Identity Quality Assurance™

Identities and Identity Management are two different things. Know the quality, and therefore the reliability, of the identities in your system. Is the Identity Quality of each one appropriate to its current and planned application?

The Six Dimensions of Identity Quality™

1. Quality of Ownership Does the user have "skin in the game" or are the organization's assets the only ones at risk? If the only reliable way to prevent credential sharing is with credentials that protect the user's financial, reputational and identity assets then to what extent does the identity protect those personal assets?
2. Quality of Enrollment Practices What type of enrollment procedure was used? Did it involve PII corroboration? Was it face-to-face notarial or remote? How is provisioning performed? How is the process supervised and audited? How many eyes are watching? Each risk profile and highest protected digital asset value will call for a particular enrollment procedure.
3. Quality of Means of Assertion A well-used identity is a more reliable identity; the more places it is used, the more its holder will be aware of the need to protect it. Does the credential support OpenID, i-Name, Shibboleth, CardSpace? Does it use SAML assertions?
4. Quality of Attestation Who attests to the validity of the assertion, that is, the claimed identity? Is the attesting party a certification authority? How reliable are their attestation practices? How is identity status reported: CRL or OCSP or another method?
5. Quality of the Credential What are the characteristics of the credential and its carrier? Is one key pair used for everything, or are different key pairs or simple serial numbers used for different applications? The carrier of the credential is equally important. Some risk profile / asset value situations call for two, three or four factor hardware tokens, or a one-time password, while a soft credential in the client computer will suffice for others.
6. Quality of Assumption of Liability If fraud is committed with the use of the credential, who carries the liability? Is that commitment bonded? What are the terms of the bond? What is the source of funds for fulfillment of the bond? Are there caveats or is the commitment absolute, regardless of the circumstances that made the credential available to the perpetrator? To protect assets and processes of the highest value, where a compromised identity would have the most serious consequences, there should be both civil and criminal liability involved in the issuance and ongoing use of the credential. Equally important is protection against fraudulent repudiation. Nonrepudiation is perhaps the most difficult goal for a trust system to achieve, but it is necessary for the system to be useful to relying parties where significant transactions are involved.

IDQA™ and Identity Quality Assurance™ are trademarks of Reliable Identities. Patent Pending. The Identity Quality methodology is licensed by HSM-ID Inc. from Reliable Identities.

Learn more about IDQA™