Advisory Panel on identity verification Practice Issues, Examples, Methods and Guidelines (2nd meeting in FY 2025)
We will hold a meeting of experts to formulate a commentary for 's "DS-511 Guidelines on the Treatment of Digital Identity in identity verification in Administrative Procedures, etc.", which has been developed as one of the Digital Society Promotion Standard Guidelines.
Overview
- Date and time: November 26, 2025 (Wed) from 16:00 to 18:00
- Venue: Digital Agency meeting room and online
- Agenda
- Opening
- Agenda
- Discussion on the contents of the guideline manual (draft)
- Adjournment
Material
- Proceedings (PDF/69KB)
- Document 1: Contents of the identity verification Guideline Manual (draft) (PDF / 1,951 kb)
- Proceedings (PDF/413KB)
Attendees
- Tatsuya Kano (Foundation and Identity Principal Engineer, Mercari, Inc.)
- Satoshi Goto (General Manager, Digital Solution Division, Secure DX Management Division, and General Manager, RCS Development Department, TOPPAN Edge Co., Ltd.)
- Natsuhiko Sakimura (Representative Partner, NAT Consulting LLC)
- Amane Sato, Professor, National Institute of Informatics (Director General, Digital ID Infrastructure Research and Development Center)
- Takashi Niizaki (CEO, Cedar Co., Ltd.)
- Akihide Higo (Director of TRUSTDOCK Inc.)
- Naohiro Fujiei, Executive Director of OpenID Foundation Japan
- Takafumi Masuo (Associate Professor, Faculty of Health Data Science, Juntendo University)
- Toru Minai (Deputy General Manager, Market Research Office, Innovation Division, Japan Credit Bureau Co., Ltd.)
- Koichi Moriyama (Chief Security Architect, NTT DOCOMO, INC.; Member of the Board of the Executive Council of the FIDO Alliance; Chair of the FIDO Japan WG; Executive Director (Board member) of W3C, Inc.)
Agenda (1) Discussion on draft contents of the Guideline Manual
"Proposed Table of Contents and Overview of Chapter 4 of the identity verification Guideline Manual"
The Secretariat provided an explanation based on Document 1, and experts held free discussions.
(Expert Opinion)
- Regarding the metrics on P12, I think it would be good to have information on registering authentication factors for user authentication. In the case of passkeys, etc., success or failure of registration depends on the user's environment. Therefore, considering that passkeys will be recommended in the future, I think it would be good to have data on the success rate of registration of passkeys, etc. and the percentage of authentication factors among all users as materials to determine whether authentication methods other than passkeys are necessary.
- I think the table on page 8 is based on the table in the main part of the Guidelines. However, in the main part of the Guidelines, it is described as a concept of risk identification, and the content of the impact when it becomes apparent is described. I feel that it is difficult to imagine how to use this. Do you assume that there is a use such as understanding that there are specific risks by looking at a specific concept, or do you assume that the reverse lookup is done because there is an impact?
- (Secretariat) This is intended to be an example of how risk identification and assessment should be done, rather than using a reverse lookup. In the future, we would like to expand the examples from actual assessment results, so that it can be used as a reverse lookup.
- In that case, I think it would be easier to understand how to write the main part.
- (Secretariat) Confirm including the granularity of description with the main part.
- In the risk case of P8, I was wondering if the person reading the manual would be able to tell the difference between impersonating a real person and impersonating a non-real person.
- (Secretariat) Correct the wording.
- The purpose of page 8 is to select the "appropriate assurance level" according to the risk. However, there has been a problem for some time that the risk tends to lean toward the high-impact side. Therefore, I think there was a discussion at meetings up to last year about preparing something like a worksheet. Will it be attached to "Attachment 2 Reference Materials" in the table of contents?
- (Secretariat) The policy for preparing worksheets has not changed. It is under internal consideration whether they should be positioned as part of the manual or outside the manual. In addition, the worksheet plan presented at the Expert Meeting about two years ago was complex based on the decision flow of NIST SP 800-63-3, but the worksheet in accordance with Section 4 of DS-511 is expected to be simple.
- What specific administrative procedures and processes are being considered to share examples of the selection of the level?
- (Secretariat) We would like to create a worksheet so that we can provide feedback based on the status of similar discussions, but we do not intend to include it in the Manual.
- In P8, there are low to high levels, and it is a problem to know which level they are in reality. Do you have samples? In NIST SP 800-60, there are high, moderate, and low levels for government work, but since there is none, I would like you to make a judgment to some extent.
- Unless the procedures themselves are expressed and visualized, it may be difficult to identify risks. Even in the National Cybersecurity Office (NCO)'s SBD manual, almost half of the first half is about how to write business models. If the volume becomes too large, it may fall under the category of project manager or Enterprise Architecture, but I would like to see how to organize business from the perspective of certification and how to visualize it.
- I would like to be able to collect the metric information shown on page 12, but to be honest, if you can't do something specialized, you won't be able to create how many things you can evaluate realistically. That's why I'd like you to use federation, but I'd like you to emphasize the point of monitoring and giving feedback so that it's not just human reviews.
- The sections "1) Identification of risks" and "2) Assessment of the impact of risks" on page 7 are difficult to use in practice. I think it is difficult to determine unless there are some specific cases. Considering who will read this material, there may be some inconsistencies. I got the impression that it would be better to use a certain amount of case-based text because it is a practical manual.
- Regarding P8, I felt that it was somewhat difficult content for those who read this guideline and manual for the first time. The part following the level judgment as a process on the previous page is easy to understand, but I think that administrative officials who judge the assurance level and people who design the system will want to understand which assurance level they encounter when they read it. In the "Details of the Impact at the Time of Actualization," at the bottom is "The e-mail address and password of the registrant will be leaked to the attacker," which is always true if you use a password. I would like to judge the level according to the nature of the actual system, but I think that what is described here is the characteristics of the system itself and is not a good material for judgment. I feel that it is a little difficult to grasp the logic of the "low" overall impact level, meaning that it is OK to say level 1 because it is OK to leak. I think that whether the service you are trying to provide is level 3 or level 2 is the place you are most interested in, so I would like some hints for judgment. I think that it is better to fill the logic and examples that are useful for judgment a little more, rather than being able to squeeze it into this one page.
- The content of P12 is very deep, and I think there will be differences in what is considered complete and what is considered a failure. The definition of time to completion differs depending on the system. I think it will be difficult to answer at this meeting, but since the manual will be revised in a timely manner, I would like you to accumulate knowledge.
- It is said that the content of P3 will be described in the Guideline Manual, but should it also be stated that a separate guideline will be prepared for identity verification for employees who perform internal administrative work, etc.?
- (Secretariat) We do not plan to include this point in the manual itself.
- If it says that it is not covered, I don't know what to read, so I think it would be good to describe this guideline as a reference. If it says only that it is not covered, I wonder if there are other things.
- (Secretariat) I will try to cover that point.
- With regard to P12, when the biometric authentication system was introduced, there was a question about whether it was being used correctly. This is not the main topic, but there are organizations that are monitoring not the security side but the operation side, and are working on a mechanism to find people who are not using it well, so I thought it would be good to use it together with that.
Concerning the Concept of Selection of Identification Methods
The Secretariat provided an explanation based on Document 1, and experts held free discussions.
(Expert Opinion)
- I was a little concerned about the point of "3) Examination of implementation model and implementation means" after deciding "2) Examination of methods other than My Number Card" in the implementation flow. The reason is that the timing of 3 is difficult because the methods 1 and 2 are determined when the implementation model of 3 is selected. I think it is good to think about 3 after thinking about 2, but there is a possibility that the examination will be useless.
- (Secretariat) There is also a part that you are right. If you write 3 first, you will end up with the judgment of "choosing the one you can choose", so I have put it in this order so that you can think about the method that should be done first.
- I think it is very easy to understand and good to consider other means if it is not sufficient, mainly in My Number Card. On the other hand, on P19, it is written that you can choose which method to adopt based on the assurance level for methods other than My Number Card, but I think other methods that can be adopted depend on the service delivery channel. For example, if you have an original task such as online only, face-to-face, or mailing, you can do what you can do on top of that, so I think it is unreasonable to prepare a face-to-face contact point for online services. Since the diagram on P20 is easy to understand, I thought it would be good to write that you choose which one to choose depending on the assurance level and service delivery channel, and that you consider additional measures if the assurance level is insufficient with that method. Related to this, the example of the results of the study on P15 seems to be an example of a fairly strong method. As an alternative method for My Number Card, I think it is a mixture of an example of adopting an alternative method by mailing or face-to-face, and a specific example of the personal assurance level for each. Although the amount may be large, I thought it would be good to divide it into two patterns and present it in two ways, one for the online provision channel and the other for the mailing / face-to-face provision channel.
- Before deciding whether to use My Number Card or not, I think the most important concept is what kind of identification is required for this administrative service. Frankly speaking, I think there should be something in the first part of this. For example, there are services such as money transfer through Act on Prevention of Transfer of Criminal Proceeds and identity verification for mobile phone businesses, and it is defined that identification should be performed by laws and regulations. If you are going to provide services to the people as an administration, it may not be exactly the same, or if there is something equivalent to that, I think there is an identification that should be done first. On top of that, I think My Number Card is very effective in realizing that. In order, first of all, what kind of identification should be required. I think it is good to actively promote the identity verification method using My Number Card as a means in the explanatory document. I think other methods should also be described from the concept of "no one will be left behind."
- There is something to consider in terms of using My Number Card in the implementation model. JPKI attracted attention from an early stage and smartphones were installed ahead of others, but some teachers say that those using electronic certification for signatures are equivalent to registered seals. In the current era where electromagnetic records alternative to cards have been put into practical use, I think that one idea is to actively promote electromagnetic records alternative to cards in the explanatory document.
- Whether it is JPKI or an electromagnetic record alternative to a card, only one smartphone electronic certification can be registered on a smartphone owned by a citizen. There is also a story about what people with Androids would do with iPhones. It is becoming a common technology that people want to receive administrative services on PCs, but PCs do not have My Number Card, but they can install My Number Card on their smartphones and use identity verification on PCs. I think it would be good to keep in mind that such matters need to be written in the explanatory document.
- (Secretariat) For example, in Mynaportal, QR codes can be used for cross device authentication. There is a problem of how general-purpose it can be used, but I think it can cover a certain amount.
- On Page 15, there is a description of "Supplementary AP for Entry of Matters on Certificate," but I believe there was also a description in the first document that the verification of the applicant cannot be performed with the verification numbers A and B, so I thought it would cause misunderstanding if there was no such description.
- Am I right in thinking that the usage is based on the so-called 4 pin?
- (Secretariat) You are right.
- I don't think there are many use cases for obtaining My Number, but isn't it so?
- (Secretariat) There are not many use cases for acquiring My Number, but we recognize that it is possible to use the Supplement AP for Entering Information on Certificates regardless of whether or not My Number is acquired.
- If it is a 4-digit PIN, my number will also come in, and I thought that only those who are involved in the use and related office work can use it.
- (Secretariat) We will consider appropriate descriptions based on the case where people in the private sector will refer to it.
- On P18, it was mentioned earlier that it is equivalent to a registered seal, but regarding 1-b), I think it is necessary to guide the UX and display so that users can understand that they have a registered seal. I think we still hear a lot about why we need to scan My Number Card many times and why we need to use different passwords and PINs. I think there is a point that confusion is caused by putting a seal and identification in one card. Also, as smartphones will be installed in the future, I think it would be good to describe that we should guide something like a notice of accessibility and usability so that users can understand what they are doing from their perspective.
- On page 19, there is a description of cases in which a method that does not meet the assurance level is adopted due to unavoidable circumstances. However, we recognize that there are cases in which applications are made forcibly due to the lack of documents at the window of the government office. While it is reasonable to write that this is not acceptable as a guideline, considering the current situation, we do not recommend a method to make up for the lack of documents later, but I think it should be clearly stated.
- It is always necessary to think about which attributes are required for identity verification. I think the ones listed here are not very desirable because even at Level 1, all information will be stored. From the perspective of privacy, I think it would be better to clearly indicate the means by which selective disclosure can be made. You can do it if you use an electromagnetic record instead of a card, or at a digital Authentication App in Digital Agency. I think it is important as a guideline to indicate that there are such options so that they can be understood.
- An IC card is listed as an alternative for those who do not hold a Guarantee Level 3 My Number Card on page 15, but I don't think ordinary people can think of anything that meets this condition. I think it would be better to write it for them. I thought it would be good if an accreditation and certification authority was written as an alternative.
- Is it because My Number Card is not able to issue it immediately, that is, when it expires, there is a period of at least one week in which it cannot be used, and it is not mandatory that the method other than My Number Card cannot be eliminated?
- (Secretariat) As you say, we assume the procedures of high urgency that cannot wait for new issuance or reissuance as a typical case.
- If an alternative method is established, it may cost the service provider. For example, it may be difficult to prepare a personal My Number Card (specific information delivery type) because it is very costly, and it may be difficult to decide whether it is really necessary to prepare one. In addition, since an alternative method is usually a loose method in terms of security, there is a concern that many people will easily use it. There is a concern that if there is an alternative method, it may go against the direction of wanting people to use a postal service, and as a result of choosing an alternative method for a long time, it may become impossible to remove the alternative method. I thought it might be better not to say that there is an alternative method, and it might be better not to describe the alternative method flatly.
- I thought it would be simpler and better to guide them to use My Number Card. The alternative method that does not use My Number Card is extremely less usable. As a result, I think it would be a good idea to recommend the use of My Number Card.
- If the alternative method costs the user, I think the balance is good, but if it costs the service provider and there is no burden on the user who chooses the method, I think it is a little difficult.
- In addition to JPKI and Electronic Records in Lieu of Cards, there is also eKYC, which uses My Number Card as an IC-chip-attached identification document. This has the advantage that people can use it without remembering the PIN number of My Number Card. The utilization rate is higher than the method of using driver's licenses as eKYC with IC chips, and the success rate is also high. Will such things like how to use My Number Card be included in the manual?
- (Secretariat) My Number Card also has various methods, so I am thinking of attaching a brief overview on the attached sheet. eKYC as an external service you mentioned was not a candidate for inclusion, but I will consider it.
- Regarding the IdP on page 21, I would like to mention that it is an IdP within a government agency. In addition, as for other options for digital Authentication App, even if gBizID cannot be mentioned because it is for corporations, for example, eMAFF is for individuals a little more, so I thought it would be good to have examples and explanations.
- Recently, some have been handing out localized identities. Local governments and municipalities are collaborating, but if you don't keep them in mind, you may end up using IdPs who should not be trusted in the first place, so I think it is better to take action now. Not a comment on the guidelines, but a comment on how to contain the current situation.
Concerning "Approach to the Selection of Authentication Methods"
The Secretariat provided an explanation based on Document 1, and experts held free discussions.
(Expert Opinion)
- In the "Comprehensive Measures to Protect Citizens from Fraud," passkeys are described as a standard established by an international standardization organization as a phishing resistant authentication method. The Financial Services Agency and the JSDA, in their supervisory guidelines and guidelines on October 15, respectively, decided to make phishing resistant authentication methods mandatory or default. In response to this, implementations and releases of passkeys are rapidly increasing. Given such circumstances, I think that there are no options other than user identification by the My Number Card or passkeys. Therefore, as an explanatory document, I think it would be easy for those involved in practical operations to understand if it is written as concretely as this. Even in the Financial Services Agency and the JSDA, it is not written as "passkeys," but as "phishing resistant authentication," and as an example, it is written as passkeys or PKI-based ones. I think it substantially refers to these two, so I think it is consistent.
- I believe it was in the press release, but people from OpenID Foundation Nippon have made comments on the public comments regarding the partial revision of Financial Services Agency's supervisory guidelines. In it, it is written that identity verification and identification will be important when registering passkeys. As I mentioned when Ministry of Internal Affairs and Communications was promoting the installation of My Number Card smartphones in 2021, identity verification will be extremely important when setting passkeys. There have been reports that when registering passkeys, there is only a two step verification, and attackers have begun to set passkeys on attacker terminals. This is a serious situation, so I would like you to make sure to add that identity verification is important when using phishing resistant authentication, especially at level 3 in this case.
- I think it is a separate discussion whether it should be included in the personal identification method item, but as far as I look at the table of contents, I don't think there is any talk about account recovery. I think there is no choice but to include it here, but I think it should be stated. It also relates to the content of the identity verification at the time of setting that you just mentioned.
- Binding and recovery are duties that CSPs must perform, and it is recognized that this document describes the methods of authentication that administrators allow consumers to use. I think I have to say both of them, but I think the readers who are supposed to read the comments of both of them are double. I thought it was quite difficult how to incorporate it into the manual.
- A typical example of using the electronic certification for user identification in My Number Card is the digital Authentication App, but I think that readers will not get lost if you write a specific name.
- When choosing a CSP, it is important that the CSP is properly operated and tested. It is OK if only digital passkeys are considered as CSPs, but it may be better to indicate such a point of view somewhere. In fact, there have been CSPs that exposed private keys in the past, and they have not followed the protocol properly. An Authentication App also refers to a protocol, but when it comes to an electronic certification for user identification, I think it does not necessarily refer to the protocol. Originally, the protocol also needs to be secure, so it should be described.
- What kind of measures do you have in mind for the administrators and designers to make sure that the providers are doing things properly?
- Since we will be checking Attest and Certify in the protocol, I think we have no choice but to build a trust framework.
- I understood that I had no choice but to build a trust framework because I had to utilize such things and I could not Attest because I could not go to check individually.
- When it comes to recovery, a common pattern is to use a passkey as the normal verification factor, and to recover the passkey by re-verifying your identity in a situation where the passkey cannot be used. Since DS-511 also mentions re-verification of your identity as an example of a typical account recovery measure, I think it is included, but I could not read through which level it corresponds in this manual, so I would like you to clarify it. On P26, since it is limited to My Number Card (electronic certification for user identification), I thought that it was assumed to be the use of My Number Card as personal verification rather than re-verification of your identity. I do not know whether account recovery by re-verifying your identity would be level 3. Since it is not a passkey or My Number Card, I did not know whether it would be a different method. I would like you to clarify that point in the document.
- (Secretariat) In response to your comments today on account recovery, I would like to expand upon them in the commentary. I will also organize the relationships and correspondences to be clear.
- There is also a discussion of identity verification and vice versa in the recovery example. When talking about this kind of thing, identity verification and identity verification are described separately, but I thought it would be good to explain that they are actually related to each other.
- I recognize that the NIST document is the same.
- This is the order in which personal identification and identity verification are most common in enterprises, but in services for citizens, it has been said for some time that it is sometimes better to reverse the order. The point is that passkeys are registered first and then IAL is raised, and I think it is safe to say that it is not necessarily in this order. Since there is a My Number Card in Japan, either way may be fine, but if there is no unified electronic means of verification like in the US, there is a problem of how credentials are handed over after identity verification, so it is said that the risk is lower if credentials are handed over first and then the IAL of the account is raised.
- I personally think that it is necessary to secure a certain level of passkeys when considering how a person who has unintentionally registered a passkey will notice the damage and what the RP side who has issued the passkey can do.
- As I mentioned earlier, in the case of credentials first flow, you can't do anything at the time of credentials enrollment. You can only verify your identity in the session.
- It is effective in a system where you have a credential and you can control the authority that the credential has, but I think there are few systems that do that. It may be good if we can educate such parts through the manual, so I think it would be good to go that far.
- From the perspective of continuous access evaluation, we need to create a system that records the level and allows it to be raised and lowered freely. I think such points will be required in the future.
- I don't think ordinary people know that you have to confirm your identity before authenticating yourself. I understand that the meta threats are organized, but since it is an Informative document, I think it would be easier to understand if you write some specific examples, so I would like you to consider it.
- When it comes to local identification, if a municipality creates a VC (Verifiable Credential), device-bound to a smartphone, and uses an Android keystore, is there a mechanism to sift through them?
- A similar story is with the US mDL. When opening an account using the US mDL, depending on the state, the mDL may not have been issued in accordance with the Real ID Act, so it would be a problem if there were no flags, so there are discussions about how to expand it.
- In the case of actual face-to-face procedures, there are cases where an identity verification can be made even for those not issued by the administration, and in such cases, I think it may be accepted to a certain extent. However, it will be within the scope of the main part of the guidelines, so I think it will be outside the scope of today.
- (Secretariat) Historically, it has been widely accepted, and until the early 2000s, employee ID cards seemed to be much more reliable than Basic Resident Register cards. However, after 9.11, it is not the Act on Prevention of Transfer of Criminal Proceeds or the Act on Prevention of Improper Use of Mobile Phones, but if it is only required as a risk mitigation measure, it is only a discussion of risk mitigation, in which cases it is okay to take risks, so it is quite possible to accept it. I think it is good to discuss whether it is good for inclusion.
- At the time of the DS-511, there were discussions, but will issues such as the mask issue be included in the manual? I think it will be an actual issue, so I think it would be good if it is described in the manual.
- (Secretariat) It is planned to be stated as an explanation of the individual methods in the attachment.
- I have had the opportunity to introduce DS-511, but it is difficult for me to ask you to read all of it, so I would appreciate it if you could prepare not only the Word version, but also the summary version in PowerPoint for explanation.
Adjournment
(Secretariat) This year, I am talking about specific practices, and I think it may be more important than DS-511, because what is actually required is not philosophy but a guidebook. In addition, the Act on Prevention of Improper Use of Mobile Phones is scheduled to be revised next year, and the Act on Prevention of Transfer of Criminal Proceeds is scheduled to be revised the year after next, and in both cases, compared to online, the chip will be read, including face-to-face, which is a major turning point. We have been doing visual identity verification for decades, so the challenge we are trying to do now will be a major turning point for the first time in decades. It is a document that will be the base for that, so I would like you to discuss it thoroughly. On the other hand, since it is an Informative document, rather than aiming for perfection, I think it would be good if we could update it with timely information. I would appreciate your continued opinions.
(Secretariat) Finally, I would like to conclude with some administrative guidance. As in the past, we will prepare a draft of today's proceedings within two weeks and share it with everyone, so please check it. As soon as we receive confirmation from everyone, it will be available on the Digital Agency website. Then, that's all for today's expert meeting. Thank you very much.
END