By definition Identity Assurance in the context of federated identity management is the measurement of certainty that an individual, organization, or device is who or what it claims to be. Generally speaking, this degree of certainty is built through a Trusted Digital Identity Acceptance Policy that will Verify and Validate Identity claims.
Identity Validation & Verification
Identity Validation refers solely to whether the data is accurate. It does not verify that the user is using their own data; that latter step is referred to as Identity Verification. The two can sometimes be achieved in the same step, or verification can be implemented through alternative methods.
Let’s look at an example: Our fictional user, Peter, signs up with our application and fills out his address. At this point, the data is self-attested and not validated. Also, the identity is not yet verified.
To validate the data, we may ask Peter to enter his driver's license as well as his full name. This allows us to make a service call to the local DMV's database to confirm that the name + address combination is accurate. We can now state that the identity's address and name have been validated. This does not yet mean that we have verified ownership of the identity.
To verify the identity, we may get help from an app that asks Peter first to take a picture of the front and back of his driver's license, then to snap a selfie. The app compares the license photo with the selfie and checks that the driver's license is not a fake. While this gives us more assurance about the user's identity than a purely self-attested profile, we can imagine a scenario where a malicious person has stolen Peter's driver's license, Peter hasn't reported it stolen, and the attacker was able to trick the app past the facial recognition.
This leads us to the next topic, Level of Assurance.
Level of Assurance
Identity Assurance is represented in levels, referred to as Level of Assurance (LoA). LoA is a helpful indicator to manage risk of a certain service or activity.
To decide what Level of Assurance your service may need, the Pan-Canadian Trust Framework defines four Levels of Assurance.
| Level of Assurance | Confidence required | Harm if compromised |
|---|---|---|
| Level 1 | Little to none | Minimal to none |
| Level 2 | Some | Minimal to moderate |
| Level 3 | High | Moderate to serious |
| Level 4 | Very high | Serious to catastrophic |
To help you in the process of evaluating the Level of Assurance you may need for a particular service, the Treasury Board of Canada Secretariat has posted a very useful guideline on their site: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=26262.
After considering the harm that could occur in case of a compromise, we also have to take into account the amount of work involved in building a certain level of assurance. Generally speaking, the higher the LoA, the more work is involved for the user. To get a general idea of what is involved in reaching a given Level of Assurance, the Treasury Board of Canada Secretariat has posted a table that outlines its minimum requirements.
Going back to our scenario, we may decide that an LoA of 1 is enough for Peter to report a damaged light pole in a street maintenance app hosted by Peter's town. If Peter's account were compromised, this activity would cause minimal to no harm.
On the other hand, our driver's license example for Identity Verification might not be enough for a Line of Credit service deployed by a bank.
Depending on the exact service, we can assume that the harm or damage would be serious if Peter's account were compromised in this scenario. Therefore, the bank may only open this service to accounts that have reached an LoA of 3 or 4, to ensure that Peter is truly the owner of this account.
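The validation and verification steps above, and the LoA gating of the two services, can be modelled as a small policy check. This is an added example, not code from the original post or from any trust framework provider: the mapping of evidence kinds to levels is an assumed policy, not the TBS minimum-requirements table, and the license reference is a constructed placeholder. It also shows one answer to the storage question raised later, keeping only a digest of the evidence identifier rather than the personally identifiable value itself.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import List

class LoA(IntEnum):
    LOA1 = 1
    LOA2 = 2
    LOA3 = 3
    LOA4 = 4

@dataclass(frozen=True)
class Evidence:
    kind: str            # "self_attested", "validated" or "verified"
    source: str          # who produced it, e.g. "user", "dmv", "doc_selfie_app"
    issued_at: datetime
    reference: str       # SHA-256 of the evidence id; the raw licence value is not stored

def evidence_reference(raw_id: str) -> str:
    """Keep a digest so the record can be re-checked without retaining the PII itself."""
    return hashlib.sha256(raw_id.encode("utf-8")).hexdigest()

def assurance_level(evidence: List[Evidence], now: datetime,
                    max_age: timedelta = timedelta(days=365)) -> LoA:
    """Assumed policy (not the TBS table): self-attested only -> LoA 1;
    validated against an authoritative source -> LoA 2;
    validated and verified (document + selfie binding) -> LoA 3.
    LoA 4 would need checks not modelled here, so it is never granted."""
    fresh = {e.kind for e in evidence if now - e.issued_at <= max_age}
    if "validated" in fresh and "verified" in fresh:
        return LoA.LOA3
    if "validated" in fresh:
        return LoA.LOA2
    return LoA.LOA1

def can_access(required: LoA, evidence: List[Evidence], now: datetime) -> bool:
    """Gate a service by comparing its required LoA with the account's achieved LoA."""
    return assurance_level(evidence, now) >= required

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=400)   # evidence older than max_age no longer counts

def peter_evidence(at: datetime) -> List[Evidence]:
    """Constructed sample: Peter's self-attested profile, a DMV validation, then an app verification."""
    ref = evidence_reference("DL-PLACEHOLDER-0001")  # constructed placeholder, not a real licence number
    return [Evidence("self_attested", "user", at, ref),
            Evidence("validated", "dmv", at, ref),
            Evidence("verified", "doc_selfie_app", at, ref)]
```

With all three pieces of evidence Peter reaches LoA 3, enough for the street maintenance app and the assumed LoA 3 line of credit, but once the evidence ages past the policy window he drops back to LoA 1.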
At this point you understand Identity Assurance, you know how to pick the right Level of Assurance for your service, and you can build out workflows for Identity Validation and Verification.
This leads to some more considerations that we haven’t covered in this post:
- How to store the evidence information so that you can ensure Identity Validation on every access, while not unnecessarily storing personally identifiable information
- How to offer multiple alternatives for validation and verification, ensuring that your service is accessible to as many users as possible
- When and how to publish your obtained validated data to multiple subscribing systems
- How to build a progressive profile of a user to ensure that you do not store more data than needed
- How to add more layers to your Trusted Digital Identity Acceptance Policy, such as:
  - Verified Login
  - Verified Organization
  - Verified Relationships
- How to scale this approach to onboard hundreds of services in a short period of time
CitizenOne, as a mature Verified Person Acceptance Policy Trust Framework Provider, fits into your ecosystem to answer all of these concerns and more.
Are you interested in learning more about how CitizenOne can help you transform your organization for the digital world? Or are you a current CitizenOne customer who wants to learn more about Identity Assurance and the Pan-Canadian Trust Framework? We would love to hear from you: just visit https://www.vivvo.com/contact/ and we'll schedule some time to go over your questions in detail.