Identity assurance

Identity assurance, in the context of federated identity management, is the ability of a party to determine, with some level of certainty, that an electronic credential representing an entity with which it interacts to effect a transaction can be trusted to actually belong to that entity.

In the case where the entity is a person, identity assurance is the level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued and not someone else. Assurance levels (ALs or LoAs) are the levels of trust associated with a credential, as measured by the associated technology, processes, and policy and practice statements.


1. Description

Identity assurance, in an online context, is the ability of a relying party to determine, with some level of certainty, that a claim to a particular identity made by some entity can be trusted to actually be the claimant's "true" identity. Identity claims are made by presenting an identity credential to the relying party. In the case where the entity is a person, this credential may take several forms, including: (a) personally identifiable information such as name, address, birthdate, etc.; (b) an identity proxy such as a username, login identifier, or email address; and (c) an X.509 digital certificate.

Identity assurance specifically refers to the degree of certainty of an identity assertion made by an identity provider by presenting an identity credential to the relying party. In order to issue this assertion, the identity provider must first determine whether or not the claimant possesses and controls an appropriate token, using a predefined authentication protocol. Depending on the outcome of this authentication procedure, the assertion returned to the relying party by the identity provider allows the relying party to decide whether or not to trust that the identity associated with the credential actually "belongs" to the person presenting the credential.

The degree of certainty that a relying party can have about the true identity of someone presenting an identity credential is known as the assurance level (AL). Four levels of assurance were outlined by a 2006 document from the US National Institute of Standards and Technology. The level of assurance is measured by the strength and rigor of the identity proofing process, the strength of the token used to authenticate the identity claim, and the management processes the identity provider applies to it. These four levels were adopted by the governments of the U.K., Canada and the U.S. for electronic government services.


2. Purpose

To conduct online business, entities need to be able to identify themselves remotely and reliably. In most cases, however, it is not sufficient for the typical electronic credential (usually a basic user name and password pair, or a digital certificate) to simply assert "I am who I say I am - believe me." A relying party (RP) needs to know, to some degree of certainty, that the presented electronic identity credential truly represents the individual presenting it. In the case of self-issued credentials, this isn't possible. However, most electronic identity credentials are issued by identity providers (IdPs): the workplace network administrator, a social networking service, an online game administrator, a government entity, or a trusted third party that sells digital certificates. Most people have multiple credentials from multiple providers. Four audiences are affected by the transaction and the inherent trust therein:

  • Entities that rely upon the credentials issued by electronic identity providers (IdPs),
  • Providers of IdP services and the auditors or assessors who review the business processes of IdPs,
  • Users of electronic identity credentials, and
  • Relying parties (RPs) that trust electronic identity credentials provided by IdPs.

Different IdPs follow different policies and procedures for issuing electronic identity credentials. In the business world, and especially in government, the more trustworthy the credential, the more stringent the rules governing identity proofing, credential management and the kind of credentials issued. But while different IdPs follow their own rules, more and more end users (often called subscribers) and online services (often called relying parties) wish to trust existing credentials rather than issue yet another set of user IDs and passwords or other credentials for access to a single service. This is where the concept of federated identity becomes important. Federated identity provides IdPs and relying parties with a common set of identity trust conventions that transcend individual identity service providers, users, or networks, so that a relying party will know it can trust a credential issued by IdP A at a level of assurance comparable to a common standard, which will also be agreed upon by IdPs B, C, and D.
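The assertion flow in the Description section (the IdP authenticates the claimant and returns an assertion carrying an assurance level, and the relying party decides whether to trust it) and the federated trust convention just described can be made concrete in code. The example below is added here and is not from the article or from any of the frameworks it names. It assumes a hypothetical federation trust registry that records the highest level at which an assessor has certified each IdP, a hypothetical per-resource relying-party policy, and the four NIST-style levels; all identifiers and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed federation trust registry: the highest assurance level at which
# an assessor has certified each IdP's proofing and credential management.
# An IdP absent from this table is not trusted at any level.
FEDERATION_TRUST = {"idp-a.example": 3, "idp-b.example": 2}

# Constructed relying-party policy: minimum assurance level per resource.
REQUIRED_LOA = {"public-notice": 1, "benefits-status": 2, "tax-filing": 3}

# Fixed clock so the sample assertions below are reproducible.
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class IdentityAssertion:
    """Hypothetical assertion an IdP returns to a relying party."""
    issuer: str            # IdP that authenticated the claimant
    subject: str           # identifier the IdP uses for the claimant
    asserted_loa: int      # assurance level the IdP claims for this login
    expires_at: datetime   # assertions are short-lived

    def __post_init__(self):
        if self.asserted_loa not in (1, 2, 3, 4):
            raise ValueError("assurance level must be 1..4")


def effective_loa(assertion, trust=FEDERATION_TRUST):
    """Cap the IdP's own claim at the level the federation certified it for.

    Returns 0 for an issuer outside the federation, which no resource accepts.
    """
    certified = trust.get(assertion.issuer)
    if certified is None:
        return 0
    return min(assertion.asserted_loa, certified)


def authorize(assertion, resource, now=None,
              trust=FEDERATION_TRUST, policy=REQUIRED_LOA):
    """Relying-party decision: (allowed, reason) for one assertion and resource."""
    now = now or datetime.now(timezone.utc)
    if resource not in policy:
        return False, f"no policy for resource {resource!r}"
    if assertion.expires_at <= now:
        return False, "assertion expired"
    loa = effective_loa(assertion, trust)
    if loa == 0:
        return False, f"issuer {assertion.issuer!r} is not in the federation trust registry"
    required = policy[resource]
    if loa < required:
        return False, f"effective LoA {loa} is below required LoA {required}"
    return True, f"effective LoA {loa} satisfies required LoA {required}"


# Constructed sample assertions.
FROM_IDP_A = IdentityAssertion("idp-a.example", "alice", 3,
                               FIXED_NOW + timedelta(minutes=5))
# IdP B claims level 3, but the federation only certified it for level 2.
FROM_IDP_B = IdentityAssertion("idp-b.example", "bob", 3,
                               FIXED_NOW + timedelta(minutes=5))
FROM_UNKNOWN = IdentityAssertion("idp-z.example", "zed", 4,
                                 FIXED_NOW + timedelta(minutes=5))
STALE = IdentityAssertion("idp-a.example", "alice", 3,
                          FIXED_NOW - timedelta(seconds=1))

if __name__ == "__main__":
    for label, a in [("A", FROM_IDP_A), ("B", FROM_IDP_B),
                     ("unknown", FROM_UNKNOWN), ("stale", STALE)]:
        for resource in REQUIRED_LOA:
            print(label, resource, authorize(a, resource, now=FIXED_NOW))
```

The design point is the `min()` in `effective_loa`: the relying party never accepts an IdP's self-reported level above what the federation's assessment has certified, which is exactly the "common standard agreed upon by IdPs B, C, and D" described above; an IdP's own assertion raises assurance only up to its certified ceiling.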


3. Specific implementations and proposed implementations




3.1. Netherlands

DigiD is a system whereby Dutch government agencies can verify a person's identity over the Internet, a type of digital passport for government institutions.


3.2. Poland

In a joint initiative between the Interior, Digital Affairs and Health Ministries, new chip ID cards will be introduced from Q1 2019, replacing the existing identity cards over a ten-year period.


3.3. United States

The US government first published a draft for an E-Authentication Federation Credential Assessment Framework (CAF) in 2003, with final publication in March 2005.

The Kantara Initiative identity assurance work group (IAWG) was formed in 2009. It continued the Liberty Alliance Identity Assurance Framework, which was based, in part, on the Electronic Authentication Partnership Trust Framework and the CAF, to enable interoperability among electronic authentication systems. It defined a trust framework around the quality of claims issued by an IdP, based on language, business rules, assessment criteria and certifications. The work began within the Liberty Alliance in early 2007, and the first public draft was published in November 2007, with version 1.1 released in June 2008. The Identity Assurance Expert Group within Liberty Alliance worked with the ITU-T, via the ITU-T SG17Q6 Correspondence Group on X.EAA, on harmonization and international standardization of the Identity Assurance Framework (work commenced Sept. 2008); on ISOC ISO SC27 29115 harmonization with the Identity Assurance Framework, among other contributions; and with the American Bar Association on developing a model trade agreement for federated identity.

The Kantara Initiative Identity Assurance Framework (IAF), published in December 2009, detailed levels of assurance and the certification program that brings the Framework to the marketplace. The IAF consists of a set of documents that includes an Overview publication, the IAF Glossary, a summary Assurance Levels document, and an Assurance Assessment Scheme (AAS), which encompasses the associated assessment and certification program, as well as several subordinate documents, among them the Service Assessment Criteria (SAC), which establishes baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated. Several presentations on the application of the Identity Assurance Framework have been given by various organizations, including Wells Fargo and Fidelity Investments, and case studies about Aetna and Citigroup are also available.

In 2009, the South East Michigan Health Information Exchange (SEMHIE) adopted the Kantara IAF.
