OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation)
May 24, 2012
Technical Committee’s Road Map
• Introduction and goals of the technical committee
• Phase 1 - Survey of methods of trust elevation (status: Done)
• Phase 2 - Analysis
• Phase 3 - Proposed protocol capturing combinations
What is Trust Elevation?
• Increasing the strength of trust by adding factors from the same or different categories of methods that don’t have the same vulnerabilities
• Other descriptions
  • Step-up authentication
  • Dynamic multi-attribute authentication
  • Not one and done authentication
Phase 1: Survey of Methods of Trust Elevation
• There are five categories of methods:
  • who you are,
  • what you know,
  • what you have,
  • what you typically do,
  • context, which includes, but is not limited to, location, time, party, prior relationship, social relationship and source, and anything else that is useful
• Elevation can be within the classic four NIST and ISO/ITU-T levels of assurance or across levels of assurance
Sample Method Examples
• Who you are
  • Physical biometric
  • Behavioral biometric (voice recognition)
• What you know
  • KBA
• What you have
  • End point identity
  • Multi-channel by phone
• What you typically do
  • Browsing habits
• Context
  • Multi-Attribute-Based Trust Elevation Service (AKA Fraud Detection)
Corner Case and Hybrid Method Examples
• Customer Retention
• Session Elevation to Level of Identity Proofing
• Split Large (Risky) Transactions into Multiple Smaller Transactions
• Address Verification Service
• Hub Provider of Pseudonymous Identity
• Personal Levels of Assurance (PLOA)
• Online Identity Proofing with OTP and KBA
Phase 2
• An analysis of the identified methods to determine each one's ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved
• Next step - Identify analysis approaches
Standards are like parachutes. They work best when they're open.
Q&A