Authentication is the process of ensuring that an individual is the person that they claim to be. This involves matching a person’s claimed identity—asserted through a credential (e.g., an ID card or unique ID number)—against one or more authentication factors that are bound to that credential. Potential authenticators include:
Secure authentication (i.e., for higher levels of assurance) requires a multi-factor approach. In general, the combination of authentication factors should include some or all of the three above categories. In addition, sub-factors—such as location (where are you?) and time (when are you trying to authenticate?)—can be used in combination with the other core factors to create further conditionality when authenticating.
Digital authentication—i.e., authentication that involves electronic credentials and processes—can be done in-person (e.g., at a physical bank branch or government office) or remotely (e.g., via a mobile or web service). While remote digital authentication is by definition “online” (i.e., it requires an internet connection), in-person transactions can be digitally authenticated using online or offline mechanisms (see Figure 29).
Figure 29. Digital authentication modes
Both online and offline authentication mechanisms have a common set of requirements in order to protect the person asserting their identity and to offer sufficient assurance to the identity consumer (a service, person, or relying party). In general, an authentication mechanism should:
This section describes some offline and online authentication mechanisms that are commonly used in foundational ID systems. The choice of which mechanisms to adopt is closely tied to the types of credentials issued by the ID system and should be appropriate to the intended use cases for the system and country-specific constraints such as connectivity and digital literacy (see Section II. Planning Roadmap).
Offline authentication
Offline authentication—used for in-person transactions when connectivity is unavailable or unnecessary—must provide a means of verifying that the person asserting their identity is who they claim to be without referring to other systems (e.g., remote identity databases, online services, etc.) and, if possible, that the credentials they present are genuine. In general, there are three primary options for offline authentication (summarized in Table 33):
Table 33. Offline authentication mechanisms for in-person transactions
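As an added illustration of the requirement above that an offline check should, where possible, confirm that a presented credential is genuine, the following Go program signs a credential at the issuer and verifies it at a relying party using nothing but the issuer's public key and the device clock. This is example code written for this page, not code from the page or from any ID system it describes. The credential fields, the placeholder photo bytes, the expiry value and the key pair are constructed for the example; the pattern of signing a hash of the photo together with the identity data, and displaying the photo for visual comparison only after that hash has been verified, mirrors how signed machine-readable credentials bind a photo to the holder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the payload the issuer signs and writes onto the card or into a
// 2D barcode. The fields are constructed for this example, not a real scheme's data model.
type Credential struct {
	ID        string `json:"id"`
	Name      string `json:"name"`
	NotAfter  int64  `json:"not_after"`  // Unix seconds
	PhotoHash []byte `json:"photo_hash"` // SHA-256 of the holder photo stored beside the payload
}

// SignedCredential is what the holder presents: payload, issuer signature and the photo bytes.
type SignedCredential struct {
	Payload, Signature, Photo []byte
}

// Issue runs at the issuer, once, with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential, photo []byte) (SignedCredential, error) {
	h := sha256.Sum256(photo)
	c.PhotoHash = h[:]
	payload, err := json.Marshal(c) // struct marshalling is deterministic, so the bytes are stable
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload), Photo: photo}, nil
}

// VerifyOffline needs only the issuer's public key (distributed to verifiers in
// advance), the device clock and what the holder presents; it never contacts the
// ID system. On success it returns the credential and the photo, which the
// verifier's device may now display for the officer to compare with the holder.
func VerifyOffline(issuerPub ed25519.PublicKey, sc SignedCredential, now time.Time) (Credential, []byte, error) {
	var c Credential
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return c, nil, errors.New("credential is not genuine: issuer signature does not verify")
	}
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return c, nil, err
	}
	if now.Unix() > c.NotAfter {
		return c, nil, errors.New("credential has expired")
	}
	h := sha256.Sum256(sc.Photo)
	if subtle.ConstantTimeCompare(h[:], c.PhotoHash) != 1 {
		return c, nil, errors.New("photo does not match the signed credential")
	}
	return c, sc.Photo, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // issuer key pair (constructed here)
	if err != nil {
		panic(err)
	}
	photo := []byte("constructed placeholder for JPEG bytes")
	sc, err := Issue(priv, Credential{ID: "EXAMPLE-0001", Name: "A. Example", NotAfter: 2000000000}, photo)
	if err != nil {
		panic(err)
	}
	c, _, err := VerifyOffline(pub, sc, time.Unix(1700000000, 0))
	fmt.Println(c.ID, err)
	sc.Payload[len(sc.Payload)-2] ^= 1 // any change to the payload breaks the signature
	_, _, err = VerifyOffline(pub, sc, time.Unix(1700000000, 0))
	fmt.Println(err)
}
```

The signature is checked before the payload is parsed or any field is used, so a forged or altered credential is rejected before its contents can influence the verifier; expiry is judged against the verifier's own clock, which is the only time source available offline.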
Online authentication
Where relying parties and users have access to internet and/or mobile network connections, online authentication can be used for both in-person and remote transactions. The ability to refer to other systems—such as remote servers, data stored in the cloud, web- and mobile-based applications, etc.—increases the variety of potential online authentication mechanisms, as shown in Table 34, and the ability to check the validity of a credential. Ultimately, online authentication provides a higher level of assurance because it offers more potential authentication factors and a “live” source. At the same time, it may also bring greater data protection and cybersecurity risks.
The authentication level of assurance provided by online mechanisms varies according to the specific credentials, authenticators, and protocols used. In addition to choosing authentication methods with levels of assurance appropriate to the transaction, practitioners must consider their accessibility and convenience, particularly for vulnerable persons (e.g., low literacy, the elderly, and people with disabilities), and those with unreliable internet or mobile connections. For example, card-based authentication for remote transactions (e.g., e-services) would require the purchase and distribution of card and/or biometric readers to each person, which may be a barrier to adoption.
Table 34. Examples of online authentication mechanisms for in-person and/or remote transactions
Federation
Federation is the ability of one organization to accept another organization’s identity credentials for authentication based on inter-organizational trust. The trusting organization must be comfortable that the other identity provider has acceptable policies, and that those policies are being followed. Federation protocols and assurance and trust frameworks facilitate federation of digital identity between organizations. For federation to be effectively used globally, agreement and mapping with the ISO defined assurance framework and the adoption of standards are critical (Source: Catalog of Technical Standards). Federation can occur at multiple levels:
In order to establish a framework for federation, practitioners must:
Box 38. GOV.UK Verify
Unlike many other countries, the UK has no single foundational ID system except for a civil registry. People hold a variety of credentials—such as driving licenses, passports, birth certificates, and more—and rely on some combinations of these to assert their identities for various purposes. In 2016, the UK government launched its GOV.UK Verify system to provide a digital identity layer that would allow UK citizens and residents to authenticate themselves online for a variety of public and private sector services. Rather than relying on a single, centrally provided digital identity credential, the Government developed a federated system with multiple digital identity providers who are certified by the GOV.UK Verify platform to provide authentication services. GOV.UK Verify partnered with a number of private sector identity providers (e.g., banks) to issue digital identities with combinations of an individual’s various credentials and other “dynamic” proofs of identity as a foundation (e.g., micro-payments to a bank account controlled by the individual with a unique reference code, which requires the user to access their online banking system to retrieve the code and complete the proofing). The provider issues a digital identity along with varying credentials, including USB keys and mobile authenticators. People can then use this identity to authenticate themselves online for various services. This system was designed with privacy in mind, as it allows people choice over their identity provider and prevents identity providers from knowing the precise service for which the authentication is being requested. In addition, it uses back-end tokenization at the point of transaction to avoid the correlation of Personal Identifiers (PIDs) across databases.
Source: Whitley (2018), ID4D Tokenization note (forthcoming).
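The relying-party side of a federation as described in this section and in Box 38, written as an added Go example that is not GOV.UK Verify's code or message format and not taken from the page: an identity provider issues a signed assertion addressed to one relying party, carrying a pairwise pseudonymous identifier so that two relying parties cannot correlate the same person by joining on it; the relying party accepts the assertion only from a provider listed in its trust framework, only for its own audience, only inside the validity window, and only at an assurance level that both meets the transaction's need and lies within what that provider is certified to vouch for. The provider and relying-party names, the level names, the claim layout and the constructed provider secret are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is what an identity provider hands to a relying party after authenticating
// the person. The claim layout is constructed for this example (loosely after SAML/OIDC).
type Assertion struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"` // pairwise pseudonymous identifier, never the person's ID number
	Audience  string `json:"aud"` // the one relying party this assertion is for
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
	Level     string `json:"loa"` // level of assurance the provider vouches for
}

var levelRank = map[string]int{"low": 1, "substantial": 2, "high": 3}

// PairwiseID gives the same person a different stable identifier at each relying
// party, so two relying parties cannot correlate their records through it.
func PairwiseID(idpSecret []byte, internalSubject, relyingParty string) string {
	mac := hmac.New(sha256.New, idpSecret)
	mac.Write([]byte(internalSubject))
	mac.Write([]byte{0}) // separator so that "ab"+"c" and "a"+"bc" differ
	mac.Write([]byte(relyingParty))
	return hex.EncodeToString(mac.Sum(nil))
}

type IdentityProvider struct {
	Name   string
	Secret []byte // used only for PairwiseID; never leaves the provider
	Key    ed25519.PrivateKey
}

// Assert issues a signed assertion addressed to one relying party.
func (p IdentityProvider) Assert(internalSubject, rp, level string, now time.Time, ttl time.Duration) (payload, sig []byte, err error) {
	a := Assertion{Issuer: p.Name, Subject: PairwiseID(p.Secret, internalSubject, rp), Audience: rp,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(), Level: level}
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(p.Key, payload), nil
}

// TrustedProvider is one entry in the relying party's trust framework: the
// provider's key and the highest assurance level it is certified to vouch for.
type TrustedProvider struct {
	Key      ed25519.PublicKey
	MaxLevel string
}

type RelyingParty struct {
	Name  string
	Trust map[string]TrustedProvider // keyed by issuer name
}

// Accept applies the relying party's checks: known issuer, valid signature,
// addressed to us, inside the validity window, and an acceptable assurance level.
func (rp RelyingParty) Accept(payload, sig []byte, now time.Time, required string) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	tp, ok := rp.Trust[a.Issuer]
	if !ok {
		return a, errors.New("issuer not in trust framework")
	}
	if !ed25519.Verify(tp.Key, payload, sig) { // nothing parsed above is trusted until this passes
		return a, errors.New("signature does not verify")
	}
	switch {
	case a.Audience != rp.Name:
		return a, errors.New("assertion was issued for a different relying party")
	case now.Unix() < a.IssuedAt || now.Unix() > a.ExpiresAt:
		return a, errors.New("assertion outside its validity window")
	case levelRank[a.Level] == 0 || levelRank[a.Level] < levelRank[required]:
		return a, errors.New("assurance level below what this transaction requires")
	case levelRank[a.Level] > levelRank[tp.MaxLevel]:
		return a, errors.New("issuer is not certified for the claimed assurance level")
	}
	return a, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // provider key pair (constructed here)
	idp := IdentityProvider{Name: "example-idp", Secret: []byte("constructed-idp-secret"), Key: priv}
	tax := RelyingParty{Name: "tax-portal", Trust: map[string]TrustedProvider{"example-idp": {Key: pub, MaxLevel: "substantial"}}}
	now := time.Unix(1700000000, 0)
	payload, sig, _ := idp.Assert("citizen-internal-123", tax.Name, "substantial", now, 5*time.Minute)
	a, err := tax.Accept(payload, sig, now, "substantial")
	fmt.Println(a.Subject, err)
}
```

The audience check is what stops an assertion obtained for one service from being replayed at another, and the certification ceiling in the trust entry is the relying party's enforcement of the assurance framework the section describes: a provider may not vouch for more than the framework has certified it for, regardless of what its assertion claims.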
What are the three types of authentication factors for an individual?
The three authentication factors are: Knowledge Factor – something you know, e.g., password. Possession Factor – something you have, e.g., mobile phone. Inherence Factor – something you are, e.g., fingerprint.
What are the 3 types of authentication methods?
5 Common Authentication Types: Password-based authentication. Passwords are the most common methods of authentication. ... Multi-factor authentication. ... Certificate-based authentication. ... Biometric authentication. ... Token-based authentication.
What are the factors used to authenticate an individual?
These include fingerprints, thumbprints, and palm or handprints. Voice and facial recognition and retina or iris scans are also types of inherent authentication factors. When systems can effectively identify users based on their biometric data, inherence can be one of the most secure types of authentication factors.
What are the 3 factors in MFA?
Three Main Types of MFA Authentication Methods: Things you know (knowledge), such as a password or PIN. Things you have (possession), such as a badge or smartphone. Things you are (inherence), such as a biometric like fingerprints or voice recognition.