidelines for the private sector about two years ago, many methods were concentrated at Level 2 and subdivided. I am concerned about the possibility that different levels would be mixed. With regard to Identity Assurance Level 2, I think it would be acceptable to use a description such as "Public Personal Authentication or ...", because there is a possibility that it will be read as performing biometric authentication when knowledge-based authentication is not possible.
- As a separate matter, the current identity verification Guidelines describe "face-to-face or remote", and I am aware that online procedures and postal procedures were included in remote. However, this document describes "remote" and "digital evidence", so I would like to ask whether postal procedures will be excluded from the baseline.
- I am also concerned that the scope of Identity Assurance Level 2 will be expanded. When the private sector refers to the revised identity verification Guidelines, I think all financial procedures will probably be at Level 2. Various procedures, such as opening a bank account and creating a credit card, will be concentrated at Level 2. Therefore, on the assumption that the private sector will also refer to the Guidelines, I felt it would make identity verification easier if the Guidelines recommended considering the subdivision of the Identity Assurance Levels as appropriate when the private sector refers to them.
- If Identity Assurance Level 3 is to be tightened, the level to be selected is basically Level 1 or Level 2. If the necessary assurance level is to be considered based on risk assessment, I am concerned about whether administrative procedures can be included in Level 2, or whether it is possible to set criteria by which Level 2 can be subdivided, because the criteria are important.
- I think there is a problem with the possibility that there will be two levels of PIV, but I think it was easy to operate because the information collected by the Japanese government was reliable and Level 2 was easy to prove. At this point, I don't think there is a problem with Level 2, but considering the future security of the country, I may have to be a little more flexible. Currently, the My Number Card is used by government agencies for employee certification, but I think Level 3 is a matter of being prepared to operate another PIV equivalent to the US PIV. Is this correct?
- As for the registration code, I think the gap between Level 1 and Level 2 is that the e-mail address is used. Young people use the registration code by e-mail instead of by mail or phone, so I think there is a difference.
- With regard to the point that even a two-level assurance scheme is acceptable in Japan, I feel that there is something that cannot stand on a theory of good nature, considering that there are many foreigners in Japan and the modus operandi of crimes is becoming more complex. There should be absolutely no discrimination based on the country of origin of the user, and it would be good if the assurance level could be defined with fairness and strictness.
- Regarding e-mail addresses, there have been cases where attackers have used aliases or Gmail issues to launch sophisticated attacks, so I think it would be better to carefully consider the possession of an e-mail address. It has been pointed out that the ability to receive e-mail and the ability to receive SMS should be distinguished, and I am aware that some carriers actually operate in such a way.
- As for the assurance level, in the past, even when there were four levels of assurance, there was a discussion about whether a level 2 minus or a level 1.5 was necessary. So, if we make it even coarser this time, I think the resolution of the assurance level will be further reduced. In terms of the Japanese situation, there are many descriptions about tailoring in NIST SP 800-63-4, so I think we need to be aware of how to think about it.
- Regarding the point that biometric identification may not be required, I think it would be easier to understand if this were sorted out as a response to specific threats. Considering theft, it is covered, but considering lending and borrowing, it is not covered. Special fraud is also considered to be a case of lending and borrowing of IDs.
- At last year's meeting, I said that it would be better to define the lower level as richly as possible, or to combine Identity Assurance Level 0 with a higher Authentication Assurance Level. I think it would be difficult to judge the appropriateness of the registration code only from the perspective of the Identity Assurance Level. At the lower level, the difference would be smaller, I think. It is true that there will be a very large number of cases that fall under Level 2, and for those that fall under Level 2, the Identity Assurance Level alone does not guarantee the reliability of conducting domestic administrative procedures, so I think it would be good to define Level 1 more richly and combine it with the Authentication Assurance Level to guide us in the direction of responding to risks.
- Regarding the registration code, I could not imagine what kind of use case it would be used for and how it would lead to cost reduction by increasing the variation of the measure standard at the lower level.
- When I think about the level 1 registration code from the perspective of business operators, I imagine that it means attaching a photographed image of an identification card to an e-mail or uploading it to a website. If the registration code is added to level 1, I thought that modifications would occur to make these procedures currently in operation fall under level 1. Although I think it is safe to notify the address about the registration code, when I think about sending various notifications other than the registration code in the future, I thought it would be meaningful to capture information such as a mobile phone number and use it as a contact.
- To give you an example at a university, the introduction of two-factor authentication has just started at the university, but the actual situation is that they register mobile numbers only by self-declaration and do not verify them. In such a case, the registered mobile numbers cannot be treated as registration codes, but the operation has been surprisingly successful, so I think it is reasonable to treat mobile numbers as registration codes. This story is about the Authentication Assurance Level, but I think it would be better to separate the registration codes that can be adopted at Level 1 and Level 2 of the Identity Assurance Level.
- I think you are right about expanding Identity Assurance Level 1. NIST IAL1 and NIST IAL2 were combined and NIST IAL0 is missing this time, so I understand that NIST IAL1 is actually expanding in the US.
- As for the registration code, I think the concept of controlling it by changing the length of the validity period for each means of communication, such as 24 hours for e-mail and a certain period of time for mailing to the address, is good. However, receiving SMS and receiving e-mail are different from the point of view of Authentication, so I think it is good to distinguish the use of SMS as a means of personal authentication. I think it is good to have variations as a means of identification, but I feel that deeper consideration is necessary as a means of personal authentication.
- For each of the countermeasure standard items, the standard required for the assurance level is described. In reality, the risk is reduced by going through the confirmation method defined as the countermeasure standard for the assumed risk, and the NIST xAL is the result of studying what level of risk is achieved as a result. Therefore, when tailoring is conducted in this country, if it is too bound by the countermeasure standard items presented by NIST, the accuracy will decrease and it will not be accompanied by a sense of satisfaction. So I think it is necessary to consider it from the viewpoint of what the risk is. I think it is also described in the countermeasure standards of the current Guidelines, but I think it is necessary to take into account the viewpoints of existence, survivability, and uniqueness, and to discuss, supported by details, such things as how survivability is addressed when using a photo identification card.
- Going back to the issue of the registration code, in Japan there is an additional system to confirm the address, such as specified mail, and since the registration code is mailed to the address and presented, I think it is different from the story that it is Identity Assurance Level 1; in addition to presenting the registration code, a trained delivery person checks it, so I thought it could be adjusted to Identity Assurance Level 2.
- In that case, I would like to point out that there is a possibility of breaking the issue setting. Today, there was a lot of discussion about the fact that if Identity Assurance Level 3 is adjusted to the NIST IAL3 standard, the required standard of measures is too high and many procedures are concentrated at Level 2. Level 2 was centered on the need to compare biometric information during online identification. When considering in what kind of situation identification in the administration occurs, it was said that NIST IAL3 level identification is required only in extremely special and limited cases. As for the current My Number Card and the next My Number Card, which are prerequisites for the online identification that more and more citizens will be required to perform in the future, identification is currently performed at the level of going to the government office and referring to the Basic Resident Register. I have always felt that the level of identification performed here will be important. If identification at the time of issuance of the My Number Card is reliably performed at a certain level, identity verification using the My Number Card will be high-quality, so although it is not included in today's subject issues, I think it is important how the face-to-face identity verification at the administrative institution should be.
- I am aware that there have been cases of identity theft even in face-to-face verification, and that verifying the authenticity of submitted identification documents at stores has been effective. However, it is not simple, because there are criminal groups that think of ways to circumvent even that authenticity verification. But when face-to-face identification is elevated to a certain level, at least the credentials installed in current and future My Number Cards and smartphones that can fulfill those roles will work very effectively online. So the Identity Assurance Level and the Authentication Assurance Level are also important, but the core of identity verification, what is called an endpoint in terms of other technologies, will be firmly implemented in the subsequent trust chain, so I thought it was very important, although it was not included in today's discussion, and I made a statement.
- The secretariat explained that they are considering changing the title of the identity verification Guidelines, but we understand that the current identity verification Guidelines issued in 2019 cover both personal and corporate identity verification. However, at least the subject of today's discussion is only personal identity verification. Are there any future discussions on corporate identity verification? Or is corporate identity verification going to be outside the scope of the identity verification Guidelines? As reference information, there are business operators in the Trusted Web that are considering use cases of identity verification for corporations and conducting verification tests, so I thought it would be beneficial to use those results well in cooperation with such companies.
- NIST strongly regrets that the thorough implementation of the guidelines in SP 800-63-3 resulted in the exclusion of residents from administrative services. They believe that this should never have happened, and at the briefing on SP 800-63-4 they emphasized that tailoring should be applied to prevent such a situation from occurring in the future. Unfortunately, tailoring is not working well even in the United States. If the standards for measures are made stricter than necessary, they may become a golden rule and people may be excluded. This is a common occurrence overseas. For example, in Uganda, there are reports of cases where people were unable to receive medical care because they did not have a national ID card despite the urgent need for medical care. Administrative services require a wide range of resources, so I think it is important to figure out how to incorporate this into the documents so that people can read it.
- Among the changes from SP 800-63-3 to SP 800-63-4, I was particularly impressed by the elimination of the flow chart, which was quite complicated in structure. Due to the elimination of the flow chart, each of us has to consider it by ourselves. I think there is such a concept because if it is described in too much detail in the guideline, it cannot meet the really necessary needs.
- I think that the elimination of the flow chart is the right direction, and I understand that risk assessment is not something to be done with a flow chart. Those who appreciate the existence of the flow chart should also realize that, in the end, risk assessment must be done properly when actually using the flow chart. If the risk assessment has been done correctly, I think that the necessary assurance level will be determined by following the flow chart, but in terms of the degree of impact on the business, we will be talking about what falls under serious, medium, and low, so in the end I think the problem is shelved there.
- I think it is true that NIST SP 800-63 was originally intended for government employees, and as a vestige of that, the risk such as the duplication of credentials in the case of theft of one employee's PIV is weighted very heavily, and that is IAL3. I recognize that the risk of the system we are assuming is that if an Authenticator is stolen, there is a horizontal spread across the data of the various citizens who can be accessed with that authority. When it comes to services such as government-to-citizen, I think that the scope of impact is basically closed to the scope of a specific user, and I think it would be better to map the risk, such as whether it is a service that should set the Identity Assurance Level to 3 or a service that has no problem at Level 2, and converge on which required level this service should be set to. In order to build a common understanding, I think it is important to think about what kind of system is specifically required for Identity Assurance Level 3.
- There were repeated comments from several committee members, including myself. While it would be fine to proceed with consideration based on the means, I think it would be better to have guidelines that clearly indicate which threats are being addressed. I think there are many cases where there is no need to consider certain threats for various use cases, and there should be many benefits, such as being able to respond flexibly, eliminating the exclusion of residents from services, and making tailoring easier, so I would like you to consider this by all means. A similar comment was made about NIST SP 800-63-4.
- Also, I would like to ask you to consider exception handling from the beginning. This time, it is quite My Number Card-centric, and I think that's fine, but I would like to ask you to describe in an easy-to-read way how to deal with the loss of a My Number Card.
- As for the registration code, since the authentication strength is different, I understand that it is necessary to make a clear distinction between postal mail and other means, and that it may be possible to maintain a certain level of strength for specific postal mail, so I would like to add that.
- On a threat basis, it should come out properly. By adopting the special postal service, various threats should have disappeared.
- It's a very widespread story, and it seems to be difficult to summarize it in a form like N to N to N, but I think it's true.
Additional Discussion: Significance of Guidelines and Assurance Levels
- In our company, the level of risk countermeasures has clearly increased with the establishment of the internal guidelines. This is the case for the Identity Assurance Level, and even more so for the Authentication Assurance Level, which is the point of discussion later. When experts gather as at this conference, it will be argued that it is essentially not needed, but from the standpoint of actual implementation, it is easier to proceed with measures by setting a level of assurance that can be used as a common language. While the flow chart was removed in SP 800-63-4, there was a request within our company to make the flow chart of the guidelines a little more detailed. In this way, when developing and revising the guidelines, I feel that it is necessary to think from the standpoint of the person who actually uses them.
- The same thing is happening in universities, too. There is a problem with enumerating the threats and eliminating them one by one. In other words, there are not many people who can respond intelligently at a high level. Even so, we have to maintain a certain level, so I think we have no choice but to raise the level of operations little by little by showing the guidelines and making it clear that it is okay to do this. In that sense, even if it doesn't mean much because there are more technical options, I think it still means a lot to guide the way of thinking of those who respond in the field. From the side of asking students to do various things, it feels very strong.
- In both explanation and evaluation, if there is no framework for that, it will be difficult to deal with. I think it would be more convenient if there is something. However, I think it is necessary to tell them that we should not close it there.
- In the private sector, for example, it is relatively easy to create a framework in which a standard is set based on the amount of damage and the business impact when a problem occurs in a certain service, and if there is even one "high" after tracing it, the result is XX. In the case of the administration, I think it is difficult because the position is different.
- Of course, I agree with the opinion that we should take measures after conducting a risk assessment, but I feel that the definition of risk in the current NIST SP 800-63-4 is quite rough. When designing based on the guidelines, if we evaluate based on the criteria such as whether the risk is related to human life, it often becomes fixed in one place. If we respond on a risk basis, I think it depends on how precisely we can define the risk in administrative procedures.
- In terms of flowcharts, I think it's true that some people think it's better to have one as a common language, but others think it is too binding. In my opinion, the worst part of the flowchart in SP 800-63-3 is that all of its decisions are Yes/No binaries. I think it would be useful if a flowchart that takes into account the point that we have to make exceptions, as mentioned earlier, were completed.
Regarding "Point 2: Review of the Authentication Assurance Level"
The Secretariat explained the current policy on Issue 2-1 based on Appendix 2, and the experts held a free discussion.
Expert opinion
- I have been involved in phishing resistance for many years, so I think there are some suggestions I can make. At our company, we have a track record of eliminating inquiries from customers saying that they are seeing transactions they are not aware of, by actually limiting certain service sites to phishing-resistant authentication. We are very confident about the results, and the amount of damage has been reduced as a whole. I believe that the fact that the authentication required to use our services is phishing resistant is extremely important for people to live their lives with peace of mind. Earlier, there was talk about making Identity Assurance Level 3 under the identity verification Guidelines equivalent to NIST IAL3, but if there is room for adjustment in the definition of the Authentication Assurance Level, I understand that it is very meaningful in practice to draw a line between those methods that are phishing resistant or close to it and those that are not phishing resistant but are out-of-band in the table on page 13, and I strongly recommend it.
- I think it is quite difficult to make phishing resistance a requirement, but I think it is better to clearly indicate the strength or weakness of the degree of recommendation for the authentication methods that can be selected at Level 2. The nature of what we assume is completely different between the type of attack in which it is economically rational to send an e-mail to 10,000 people and obtain 100,000 yen from one of them, and the risk of stealing and copying the token of a government employee's PIV card. There is no doubt that the importance of this type of attack is increasing now that there are methods for attacking an unspecified number of people online. Basically, I think there is no problem with the material as summarized.
- On the other hand, even taking one-time password authentication without phishing resistance as an example, I recognize that there is a big difference between doing multi-factor authentication and not doing it in the first place. There is a difference in the effect of bringing the impact of an attack closer to zero, but I am a little concerned that if you narrow the options for multi-factor authentication too much, it will become difficult to use or people will go in the direction of quitting, so I think it is better to leave it as an option.
- While I am also working as an advisor to local governments, even the simplest possible method for realizing multi-factor authentication or phishing resistance, if it becomes mandatory for Authentication Assurance Level 2, will be difficult for local governments to choose, and since local government staff are in direct contact with residents and the users are visible to them, it will be difficult to adopt or accept. On the other hand, I think it is difficult to remove it, so I thought I had to read how acceptance in society will progress.
- Two-step verification is really easy to break through, so I hope you will value the line between two-step verification and non-SMS methods. In addition, there is "password + SMS authentication code" in the document, but there is no option for receiving a one-time password by e-mail. These are different, for better or worse, but as a menu, I think it's better to prepare both.
Additional Discussion: Granularity of Description of Threats and Approaches in the Guidelines
- Although threats change, I think that we should not hesitate to explicitly state the threats that are known at the present time. As long as there is a change in the degree of recommendation, I think it will not be conveyed to users unless there is a reason given for what is difficult to recommend and what is strongly recommended. If it is stated that something should not be adopted, what kind of threat there is, and that if the probability of occurrence increases over time and it becomes common it can no longer be used, then I think the expiration date of the document can be extended on the face of the text. NIST also left SMS as an option while conveying the message that it is Restricted, and I thought it was a good method and feel that it had to be stated like that.
- The anti-phishing guidelines published by the Council of Anti-Phishing Japan include "points to be aware of when sending e-mails to users," "measures to be taken in the event of a phishing attack," and other measures before and after an attack. If Level 2 does not require phishing resistance, I thought it would be helpful to refer to these points.
Closing and Next Announcement
Secretariat
- That's all I would like to discuss today. The next meeting will be held on Thursday, November 16th. Thank you very much for your participation over such a long session and for your comments.
END