Identification

Definitions

The security quality subfactor, identification, is the degree to which the claimed identities of externals (e.g., people, roles, systems) are established before allowing them to request and receive services (e.g., perform functions, obtain data).

Measurement

Identification is typically measured in terms of:

• The percentage of the time that identification of a specified external [type] occurs in a specified situation.

Requirements

See identification requirements.

Mechanisms

Typical mechanisms for implementing support for identification include:

• Who You Say You Are:
  • Name
  • User Identifier
  • National Identifier (e.g., social security number)
• What You Have:
  • Digital possessions:
    • Digital certificate
    • Token
  • Physical possessions:
    • Employee ID card
    • Hardware key
    • Smart card enabled with a public key infrastructure (PKI)
• Who You Are:
  • Behavioral Characteristics (What You Do):
    • Keystroke dynamics
    • Signature style
    • Voice pattern
  • Physiological Traits (What You Are):
    • Finger print
    • Hand (palm) print
    • Face recognition
    • Iris recognition
    • Retina scan
    • Vein recognition (infrared scan of the back of the hand)
• Where You Are:
  • Dedicated LAN line
  • Network address verification

Guidelines

The following guidelines have been found to be useful with regard to identification:

• Identification is typically insufficient by itself, but is a necessary prerequisite for authentication.
• The scope of identification may include:
  • A business enterprise
  • An application
  • A component
  • A center