Delivering high value digital services to a particular individual requires knowing who that individual is with a high degree of assurance. That identity assurance in turn has dependencies on the sources used to validate the information and the techniques used to verify that the validated information belongs to the person claiming it. All too often, we focus on verification techniques while neglecting the whole chain of trust that goes into validation.
I spent a good portion of last week interacting with some smart, passionate people who are trying to move the ball forward in the identity space. That in turn triggered some thoughts on common terminology (or lack thereof), as well as around responsibility and accountability. So this is my attempt to write my way to clarity on some of those topics.
|Identity Establishment||Identity Management||Identity Services|
All entities that are responsible for identity establishment are also identity managers. The reverse is not true. A good example of this, at least in the US, are the State DMVs. In order to issue a Driver's Licence to you, they typically ask as evidence your name, date of birth, legal status, social security number and principal residence address.
A DMV is not the apex authoritative source for any of the information requested but is very much an identity manager as part of its process for issuing the driver's licence. It could, if it so chooses, offer identity services very easily (Hello, Virginia!).
As I've mentioned before, the validation piece where the public sector can play a critical role is something that is very much missing in the US and that impacts the level of assurance available to high value digital services. Verification capabilities, on the other hand, are something that are relatively mature in the US market. We need both!
As a counter-point, I am watching the public beta of the GOV.UK Verify service with a great deal of interest. The UK IDAP have deployed an identity validation service which backs against passport and drivers licence information. But the beta roll-out for new UK DFRA CAP schemes which uses that service for validation, and an external provider for verification are providing very real lessons that are relevant to all of us in this space.
Question: Are there any examples out there of where the identity establishment, management and service offerings are done by the same entity?
- Identity Establishment, Verification and Validation
- Identity Establishment and the Role of the Public Sector
- HOW TO Choose Attributes to Uniquely Identify a Person
- Identity Validation as a Public Sector Digital Service?
- Identity Assurance and Knowledge Based Authentication
- UK IDAP: Introducing the document checking service
- UK DFRA: Introducing GOV.UK Verify, replacing Government Gateway for new CAP schemes
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.