Leveling up social credentials
At a high level, a trust framework is a guarantee. For example, payment cards use a trust framework to guarantee payment when a charge is authorized.
In the identity ecosystem a trust framework would guarantee that an ID provider has taken steps to assure that an online identity is connected to the correct individual. The American Association of Motor Vehicle Administrators and the Virginia Department of Motor Vehicles are implementing a trust framework as part of their pilot for the National Strategy for Trusted Identities in Cyberspace.
The trust framework needs to serve both the public and private sectors, says Paul Blanchard, project manager for the Cross Sector Digital Identity Initiative pilot. The team initially looked at what was available publicly, conducting a gap analysis to find out what areas needed to be filled. It determined that the InCommon Trust Framework best fit the project’s needs, though it still required fine tuning.
“You’re assembling these components and gluing them together with a trust framework that enables multiple relying parties, attribute verifiers, credential service providers and others to all participate in this identity ecosystem,” Blanchard explains.
Next, the pilot is going to take identities from commercial providers – Google, Facebook, etc. – and enable consumers to add assurance to them, Blanchard says. Consumers will use driver license data, which will be checked against the Virginia DMV, to add the extra authentication elements. “We’re enabling consumers to take their commercially available identities and augment it with different authentication events so the identity becomes more reliable to relying parties,” he says.
Relying parties will choose what strength credentials they will consume. “They can say they’re fine with a self-asserted credential or they can choose to augment that,” Blanchard adds.
The project is offering a “buffet of authentication events” for users, Blanchard says. Included in this buffet is a gesture-based authentication technology from pilot participant Biometric Signature ID.
To enroll, the user draws a “signature” using the mouse and builds a profile. When returning to use the system, the user again draws the signature, it is checked against the enrolled version and an authentication decision is made.
Another pilot partner, PhoneFactor, provides out-of-band authentication by delivering one-time passcodes to a user’s mobile or home telephone.
We are working to sign up relying parties to consume these new credentials, Blanchard says.
The system will be privacy enhancing and user centric, enabling the relying party to see only the user data necessary to complete the specific transaction, Blanchard says. For example, if a relying party needs to know that the user is over the age of 18, the system will simply return a yes or no response, rather than provide the actual date of birth.