Monthly Archives: October 2020

The Next Evolution of Levels of Assurance in Canada

Levels of Assurance (LOA) play a foundational role in the world of standards, digital identity, and digital transactions. Put simply, LOA is the degree of confidence in the validity of a claim, process, or authentication. In the sphere of digital identity, it is a necessary model to verify that the person or entity claiming an identity is the entity to which that identity was assigned. 

Most Canadians don’t think too deeply about LOAs, and yet most Canadians interact with these models, unknowingly, at some point in their lives. For example, Canadians experience LOAs when opening a bank account, demonstrating qualifications for a government service or benefit, making an insurance claim, or wiring money to a client or family member.

Organizations that use LOAs to inform their policies and processes often have dedicated strategies and teams, working out contingencies and approaches to maximize security in Canada and internationally. These teams often face challenges interacting with other service providers, meeting different standards across jurisdictions, and minimizing friction for clients accessing their services.

How the Current LOA Model Works

Imagine two people, Samir and Aiya, who are each trying to apply for a small business loan. Both women have very strong credentials: a passport, a driver’s license, and the requisite business records. Samir is linked to her credentials through knowledge-based authentication (KBA), and they are accepted after she answers a security question, which she previously populated, about her father’s middle name. Aiya is linked to her credentials through an in-person ceremony: she went to her local bank branch with two pieces of identification and her business records to complete the loan application. Aiya’s scenario offers a stronger LOA and Samir’s a weaker one. Despite these differences, Canada’s federal LOAs currently dictate that Samir and Aiya both have the same assurance.

In Canada and many places around the world, it is common for LOA structures to combine a number of factors into a single score. The result is an obscured view of the risk factors and authentication. This lack of granularity into the LOAs of specific capabilities is a challenge present in the construct of LOA models around the world. The deciding factor regarding acceptance of an identity comes down to Relying Parties (parties who rely on the validity of identities) who determine their own risk profiles. 

In this case, the relying party is the bank. The banker helping Samir and Aiya also benefits from a stronger LOA as they sign off on the business loan. In addition to building a stronger relationship with the client, they are able to manage their portfolio with confidence.

There is widespread agreement that the current LOA model in Canada is inadequate. While LOAs serve a purpose, they are not transparent and dynamic enough to address the myriad digital solutions and scenarios of today. Internationally, single LOA schemes are no longer state of the art, and today’s requirements necessitate separate evaluation for specific capabilities. In the DIACC community, there is consensus that there must be separate schemes for credentials and identity, at a minimum, in order to be useful in the widest possible range of scenarios and contexts. An improved assurance model should be capable of asserting identity and credentials at different levels.

Envisioning a New Risk-based Model for Assurance

A risk-based model offers a more enduring, user- and industry-friendly path forward that enables existing LOA schemes to participate while building for a more dynamic and scalable digital ecosystem. The notion of leveraging a risk-based model is highly applicable, as the application of LOAs today is best determined by performing a threat or risk analysis. The risk-based model must address the likelihood and impact of something happening, and the appropriate mitigation approach.

LOA is essential in determining liability and risk, offering a clear understanding of how a Subject (customer or citizen) and a Relying Party (company or government service) can validate that they are who they say they are. It is a central component in being able to determine whether a transaction should proceed.

The risk-based model starts by assessing risk first, and this approach drives more value for organizations, as they confront the baseline of their current systems and assess risk realistically. It also helps adopters improve their systems by motivating them to reduce or remove risks through various types of mitigation.

DIACC is on a mission to rapidly deliver a modern, risk-based LOA model that is…

  • Risk-based
  • Directive and illustrative
  • Non-prescriptive in execution
  • Evergreen
  • Deterministic in implementation and assessment
  • Congruent with existing state of the art and best practices
  • Inclusive in support of both the private and public sector
  • Supportive of evolving needs on credentials and bindings

The impact of this evolution is far-reaching, and will ensure that the Pan-Canadian Trust Framework™ is strong and resilient over time. This evolution takes a framework-wide approach to address interdependencies, independencies, and support communication across platforms. This new approach ensures scalability over time as technologies and their uses evolve.

DIACC has engaged a small, representative team to rapidly deliver a new model to support the PCTF, which launched September 15, 2020. The model will benefit from the DIACC’s well-documented peer and public review process. Members can contact to contribute. Non-members can get in touch to learn more.

Spotlight on Stash

1. What is the mission and vision of Stash?

Our mission is to provide people with the tools and education to help them protect their online accounts. Our vision is a digital world in which people do not reuse any of their passwords across multiple accounts. Ever. Stash is bringing this vision to reality by delivering an offline password manager that makes it easy for people to create and securely manage strong, unique passwords for every single account they have, ultimately removing the difficulty and frustrations of having to do it on their own.

2. Why is trustworthy digital identity critical for existing and emerging markets?

In the digital age, it is too easy for people to remain anonymous online or claim to be someone they aren’t. In the physical world, we have ways of proving who we are through different identification methods which makes it difficult for someone to fake their identity. As we increasingly go digital, we need a form of digital identity to help people stay secure and limit their risks of being the subject of fraudulent activity.

3. How will digital identity transform the Canadian and global economy? How does Stash address challenges associated with this transformation?

Simply put, digital identity will make it safer and easier for Canadians to operate online. This will lead to people conducting more business online, nationally and internationally, in ways in which they were not comfortable before.

While it is clear that digital services aid in the efficiencies of businesses and organizations, trusted digital identity has been relegated to a side note by many leaders across numerous sectors in Canada. As digital solutions continue to evolve, access to such services still requires end users to create usernames and passwords – leaving them with hundreds of login credentials to manage.

In the digital world, it has become critical to have strong password management practices. With the ever-increasing number of online services that require passwords, many are left feeling overwhelmed and frustrated, leading them to sacrifice security for convenience. Using a password manager allows people to improve their password security while providing the convenience and peace of mind needed to go about their lives.

Stash Password Manager was created to remove the frustrations of trying to manage unique, complex passwords for all of our digital accounts while ensuring each of your usernames and passwords is securely stored offline and making logging into accounts easy.

4. What role does Canada have to play as a leader in this space?

Canada is seen by many global observers as a trustworthy, safe and stable country. Once Canada moves beyond its strategic framework and implements various capacities of digital identification, our reputation will allow us to help influence the rest of the world in adopting a standardized digital identity protocol.

5. Why did Stash join the DIACC?

We believe our patent pending Island Technology™ and our approach to online security can assist in DIACC’s mission to achieve excellence in digital identity.

6. What else should we know about Stash?

The simplest way for people to protect their own digital accounts is by having a strong, unique password for every single account they have.

Stash was created because we realized people needed a way, that was both secure and convenient, to easily manage all of the different usernames and passwords they are forced to use in the digital age. We believe the only way to securely manage all of our login credentials (usernames + passwords) and truly keep them safe is to physically store them offline in a way that keeps them disconnected from the internet. This means they should not be managed on any device that is connected to the internet, as those devices can be hacked.

At the heart of Stash is Island Technology™. Island Technology™ creates an air-gapped “island” which allows a user to isolate their data and store it in a secure manner that keeps it disconnected from the internet. Essentially it acts as a dynamic, one-way communication bridge that safely transfers data from a disconnected vault to the online world. Although we utilize this technology in transferring login credentials, other companies are now beginning to recognize Island Technology™ for its unique utility in additional use cases.

Spotlight on the Digital Technology Supercluster

1. What is the mission and vision of the Digital Technology Supercluster?

The Digital Technology Supercluster solves some of industry’s and society’s biggest problems through Canadian-made technologies. We bring together private and public sector organizations of all sizes to address challenges facing Canada’s economic sectors including healthcare, natural resources, manufacturing and transportation. Through this ‘collaborative innovation’ the Supercluster helps to drive solutions better than any single organization could on its own.

2. Why is trustworthy digital identity critical for existing and emerging markets?

With the COVID-19 pandemic, now more than ever we are relying on our ability to prove our identity and key personal information remotely. Over the past six months, we have worked with dozens of organizations to develop and deploy cutting-edge digital and virtual health platforms. A critical requirement to ensure uptake of these developments is ensuring that Canadians feel they are in control of their personal data and have trust in the institutions and protocols we have created.

3. How will digital identity transform the Canadian and global economy? How does the Digital Technology Supercluster address challenges associated with this transformation?

For the Digital Technology Supercluster, we see digital identity as a key component in the adoption of our many innovative technologies – whether it’s accessing remote addiction and mental health treatment for health care workers, or receiving post-surgical treatment from home. Without secure digital identity, Canada will be unable to continue developing innovative solutions like these. As a team, we strive to collaborate with companies (large and small), organizations and academic institutions to ensure that we are addressing digital security from all sides. Ensuring privacy and control of personal information is at the heart of what we do, and organizations like DIACC provide critical guidance on this front. 

4. What role does Canada have to play as a leader in the space?

Canada is already seen as a leader in the global economy. We are known for our transparency, ethical business practices and diverse resources. This foundation puts us on solid ground for not only contributing to the policy of digital identity, but alongside DIACC, leading the way on international interoperability in this space.

5. Why did the Digital Technology Supercluster join the DIACC?

We believe there is power in coming together towards a common goal, and that there is strength in bringing different perspectives, experiences, and backgrounds to the table. To reach Canada’s full potential, it is critical that we leverage our diversity and unique strengths to share knowledge and expertise.

6. What else should we know about the Digital Technology Supercluster?

While we are located in Vancouver, British Columbia, our members span across the country, with 40 per cent of our 750+ membership in provinces outside of British Columbia. We are open to working with all types of organizations. By facilitating bold collaboration, we bring together companies of all sizes from a myriad of sectors within the tech ecosystem and tech-enabled companies from a variety of industries. This allows these organizations to tap into a network of knowledge and experience they would not otherwise have had access to.

Spotlight on ModoHR

1. What is the mission and vision of ModoHR?

ModoHR is a Canadian technology-driven business that provides modern solutions for the human resources industry. Our web application, ScreeningCanada™, was developed with the goal of empowering Canadian organizations to remotely conduct background screening and digital identity verification. We help set the standard for Canadian privacy, compliance and data security; these unwavering principles provide Canadian organizations with compliant products and services that mitigate risk.

2. Why is trustworthy digital identity critical for existing and emerging markets?

Simply put, digital identity is the foundation of background screening. Without a candidate’s consent and identity verification, compliant and thorough background screening cannot take place. In addition, emerging markets like on-demand delivery services and ride-sharing have further highlighted the need for speed in the background screening industry. We strongly believe that a trusted digital identity solution is critical in removing these obstacles and improving remote hiring.

3. How will digital identity transform the Canadian and global economy? How does ModoHR address challenges associated with this transformation?

Digital identity will transform the Canadian and global economy by removing geographical barriers for individual job applicants. ModoHR is pioneering new identity verification solutions in the marketplace with tools that utilize credit file-based verification, live video verification and facial accreditation. Existing background screening processes have traditionally required face-to-face interaction with the hiring manager, or an in-person verification conducted by an authorized third party like Canada Post. ModoHR’s digital identity solutions remove barriers that previously existed for remote hiring. The process is compliant with federal and provincial physical distancing recommendations and approved by police services. This transformation will empower Canadians and organizations to increase diversity and inclusion by removing traditional remote hiring barriers.

4. What role does Canada have to play as a leader in the space?

There is no question that Canada possesses the necessary knowledge and capabilities to be a leader in digital identity. Our national approach to privacy and compliance and the value we place on protecting personal information across all industries, is highly regarded around the world. In the coming months and years, Canadian provinces will need to work together to centralize, standardize and unilaterally protect personal information, and develop methods to securely utilize this information to verify identity.

Our competitors in this space are already operating on the global stage; Canada must move quickly to share resources, seek federal support and ensure that our sovereign interests will not be negatively influenced by the standards set by other nations. More importantly, we need to lead this charge to develop processes and platforms that are truly Canadian.

5. Why did ModoHR join the DIACC?

ModoHR Technologies joined DIACC to share our knowledge and experience relating to the important topic of digital identity, compliance, risk mitigation and global regulatory challenges.  We believe that together, Canadian organizations can not only improve processes for Canadians but remain at the cutting edge of policy development globally. We look forward to networking and sharing knowledge with other DIACC members.  

6. What else should we know about ModoHR?

ModoHR is owned by background screening and risk mitigation industry experts. Our executive team founded the pre-employment industry in Canada 20 years ago and built the largest risk mitigation firm in Canada. These subject matter experts came together to collaborate, re-imagine and empower Human Resources with technology that ensures privacy, security and streamlines processes for organizations and individuals alike. Our drive and enthusiasm is reflected in every new risk mitigation product or service that we create. In summary – we build what’s next™.