As described in "E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]", at level 1 there exists little to no confidence in an asserted identity. At the same time, there are many differences of opinion and expectations of what LOA 1 can deliver. This blog post is a summary of some thoughts regarding various expectations of security and privacy, at level 1, within the context of delivering public sector online services.
During a recent conversation with one of my mentors, who has been around the identity block many times and is now happily retired, I mentioned how I was struggling to articulate the value of utilizing a federated level 1 credential at any medium/high value online public sector service.
My position was that given the lack of confidence in the identity, the value of a level 1 credential lies solely in decreasing the burden to users in having to manage multiple identity credentials and reducing, to some degree, the relying party infrastructure and operational costs to manage those credentials.
I was making level 1 into a rather binary or a "buyer beware" choice from the relying party perspective. But my mentor's response was that while the point regarding the lack of confidence in the asserted identity holds true, at level 1 there is also an expectation that the credential service provider (or IdP) is operating in a manner that protects the information that an applicant/user has entrusted to it.
I am feeling a bit challenged on how one could develop a light-weight trust criteria for level 1, given that it feels like a blending of both security and privacy factors. Some potential items that may be applicable are:
- An effort must be made to make sure the the applicant has a unique identifier at the CSP/IdP
- Transmission of sensitive data must take place over a protected session (e.g. TLS/SSL)
What else? Since this is level 1, there is no identity proofing and anonymity and pseudonymity are perfectly acceptable here. Is there an expectation of privacy component here? I am curious as to whether or not anyone has done any further thinking in this area and if so, would appreciate pointers to that work.
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.