High Assurance AZ Token: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 2: | Line 2: | ||
Structure of a stand-alone Token that can provide high assurance of (1) Identity, (2) Authentication and (3) Federation. | Structure of a stand-alone Token that can provide high assurance of (1) Identity, (2) Authentication and (3) Federation. | ||
==Context== | ==Context== | ||
* The page is directed to the problem of providing high assurance identifier tokens that can be used for high volume use cases, such as health services. | |||
*Existing standards for identifier tokens are based on the assurance of the trust of the [[Relying Party]] (aka client) in the tokens produced by the Identifier provider, typically on of the well-known social sites. | *Existing standards for identifier tokens are based on the assurance of the trust of the [[Relying Party]] (aka client) in the tokens produced by the Identifier provider, typically on of the well-known social sites. | ||
*To get high assurance identifiers, the web site that | *To get high assurance identifiers, the web site that wants the higher level of assurance (whether RP or IDP) will perform additional validation of the user with protocols like [[Fid 1.0]] or Web Authentication (aka Fido 2.0). | ||
==Problems== | ==Problems== | ||
* The IdP needs to be trusted by the RP. That can be difficult to achieve when the RP has the high value resource that the user | * The IdP needs to be trusted by the RP. That can be difficult to achieve when the RP has the high value resource that the user wants to access. | ||
* The users are accustomed to using the "free" social media sites as an IDP that will be trusted by the RP. | |||
* The liability associated with high assurance IDPs is not likely to be available on "free" social media sites. | |||
* The assurance associated with out-of-band assurance, like web authentication has not been successful with the large number people that are expected to be using high assurance sites, like health services. | |||
==Proposed Solution== | ==Proposed Solution== | ||
Revision as of 03:46, 5 March 2020
Full Title
Structure of a stand-alone Token that can provide high assurance of (1) Identity, (2) Authentication and (3) Federation.
Context
- The page is directed to the problem of providing high assurance identifier tokens that can be used for high volume use cases, such as health services.
- Existing standards for identifier tokens are based on the assurance of the trust of the Relying Party (aka client) in the tokens produced by the Identifier provider, typically on of the well-known social sites.
- To get high assurance identifiers, the web site that wants the higher level of assurance (whether RP or IDP) will perform additional validation of the user with protocols like Fid 1.0 or Web Authentication (aka Fido 2.0).
Problems
- The IdP needs to be trusted by the RP. That can be difficult to achieve when the RP has the high value resource that the user wants to access.
- The users are accustomed to using the "free" social media sites as an IDP that will be trusted by the RP.
- The liability associated with high assurance IDPs is not likely to be available on "free" social media sites.
- The assurance associated with out-of-band assurance, like web authentication has not been successful with the large number people that are expected to be using high assurance sites, like health services.