BS 8626:2020
Design and operation of online user identification systems. Code of practice

Published by: BSI
Publication date: 2020
Number of pages: 122

This British Standard gives recommendations and supporting guidance for the design and operation of an online user identification system (OUIS) and the corresponding user digital identity management systems (IdMS). As authorized users, individuals can act in a personal capacity (e.g. consumer, customer or citizen) or on behalf of another individual (e.g. as a proxy) in a role in a digital identity provider (IdP) and/or relying party (RP), e.g. employee or authorized contractor. In particular, recommendations are given for:

a) establishing or revising an OUIS, including:
   1) business objectives and requirements for an OUIS;
   2) requirements for protecting the life cycle management of digital identities associated with individuals;
   3) requirements for protecting data used specifically for identifying or authenticating individuals;
   4) requirements for protecting against attacks on specific types of user knowledge-based authentication methods, possession-based authentication methods and biometric recognition methods and modes of operation;

b) the controls for managing the life cycle of users’ digital identities for an OUIS, including:
   1) creation, proofing and issuance of a digital identity and the formation of the digital identity’s associated credential;
   2) identification together with credential usage (where applicable);
   3) activities to update credentials and associated data, and notification of these changes to the user;
   4) revocation, expiration, reinstatement, disqualification or user cancellation of a digital identity’s credential and purging or archiving of digital identities; and

c) evaluating the effectiveness of an OUIS, including the management of user identification errors, such as false positives and false negatives, and efficiency, including the user identification transaction timings and demand on resources.

This British Standard:

a) describes various knowledge-based authentication methods, possession-based authentication methods and biometric recognition methods, together with their inherent vulnerabilities;
b) provides recommended measures to mitigate the potential exploitation of these identified vulnerabilities; and
c) assists in the development of a risk mitigation strategy, though it does not cover risk identification, protection, detection, response and recovery, as part of developing a supporting performance management strategy and plan.

The standard is applicable where the user initiates the process of user identification for an online service supplied by an RP and the processes of user identification to access an IdP’s IdMS (if applicable).

This standard covers the management of digital identities by organizations, including IdPs, and individuals’ management of the credentials allocated to them by an IdP and/or RP. It concentrates on the OUIS component of access control mechanisms. However, reference is made to the permission management associated with roles and authorization functions of associated policy decision points in decision authorization systems.

This standard is applicable to online authentication transactions that are associated with either online or offline identity proofing processes, but its recommendations might also be useful for the design of offline authentication transactions, though their applicability in these contexts requires careful consideration.

The scope of the transaction commences with the authentication/recognition request from an authorization system or access control mechanism through to the return response by the authentication/recognition subsystem, as illustrated in Figure 1. The authentication/recognition subsystem includes capture of signals from an individual through an input device, e.g. keyboard or sensing apparatus (e.g. camera), through to a decision component, which determines whether the identification data presented are sufficient to authenticate or recognize an individual within predetermined user identification assurance parameters.

Figure 1 Generic model of user identification

This standard covers the situations where the authentication and/or recognition decision engine resides either on the user’s intelligent device or in a remote information system.

This standard covers “man-in-the-middle” (MITM) attacks on authentication methods and biometric recognition methods only. It does not cover MITM authentication attacks or similar substitution attacks on networks, computer operating systems, computer programs, applications, routers and/or certificate repositories. The vulnerabilities and associated mitigation controls relating to these technologies are outside the scope of this standard.

This standard does not cover security controls in networks, computers, operating systems, application software and supporting utilities or input devices.

This standard is not applicable to device identification, though, in most digital interactions, the user needs to bind their digital identity or their credential to the device, so that the device can be trusted by the network and/or IdP or RP. The exclusion of device identification applies equally to a user’s device and the user’s application authentication of a remote information system (e.g. web server gated cryptography hosting the RP’s application or resource).

NOTE An example of the use of device identification is the binding of a user to their mobile phone’s international mobile equipment identifier (IMEI) or to the subscriber identity module (SIM) or international mobile subscriber identity (IMSI), to prevent an attacker replacing the SIM in a stolen mobile phone and impersonating the genuine user.

This standard does not give specific recommendations for:

• single sign-on systems;
• digital identity federation schemes;
• password application managers and password generation software; and
• attributes sharing between organizations in a contractual relationship.

The de-identification of data relating to a digital identity is outside the scope of this standard, but guidance on this is given in BS ISO/IEC 20889.

PDF Catalog

| PDF Pages | PDF Title |
|---|---|
| 5 | Foreword |
| 7 | Introduction |
| 8 | 1 Scope |
| 10 | Figure 1 — Generic model of user identification |
| 11 | 2 Normative references; 3 Terms, definitions and abbreviations |
| 21 | 4 Establishing or enhancing an OUIS; 4.1 Strategic factors |
| 22 | Figure 2 — Establishing an OUIS |
| 27 | 4.2 Requirements for an OUIS |
| 37 | 4.3 Design and implementation of an OUIS |
| 38 | 4.4 Operational management of an OUIS |
| 40 | 5 Design for life cycle management of user digital identities |
| 41 | Figure 3 — Digital identity life cycle; 5.1 Digital identity creation |
| 47 | 5.2 Digital identity and credential usage; 5.3 Digital identity and credential maintenance |
| 48 | 5.4 Digital identity termination; 5.5 Digital identity system management |
| 49 | 6 Knowledge-based user authentication methods; 6.1 Recovery from failure in knowledge-based user authentication; 6.2 Creation, maintenance and recovery of authentication data |
| 52 | 6.3 Personal identification number (PIN); 6.4 Passwords and passphrases |
| 54 | 6.5 Partial PINs |
| 55 | 6.6 Security questions |
| 56 | 7 Possession-based user authentication methods; 7.1 Recovery from failure in possession-based methods |
| 57 | 7.2 General |
| 58 | 7.3 One-time password (OTP) |
| 59 | 7.4 Disconnected hardware security token (OTT) method; 7.5 Software secret one-time token (OTT) method |
| 61 | 7.6 Connected hardware security token (OTT) method |
| 62 | 8 Inherence-based (biometric) user recognition methods; 8.1 Recovery from failure in inherence-based recognition methods; 8.2 Structured approach; 8.3 Mitigation measures for biometric recognition systems; 8.4 Using biometric recognition as a component of the identity proofing process |
| 64 | 8.5 Biometric enrolment and registration |
| 67 | 8.6 Biometric verification method |
| 70 | 8.7 Privacy and data protection; 8.8 Health and safety |
| 71 | 8.9 Biometric information security |
| 73 | 8.10 Biometric performance maintenance |
| 74 | 9 Confirmatory evidence and contra-indicators |
| 75 | 9.1 Confirmatory evidence |
| 77 | 9.2 Contra-indicators |
| 78 | Table 1 — Contra-indicators |
| 79 | 10 OUIS management; 10.1 Establishing a service level agreement (SLA) between the IdP(s) and the RP(s) |
| 80 | 10.2 Operational responsibilities and procedures; 10.3 Life cycle management of the OUIS |
| 85 | 10.4 Day-to-day system operation |
| 91 | Annex A (informative) User identification assurance |
| 92 | Table A.1 — Levels of identity proofing assurance |
| 93 | Table A.2 — Levels of user identification assurance |
| 94 | Table A.3 — Selecting the appropriate level of user identification assurance |
| 95 | Annex B (informative) Supplementary information on biometrics; Figure B.1 — Components of a general biometric system [Source: PD ISO/IEC TR 24741:2018] |
| 100 | Table B.1 — Decision error outcomes for biometric functions; Table B.2 — Suggested FAR values for user identification assurance levels |
| 103 | Figure B.2 — Examples of points of attack in a biometric system [Source: BS ISO/IEC 30107-1:2016] |
| 108 | Annex C (informative) Risks for biometric recognition methods |
| 109 | Annex D (informative) Behavioural biometrics |
| 114 | Bibliography |