MorphoTrust and the State of North Carolina Lead Public‑Private Partnership to Pilot First Secure Electronic ID
NSTIC Grant Facilitates Test of Security, Viability and Interoperability of a U.S. Driver License Equivalent for Online Transactions
The driver's license is the document U.S. citizens most rely on to establish and assert their identity, providing access to a wide range of benefits, privileges and services. However, there is currently no equivalent for online transactions.
The State of North Carolina, MorphoTrust and a team of carefully selected partners will collaborate to test a driver's license equivalent proof-of-identity for online transactions. The team will focus on a use case for North Carolina Department of Health and Human Services (NC DHHS) benefit applicants. Three counties have been chosen by NC DHHS to take part in this proof of concept. Walk-in benefit applicants in the three county offices who choose to participate in the pilot will create an Electronic ID (eID) using their existing North Carolina driver's license or state ID to establish a trusted identity, meeting the same requirements as the traditional in-person identity verification process. These applicants will use their mobile phone (iPhone and Android smartphones), their state-issued driver's license or ID, and a new photo taken using the phone, to link them to the photo on record at the North Carolina Department of Transportation (NC DOT).
An electronic ID, or eID, is an identity token used in the digital world to create a trusted identity. MorphoTrust eIDs leverage the highly secure and trusted vetting process required to obtain a state driver's license or identification card. Today, state-issued driver's licenses are the documents we use most to establish our identity in order to receive a wide range of services, benefits and privileges.
MorphoTrust eIDs operate within a Trust Framework whose participants include individuals who desire to transact, identity providers, attribute providers, and relying parties, among others. Each participant needs to be able to trust the identities of those involved in the transaction and to trust that all identity information will be protected. All participants must also agree to the rules and policies established within the framework.
MorphoTrust eID gives individuals a token they can use online to authenticate themselves – putting the consumer in control of their identity. Individuals use their mobile phone to take a photo of their face and then use the image to achieve a much higher degree of trust, without the risks associated with the all-too-common user-name and password breach.
In instances where anonymity is acceptable, the MorphoTrust eID ensures web sites receive only the information needed to perform the transaction. For example, sites that require individuals to be of a certain age will receive only age verification, with no additional information shared about that person.
Key Concepts of the Pilot
Prove that an eID can be created that carries the trust of a secure credential and can be used to eliminate in‑person identity proofing requirements
Americans rely on their driver's licenses and state-issued IDs as their primary means of asserting their identity when performing secure in-person transactions. A visual comparison of the driver's license, the photo and the individual provides the trust needed for our most critical transactions; the pilot is focused on mirroring that trust in the online world. During the pilot, individuals who want to apply for FNS benefits will be given the option to do so online in place of the in-person verification required today.
Demonstrate elevation of trust using biometric multi-factor authentication
The strength of the eID created in this pilot is rooted in the direct link to the identity vetting process performed by NC DOT during the driver's license/state ID issuance process. The identity vetting processes in place at NC DOT (and MVAs across the nation) are exhaustive, making them an ideal source for obtaining the trust needed for online identities. A photo verification (biometric face matching) will be utilized to directly link each individual with their electronic record at NC DOT to minimize the risk that a person could obtain an eID using a false identity. Equally important, the biometric match forms a straight-line relationship between the identity vetting process executed at NC DOT and the new eID formed by MorphoTrust for the individual.
Define a framework through which state and commercial entities can trust each eID
For any eID to be successfully implemented, there needs to be a clear relationship established between all of the parties involved, and agreed-upon policies that will manage the interactions between them. MorphoTrust has formed a team that includes an important cross-section of parties that will ensure the trust framework implemented through the pilot has the ability to address the broader online community. A successful pilot will demonstrate how this diverse community of parties will transact seamlessly under the established Trust Framework.
The University of Texas at Austin Center for Identity (the Center)
The Center for Identity was formed to ensure that our nation’s institutions can manage and overcome emerging identity management threats. The Center will publish a study correlating the NIST Levels of Assurance (LOA 1-4) with the identity proofing processes used to issue a state driver license. These results will serve as an industry reference for online transactions in the future.
Gluu publishes free open source Internet security software that universities, government agencies and companies can use to enable Web and mobile applications to securely identify a person, and manage what information they are allowed to access. Gluu is providing the integrated identity platform for the pilot solution.
miiCard's digital passport creates trust online through a consumer-centric, bank-verified Bring Your Own Identity service. miiCard will leverage its identity platform to demonstrate the ability of the eID to integrate with other global commercial services and further extend the value of trusted identities online for consumers, business and enterprise.
Disclaimers regarding individuals and privacy: The option to participate in the pilot, the actions required to obtain the eID and the decision to use the eID to log in to a site online all reside with the individual. While the pilot offers a new online method of applying for FNS benefits, there is nothing restricting anyone from applying in the traditional in-person manner if they prefer to. Nobody except the individual may create an eID or assert an eID for online access. The eID itself is securely held within the individual's own smartphone and is only invoked when the user chooses to use it.
Personal Privacy: The security and safety of personally identifiable information (PII) is a primary concern, so the team has included an outside privacy expert to ensure that:
- No unnecessary information is requested, stored or transmitted during any stage of use
- Personal information is stored safely and in as few places as possible
- Personal information in transit is secure at all times