How High Assurance Authentication Works
Identity assurance is about three things, at least as it involves individual consumers.
- In its strongest sense, identity assurance is about enabling a service provider to know the identity of the person to whom it is providing a service. It does this by relying on a digital credential issued to this person by an "identity provider" that has verified, to a certain degree of assurance, the person's identity by means of documentation or other methods. During a service transaction, this digital credential is authenticated by the identity provider to support or deny the identity claim. The outcome of the authentication procedure is then transmitted to the service provider, now also known as a "relying party", by means of a secure electronic assertion message.
- There are other situations in which a service provider doesn't really need to know the identity of a person, but just needs to know some particular attribute(s) about someone. For instance, is the person over a certain age, or does the person belong to some particular organization or other category of individuals? In this case, identity assurance is a bit of a misnomer, since the relying party only needs assurance about these attribute values. This might be more properly called "attribute assurance" instead.
- Finally, it may not even be necessary for the service provider to know any such identity-related information. All that may be needed by the service provider is assurance that the person using the service is the same person who initially signed up, or enrolled, to use the service. In other words, is it the same person coming back each time to use the service that he/she originally established? For instance, is access to an online repository of backup data being sought by the same person whose data is stored, or by someone else trying to gain unauthorized access?
While there are several technologies that can be used to provide stronger authentication to consumers to prevent these forms of identity fraud, we will focus on strong authentication within the context of "claims-based" identity. The following diagram illustrates how credentials issued by an Identity Provider that is trusted by the Service Provider can be used to authenticate the consumer's identity. The Service Provider relies on an identity assertion or "claim" issued by the trusted Identity Provider to decide whether the consumer's identity is valid. The trust relationship between the Service Provider / Relying Party and the Identity Provider is established by the rules and criteria specified by the "trust framework" accepted by each.

[Diagram: High Assurance Claims-Based Authentication of Consumers]

U-Prove for High Assurance Claims-Based Authentication
Also see additional references under Identity Assurance Links.
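The three levels of assurance listed above (full identity, attribute-only, and "same person coming back") and the Identity Provider / Relying Party exchange described with the diagram can be seen end to end in the following added example. It is illustrative code written for this page, not code from the page's author or from U-Prove or any trust-framework project. It assumes a shared HMAC key distributed under the trust framework as the signing key (real assertion formats such as SAML or signed JWTs use asymmetric signatures instead), and every user, password, key and issuer name in it is constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key standing in for the key material the trust framework
# would distribute to admitted identity providers and relying parties.
TRUST_FRAMEWORK_KEY = b"constructed-demo-key-agreed-under-trust-framework"


class IdentityProvider:
    """Verifies enrolled users and issues signed assertions to relying parties."""

    def __init__(self, issuer_id, signing_key):
        self.issuer_id = issuer_id
        self.signing_key = signing_key
        self.pseudonym_key = secrets.token_bytes(32)  # never leaves the IdP
        self.users = {}

    def enroll(self, username, password, attributes):
        # Enrollment is where identity proofing happens; the IdP then keeps a
        # salted PBKDF2 password hash and the attributes it verified.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "pw": pw_hash, "attrs": attributes}

    def _authenticate(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(cand, rec["pw"])

    def issue_assertion(self, username, password, audience, mode, now=None):
        """Authenticate the user and return a signed assertion, or None on failure.

        mode selects how much the relying party learns:
          "identity"     - full identity claim (who the person is)
          "attribute"    - only whether the person is over 18
          "pseudonymous" - a stable per-RP identifier and nothing else
        """
        if not self._authenticate(username, password):
            return None
        now = int(time.time()) if now is None else now
        attrs = self.users[username]["attrs"]
        claims = {"iss": self.issuer_id, "aud": audience, "iat": now,
                  "exp": now + 300, "nonce": secrets.token_hex(8)}
        if mode == "identity":
            claims["sub"] = username
            claims["name"] = attrs["name"]
        elif mode == "attribute":
            claims["over_18"] = time.gmtime(now).tm_year - attrs["birth_year"] >= 18
        elif mode == "pseudonymous":
            # HMAC over (user, audience): the same user always gets the same id
            # at one RP, but two RPs cannot correlate their identifiers.
            claims["sub"] = hmac.new(self.pseudonym_key,
                                     f"{username}|{audience}".encode(),
                                     "sha256").hexdigest()[:32]
        else:
            raise ValueError(f"unknown mode {mode!r}")
        payload = json.dumps(claims, sort_keys=True)
        sig = hmac.new(self.signing_key, payload.encode(), "sha256").hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingParty:
    """Accepts assertions only from issuers admitted by the trust framework."""

    def __init__(self, rp_id, trusted_issuers):
        self.rp_id = rp_id
        self.trusted_issuers = trusted_issuers  # issuer_id -> verification key

    def verify(self, assertion, now=None):
        """Return the claims if the assertion is trustworthy, else None."""
        now = int(time.time()) if now is None else now
        try:
            claims = json.loads(assertion["payload"])
        except (KeyError, TypeError, ValueError):
            return None
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return None  # issuer not in the trust framework
        expected = hmac.new(key, assertion["payload"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return None  # tampered or forged assertion
        if claims.get("aud") != self.rp_id:
            return None  # assertion was issued for a different relying party
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None  # expired (limits replay of a captured assertion)
        return claims


if __name__ == "__main__":
    idp = IdentityProvider("idp.example", TRUST_FRAMEWORK_KEY)
    idp.enroll("alice", "correct horse", {"name": "Alice Example", "birth_year": 1990})
    rp = RelyingParty("backup.example", {"idp.example": TRUST_FRAMEWORK_KEY})
    for mode in ("identity", "attribute", "pseudonymous"):
        print(mode, rp.verify(idp.issue_assertion("alice", "correct horse", "backup.example", mode)))
```

The relying party never sees the password: it only checks that the assertion is signed by an issuer the trust framework admits, is addressed to it, and has not expired. The `pseudonymous` mode is the "is this the same person who enrolled" case from the third bullet above, and the `attribute` mode releases an over-18 decision without the name or username, which is the "attribute assurance" case.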