A trust based methodology for determining identity risk

Identity theft, fraud, and abuse are rapidly increasing around the world, yet how information systems security providers verify user credentials remains generally unchanged[32]. In order to grant users access to services such as bank accounts or social networks, providers must collect information to store as user credentials. Previous research using authentication and authorization approaches has examined validating user credentials and controlling access, but these approaches still fall short in accurately identifying users[48]. To confirm user identity, most protocols only offer a binary indicator. Thus, quantifying the levels of trust between service providers and their users is necessary but not sufficient for ensuring secure transactions. In the context of transactions, this research proposes leveraging credential attributes to improve confidence in a user's identity leveraging trust and risk management methodologies. Transactions between users on the Internet require credentials that have a fixed number of attributes. When these credentials are created, attributes such as Social Security number, mother’s maiden name, and address are used to validate a particular user. Attributes are often lost, stolen or compromised. Once the attributes of an identity are compromised, anyone can assume that identity with benign or malicious purposes. Traditional solutions to this problem are to increase the trust level of the authentication through multiple modes, such as biometrics or smartcard tokens. While biometrics and smartcards are very useful attributes for increasing trust, this research shows that it is possible to increase trust of users with attributes typically held by or known to the user. This approach is appropriate in terms of cost and convenience and scales to a large number of transactions. Using only the attributes registered with an identity provider (e.g., address, zip code, name, etc.) can show how trusted a user is who presents an identity. Further, the risk to a service provider of allowing access to that user can be established with this limited information. Specifically, this research approach correlates attributes with existing information, including patterns of using attributes to authenticate the user and trustworthiness of existing data maintained by identity providers. The ability to correlate and vary these attributes provides higher confidence in a presented credential. The proposed methodology is shown experimentally to more accurately assess the risks of granting users access to a given set of data and information then existing approaches. These approaches to identification are shown to significantly increase the confidence of credentials granted to individuals through a series of simulations representing common transactions involving identity.