The present invention relates to the field of security and, more particularly, to holistic risk-based identity establishment for eligibility determinations in the context of an application.
Different security measures exist to secure protected assets, such as access to secured facilities and the receipt of protected services. These measures tend to be implemented in a uniform manner regardless of the specific context in which the measures are executed. Further, these measures tend to be implemented within a protected enterprise environment. Conventional security measures also tend to be implemented on a per-transaction basis, where each transaction is handled in an isolated, discrete fashion. That is, the question being posed and answered by the security measures is whether or not that particular transaction is legitimate as a whole, and risk is assessed (if at all) on this per-transaction basis. Many industry standards exist that permit best-practice security measures to be implemented within an organization and its associated entities.
Frequently, however, these measures result in limited security and/or excessive security that fails to adapt to domain-specific requirements. When limited security is implemented, the risk of breaches can increase dramatically, exposing sensitive information and services to unwanted personnel and/or entities. When excessive security is implemented, many problems can arise, including over-complexity, numerous inefficiencies, and costly upkeep. Further, excessive security can have the deleterious effect of overcompensating, which makes it difficult to determine situationally appropriate security measures. The shortcomings of these security measures are particularly detrimental to identity verification processes.
Traditional approaches to identity verification utilize an industry-accepted “three factor identification” model. These three identity factors are defined as “Who you are?”, “What you know?”, and “What you own?”. “Who you are” often includes physical and behavioral features of a person, such as fingerprints, facial features, and other biometric and physical features. “What you know” frequently includes information presumed to be known to the person to be identified, such as passwords, individual/family data, and other data or information. “What you own” traditionally refers to physical objects that are owned by, or legitimately in the possession of, a person, such as a passport, keys, other tokens, a driver's license, and other ID cards.
This three factor identification model is constrained and hindered by several limitations. First, it relies on a “physical world” concept of individual identification, as opposed to a more comprehensive information technology and data-centric approach to identity management. Secondly, the model does not provide for consideration of the operational context in which an identity or eligibility determination is to be performed. The model also fails to provide for risk assessment of other important influencing factors and/or relevant data used in individual identification. Further, the model does not effectively enable or support other key identity management capabilities such as confidentiality, risk management, non-obvious relationship analysis, and “trust” relationship management. Lastly, the model frequently favors a “card”-centric identity approach, thus minimizing and overlooking potentially more effective factors that could be used in identifying individuals. These shortcomings are part of the per-transaction security paradigm implemented by conventional systems, which assesses security and risk in an isolated, per-transaction manner, as opposed to a more holistic or context-aware fashion.
An additional individual identification verification solution is required in order to mitigate the significant constraints and limitations of the three factor identity model and associated variations of that model. Further, a new identification verification solution is needed in order to address an organization's required business capabilities and needs (e.g., effective resource utilization, cost reduction, increased revenue), which current identification solutions only marginally consider.