Assessing Identity Quality
The process of establishing identify quality requires the Attestation Officer to review different documents representing Evidence of Identity (EOI) in addition to having the applicant recite An Oath of Identity recording through a Remote Online Notary video process to establish reliability of their identity.
Attestation Officers are trained in two processes to accomplish this. A description of the different processes follows:
-
NIST 800-63-3 – Digital Identity Guidelines
The NIST 800-63-3 guidelines establish security and privacy controls for digital identity management for designated levels of assurance, including: identity proofing, authentication and use of authenticators, and identity federation. SP 800-63-3 establishes risk-based processes for the assessment of risks for identity management activities and selection of appropriate assurance levels and controls. Organizations have the flexibility to choose the appropriate assurance level to meet their specific needs.
Attestation Officers will use these guidelines to establish a level of identity assurance in support of the customer’s (relying Party’s) needs.
The NIST 800.63-3 guidelines do not include issuance of a digital certificate for the individual.
-
Osmio IDQA
IDQA processes, developed by The Authenticity Institute, takes the concepts outlined by the NIST 800.63-3 guidelines to a more detailed level by including a digital certificate along with a scoring system from 0 to 72.
The process of establishing identify quality and issuing a digital certificate requires a Certification Authority for the issuance and recording of the certificate and a process to determine the reliability of the identity.
The Certification Authority we use is called Osmio, which is a duly constituted public authority located in Switzerland. It has been established as a non-commercial enterprise to prevent the potential of change of control to an organization with a lesser standard of integrity. You can read more at: https://www.osmio.ch
Identity Quality Assurance (IDQA) represents a process to evaluate the quality of the identity that is being reviewed. This process results in a score that determines a measure of the reliability of the identity of that individual.
How Osmio IDQA™ adds value to your credential
While there exists an abundance of commercial identity verification services, only Osmio is prepared to assemble the output of those services along with other Evidence of Identity (EOI) to provide a permanent attestation of the level of confidence that you or your relying parties can have in a claim of identity.
Osmio and its agents, including Attestation Officers and Authorized Agencies, will provide a program of Identity Quality evaluation for all holders of your identity credentials.
With Osmio IDQA, the strength of a user’s identity claim — its Identity Quality — is evaluated using eight metrics, with each metric measured on a scale of zero to nine. All eight scores are then added together, giving an aggregate Identity Quality score of zero to seventy-two.
Relying parties (including your own organization) can set a minimum aggregate score, or minimums of any of the eight component scores, to grant or deny access to a resource.
The eight metric scores added together give an Identity Quality score of 0-72
How Osmio IDQA Scores Are Used
The eight scores are added together for an aggregate Identity Quality score of 0 to 72.
Whenever and wherever the credential is presented, the aggregate Identity Quality score and its eight component scores are presented, letting the relying party know the degree to which the identity claim can be relied upon.
Assignment of lower Osmio IDQA scores is done in an automated fashion, while the higher scores are assigned by a human Attestation Officer, as described previously in the Enrollment Component.
Some applications require more assurance of the validity of the identity claim than others. And some require different types of assurance. An online commercial real estate auction will want a high degree of assumption of liability (metric #7), while a social network for children will want to see that the user was enrolled in a face-to-face setting, establishing a high enrollment quality score (metric #2).
Watch
Osmio IDQA score inherited from Foundational Certificate
Most of the eight measures of identity quality of any puzzle kit are inherited directly from the Foundational Certificate, which ideally is a Digital Birth Certificate whose PEN (private key) signed the certificate signing request (CSR) of the utility or device certificate used in the everyday credential. However, everyday credentials can carry their own Osmio IDQA score. In fact, a credential’s Osmio IDQA score applies only to the actual certificate and the card, token, hard drive or other device that houses it.
The eight metrics of Identity Quality™ Each scored on a scale of 0-9
-
Degree of linkage of personal assets
Does the user have "skin in the game" or are the sponsoring organization’s assets the only ones at risk? If the only reliable way to prevent credential sharing is to use credentials that protect the user's financial, reputational, and identity assets, then to what extent does the identity protect those personal assets including ownership of the credential itself?
-
Quality of enrollment practices
What type of enrollment procedure was used? Did it involve PII corroboration (“KBA”)? Was it face-to-face notarial or remote? How is provisioning performed? How is the process supervised and audited?
-
Variety of means of assertion
Does the credential support FIDO, Passkey, eIDAS, OpenID, and others? A well-used identity is a more reliable identity; the more places it is used, the better.
-
Quality of authoritative attestation
What source of authority attests to the validity of the assertion — that is, the claimed identity? Is the attesting party a certification authority? How reliable are their attestation practices? How is identity status reported: CRL, OCSP, or another method?
-
Attestations from others
In an enrollment interview, how many important online services is the subject able to authenticate to, with this credential or another?
-
Quality of the credential
What are the characteristics of the credential and its carrier? (Secure Element or Secure Enclave in a phone, crypto wallet, password manager, etc.) Is one key pair or token used for everything, or is there a “credential stack” allowing for different personas and different relying parties? Some risk profile / asset-value situations call for two, three, or four-factor hardware tokens or a one-time password, while a soft token in a client computer will suffice for others. How big are asymmetric keys: 1024, 2048, or 4096 bits?
-
Quality of assumption of liability
If fraud is committed with the use of the credential, who carries the liability? Is that commitment bonded? What are the terms of the bond? What is the source of funds for the fulfillment of the bond? Are there caveats or is the commitment absolute, regardless of the circumstances that made the credential available to the perpetrator? To protect assets and processes of the highest value, where a compromised identity would have the most serious consequences, civil and criminal liability should be involved in the issuance and ongoing use of the credential. Equally important is protection against fraudulent repudiation. Non-repudiation is the most difficult goal for a trust system to achieve, but the system must be useful to relying parties where significant transactions are involved.
-
Reputation of the credential
How long has the credential been used without revocation or reported compromise? How many transactions and authentication events has it been used for in total? The longer a credential has been used without incident, the more reliable it tends to be. Note that the reputation of the credential is not the same thing as the reputation of the person. For example, if someone with a very good reputation has a habit of lending his or her credential to family members and colleagues — resulting in documented confusion over who is responsible for what — then the reputation of the credential is diminished. Evidence of Nonduplication may also be assessed as part of the Reputation of the Credential.”
For more specifics contact Juanita Lyons