09 January, 2012
By Colin Soutar, Director of Identity and Privacy Assurance, CSC
In the past, the term “credential” was used solely to refer to a dedicated physical entity that intertwined an individual’s identity with a specific entitlement, for example a passport or driver’s license.
We’ve all witnessed the progression over the last decade or so, however, towards trusted identities that are separated out and used to access many different entitlements.Such trusted identities are typically manifested either as a secured version of the physical credential – the smart card – or as an online digital “persona.” To a degree, these techniques traditionally supported either end of the levels of authentication range.
However, the definition and certification of trust frameworks and the desire of users to use their own smart phones to access online and physical services has led to a much broader range of form factors that are being considered to support trusted identities. We believe that this trend will continue throughout 2012 and that the evolution of form factors will re-shape what we have traditionally defined as a “credential.”
In support of this, trust frameworks are helping to drive a clearer separation of the functions of identity proofing, identifier authentication and authorization. This provides a structure that enables various identity providers to supply certified components of identity proofing or identifier authentication, as referenced in the recently-updated version of NIST Electronic Authentication Guideline .
In addition, trust frameworks also enable service providers to “consume” a range of certified digital identities to support their required degree of identity assurance – in accordance with the assessed risk level. In this light, a PIV card is underpinned by the identity proofing provided by the NACI process, along with the authentication techniques specified in FIPS 201-1, up to and including biometric authentication. This combination of strong identifier authentication, and well-defined identity proofing process, supports the production of the very high assurance credential for this program. The smart card provides the secure credential to bind together a user’s identifier with their “proofed” identity.
Thus, it is clear that the three salient attributes of the PIV card are: the underlying identity proofing process; the use of strong authentication; and the secure binding inside the smart card of the user and their identifier by which they are known. The projection of these three factors, along with implicit cryptographic data protection and transport mechanisms, onto many diverse form factors such as smart phones, will enable users to access services using a broad variety of authentication mechanisms, in some cases using derived credentials1.
Indeed, as the global use of smart phones in personal, corporate, citizen and defense environments expands, it is critical to focus on these attributes to ensure that they are certified to fulfill a specified degree of identity assurance, rather than on the particular form factor used. This will enable users and service providers alike to use or accept, respectively, a wide range of user credentials, and will narrow the gap in terms of the levels of authentication that the various form factors can support.
We envisage that 2012 will see this continued certification of identity components and, therefore, users will be able to interact with service providers in a variety of ways. This will improve user convenience, by providing the ability to use already-available devices such as smart phones, in some cases with built-in biometric authentication capability. By the end of the year, this combination of strong authentication, along with the appropriate identity proofing, will allow such devices to be used in high assurance environments, and thereby serve as trusted credentials.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of January, these panelist’s predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews, ContactlessNews, CR80News, NFCNews, DigitalIDNews, ThirdFactor, RFIDNews, EnterpriseIDNews, FinancialIDNews, GovernmentIDNews, HealthIDNews, FIPS201.com, IDNoticias es.