Level 3 and 4 Credentials in the Ecosystem (3H)

From IIW

Level 3 & 4 Credentials in the Ecosystem (3H)

Convener: Mike Magrath

Notes-taker(s): Mike Magrath

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Question on Levels and their meaning, and benefit, and what the levels mean
  • Use Cases: Sensitive, personal info such as healthcare and financial institutions
  • Other bodies have other definitions
  • Europe has only one level
  • Need policy for what can be done at what level (e.g. how much credit you can get with a credential)
  • Bindings, proofing, etc. are criteria in various levels
  • US Federal Government is not liable, but there is liability in Europe
  • FIPS 201 and SP800-63 are for government and for G2C, G2B, C2G, etc.
    • SP800-63 written for issuer and relying party
  • How does the consumer use Level 3 in the commercial world?
  • Use out of band transactions to verify identity to obtain a higher level credential
  • Actually care about the attributes involved for a transaction rather than an arbitrary assurance level
  • Back end fraud protection is what gives value to PayPal and eBay rather than the authentication
  • Identity credentials are not transaction credentials and the same authentication might not be appropriate
  • Open Identity Exchange exists and is a starting point so Trust Frameworks can be formed
  • It is not just about the authentication, but the validation of the source that counts
  • Does one have to notify when a street identity is “invalid?”
  • There is also an issue of confidence level of attribute – How old is it?
    • Police accept a Driver’s License address that is 5 years old
  • Will people use a smartphone to log on to a computer?
  • If embedded in phone (ubiquitous terminalization) it will be more accepted
    • Low payment only?
    • Healthcare?
    • When do you need the higher assurance?
  • If pervasive smartphones bring down cost, the gap for acceptance and use of high assurance goes away
  • Do we use the Carrot or the Stick?