Identity assurance

Identity assurance in the context of federated identity management is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity (human or a machine) with which it interacts to effect a transaction, can be trusted to actually belong to the entity.

In the case where the entity is a person, identity assurance is the level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued and not someone else. Assurance levels (ALs or LoAs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements.

Description

Identity assurance, in an online context, is the ability of a relying party to determine, with some level of certainty, that a claim to a particular identity made by some entity can be trusted to actually be the claimant's "true" identity. Identity claims are made by presenting an identity credential to the relying party. In the case where the entity is a person, this credential may take several forms, including: (a) personally identifiable information such as name, address, birthdate, etc.; (b) an identity proxy such as a username, login identifier, or email address; and (c) an X.509 digital certificate.

Identity assurance specifically refers to the degree of certainty of an identity assertion made by an identity provider by presenting an identity credential to the relying party. In order to issue this assertion, the identity provider must first determine whether or not the claimant possesses and controls an appropriate token, using a predefined authentication protocol. Depending on the outcome of this authentication procedure, the assertion returned to the relying party by the identity provider allows the relying party to decide whether or not to trust that the identity associated with the credential actually "belongs" to the person presenting the credential.

The degree of certainty that a relying party can have about the true identity of someone presenting an identity credential is known as the assurance level (AL). Four levels of assurance were outlined by a 2006 document from the US National Institute of Standards and Technology. [1] The level of assurance is measured by the strength and rigor of the identity proofing process, the strength of the token used to authenticate the identity claim, and the management processes the identity provider applies to it. These four levels were adopted by the governments of the U.K., Canada and the U.S. for electronic government services.

Purpose

To conduct online business, entities need to be able to identify themselves remotely and reliably. In most cases, however, it is not sufficient for the typical electronic credential (usually a basic user name and password pair or a digital certificate) to simply assert "I am who I say I am - believe me." A relying party (RP) needs to be able to know to some degree of certainty that the presented electronic identity credential truly represents the individual presenting the credential. In the case of self-issued credentials, this is not possible. However, most electronic identity credentials are issued by identity providers (IdPs): the workplace network administrator, a social networking service, an online game administrator, a government entity, or a trusted third party that sells digital certificates. Most people have multiple credentials from multiple providers. Four audiences are affected by the transaction—and the inherent trust therein:

  1. Users of electronic identity credentials,
  2. Entities that rely upon the credentials issued by electronic identity providers (IdPs),
  3. Providers of IdP services and the auditors or assessors who review the business processes of IdPs, and
  4. Relying parties (RPs) that trust electronic identity credentials provided by IdPs.

Different IdPs follow different policies and procedures for issuing electronic identity credentials. In the business world, and especially in government, the more trustworthy the credential, the more stringent the rules governing identity proofing, credential management and the kind of credentials issued. But while different IdPs follow their own rules, more and more end users (often called subscribers) and online services (often called relying parties) wish to trust existing credentials rather than issue yet another set of user IDs and passwords or other credentials in order to access one service. This is where the concept of federated identity becomes important. Federated identity provides IdPs and relying parties with a common set of identity trust conventions that transcend individual identity service providers, users, or networks, so that a relying party will know it can trust a credential issued by IdP 'A' at a level of assurance comparable to a common standard, which will also be agreed upon by IdPs 'B,' 'C,' and 'D.'
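The relying-party side of the decision described in the Description and Purpose sections, written out as an added example that is not part of the article or of any of the frameworks it names: the RP translates the assurance reference an IdP puts into its assertion onto the federation's common four-level scale, rejects assertions from issuers or with references that the trust framework does not list (rather than silently treating them as the lowest level), checks the assertion's validity window, and only then compares the asserted level with the level the service requires. The issuer names, the assurance reference strings and the per-IdP mapping table are constructed for illustration; a real federation publishes its own mapping.

```python
"""Relying-party side of a federated assurance-level decision.

Added example, not part of the article or any named framework. The issuer
names, the assurance reference strings and the per-IdP mapping are
constructed for illustration; a real federation publishes its own mapping
in its trust framework.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The common scale the federation agrees on: the four levels of assurance
# described in the article, 1 (lowest) to 4 (highest).
MIN_LEVEL, MAX_LEVEL = 1, 4

# Hypothetical mapping from each IdP's own assurance reference (what it writes
# into its assertion) to the common scale. Anything not listed is untrusted.
IDP_LEVEL_MAP = {
    "idp-a.example": {
        "urn:example:idp-a:password": 1,
        "urn:example:idp-a:otp": 2,
        "urn:example:idp-a:pki": 4,
    },
    "idp-b.example": {"basic": 1, "strong": 3},
}


@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for an identity assertion received from an IdP."""
    issuer: str                     # which IdP issued the assertion
    subject: str                    # identifier the IdP asserts for the user
    assurance_ref: Optional[str]    # IdP's own LoA / authentication-context value
    issued_at: int                  # epoch seconds
    lifetime: int = 300             # seconds the assertion stays acceptable


def common_level(assertion: Assertion) -> Optional[int]:
    """Translate an issuer-specific assurance reference to the common scale.

    Returns None for an unknown issuer, a missing reference or a reference the
    trust framework does not list: the relying party never guesses a level.
    """
    mapping = IDP_LEVEL_MAP.get(assertion.issuer)
    if mapping is None or assertion.assurance_ref is None:
        return None
    return mapping.get(assertion.assurance_ref)


def decide(assertion: Assertion, required_level: int, now: int) -> Tuple[bool, str]:
    """Decide whether the assertion satisfies the service's required level.

    Checks are ordered so that a stale assertion is rejected before its level
    is considered, and an unmapped level is rejected rather than treated as 1.
    """
    if not MIN_LEVEL <= required_level <= MAX_LEVEL:
        raise ValueError(f"required_level {required_level} is outside the common scale")
    if now < assertion.issued_at or now > assertion.issued_at + assertion.lifetime:
        return False, "assertion is outside its validity window"
    level = common_level(assertion)
    if level is None:
        return False, "issuer or assurance reference is not in the trust framework"
    if level < required_level:
        return False, f"asserted level {level} is below the required level {required_level}"
    return True, f"asserted level {level} satisfies the required level {required_level}"


if __name__ == "__main__":
    # Constructed sample assertions; timestamps are arbitrary epoch seconds.
    samples = [
        (Assertion("idp-a.example", "alice", "urn:example:idp-a:otp", 1_000), 2, 1_100),
        (Assertion("idp-a.example", "alice", "urn:example:idp-a:otp", 1_000), 3, 1_100),
        (Assertion("idp-b.example", "bob", "strong", 1_000), 3, 1_100),
        (Assertion("idp-c.example", "carol", "strong", 1_000), 1, 1_100),
        (Assertion("idp-a.example", "dave", None, 1_000), 1, 1_100),
        (Assertion("idp-a.example", "erin", "urn:example:idp-a:pki", 1_000), 4, 2_000),
    ]
    for assertion, required, now in samples:
        allowed, reason = decide(assertion, required, now)
        print(f"{assertion.issuer:>14} {assertion.subject:<6} need {required}: "
              f"{'ALLOW' if allowed else 'DENY '} ({reason})")
```

The mapping table is the concrete form of the "common standard" the article describes: each IdP keeps its own vocabulary, and the relying party's trust in IdP 'A' at a given level rests on that table rather than on the string the IdP chose. Signature verification of the assertion is assumed to have happened before `decide` is called; it is deliberately left out here so the example stays focused on the level comparison.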

Specific implementations and proposed implementations

Australia

Netherlands

DigiD is a system whereby Dutch government agencies can verify a person's identity over the Internet, a type of digital passport for government institutions.

Poland

In a joint initiative between the Interior, Digital Affairs and Health Ministries, new chip ID cards will be introduced from Q1 2019, replacing the existing identity cards over a ten-year period. [2]

United Kingdom

The UK's identity assurance programme, GOV.UK Verify, is delivered by the Government Digital Service in conjunction with private sector identity providers. GOV.UK Verify is a standards-based, federated identity assurance service to support the digital transformation of central and local government. The service allows citizens to use a federated identity model to prove they are who they say they are when they sign into government services. Users are able to choose an identity assurance provider from a range of certified suppliers and may choose to register with one or more of these suppliers. The service has been live since May 2016. [3]

United States

The US government first published a draft for an E-Authentication Federation Credential Assessment Framework (CAF) in 2003, with final publication in March 2005. [4]

The Kantara Initiative identity assurance work group (IAWG) was formed in 2009. It continued the Liberty Alliance Identity Assurance Framework, which was based, in part, on the Electronic Authentication Partnership Trust Framework and the CAF, to enable interoperability among electronic authentication systems. It defined a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications. The work began within the Liberty Alliance in early 2007, and the first public draft was published in November 2007, with version 1.1 released in June 2008. The Identity Assurance Expert Group within Liberty Alliance worked with the ITU-T (via the ITU-T SG17Q6 Correspondence Group on X.EAA, on harmonization and international standardization of the Identity Assurance Framework; work commenced in September 2008); ISOC (ISO SC27 29115 harmonization with the Identity Assurance Framework, among other contributions); and the American Bar Association (collaboration to develop a model trade agreement for federated identity).

The Kantara Initiative Identity Assurance Framework (IAF), published in December 2009, detailed levels of assurance and the certification program that bring the Framework to the marketplace. The IAF consists of a set of documents that includes an Overview [5] publication, the IAF Glossary, a summary Assurance Levels document, [6] and an Assurance Assessment Scheme (AAS), [7] which encompasses the associated assessment and certification program, as well as several subordinate documents, among them the Service Assessment Criteria (SAC), [8] which establishes baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated.

Several presentations on the application of the Identity Assurance Framework have been given by various organizations, including Wells Fargo [9] and Fidelity Investments, [10] and case studies about Aetna [11] and Citigroup [12] are also available.

In 2009, the South East Michigan Health Information Exchange (SEMHIE) adopted the Kantara IAF.[citation needed]

World Wide Web Consortium

Decentralized identifiers (DIDs) are a type of identifier that enables a verifiable, decentralized digital identity.

See also

  1. Authentication
  2. Single sign-on
  3. Identity management
  4. Liberty Alliance
  5. Security Assertion Markup Language
  6. Federated identity
  7. Digital identity
  8. OpenID
  9. Credential service provider
  10. Electronic authentication
  11. Privacy-enhancing technologies
  12. Identity provider
  13. National Strategy for Trusted Identities in Cyberspace
  14. Kantara Initiative
  15. Open Identity Exchange
  16. Trust service provider
  17. Qualified website authentication certificate
  18. Verifiable credentials
  19. Self-sovereign identity

References

  1. William E. Burr, Donna F. Dodson and W. Timothy Polk (April 2006). "Electronic Authentication Guideline" (PDF). Special Publication 800-63 Version 1.0.1. US National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-63v1.0.2. Retrieved November 10, 2013.
  2. "Poles to have new chip ID cards: report". Polskie Radio dla Zagranicy. Retrieved 2017-12-18.
  3. "What is identity assurance? - Government Digital Service". gds.blog.gov.uk. 23 January 2014. Retrieved 2020-11-22.
  4. "E-Authentication Federation Credential Assessment Framework" (PDF). Federal CIO Council. March 16, 2005. Archived from the original (PDF) on November 15, 2008. Retrieved November 10, 2013.
  5. http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1000-Overview.pdf
  6. http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1200-Levels+of+Assurance.pdf
  7. http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1300-Assurance+Assessment+Scheme.pdf
  8. http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1400-Service+Assessment+Criteria.pdf
  9. Licht, William (November 12, 2021). "Real World Identity Assurance: Wells Fargo Demonstration of Identity Assurance Principles In Action".
  10. Licht, William (November 12, 2021). "Liberty Alliance Webcast: Title: The Journey From Concept to Reality: Identity Assurance in Action".
  11. http://www.projectliberty.org/liberty/content/download/4420/29635/file/Aetna%20IDDY%20liberty%20case%20study%208.08.pdf
  12. http://www.projectliberty.org/liberty/content/download/4423/29647/file/Citi%20IDDY%20liberty%20case%20study%209.08.pdf