Tag Archives: authentication

Request for Comment & IPR Review: PCTF Authentication Final Recommendation V1.1

Notice of Intent: DIACC is collaborating to develop and publish the Authentication component of the Pan-Canadian Trust Framework (PCTF) to set a baseline of public and private sector interoperability of identity services and solutions. During this public review period, DIACC is looking for community feedback to ensure that the conformance criteria is clear and auditable.

To learn more about the Pan-Canadian vision and benefits-for-all value proposition please review the Pan-Canadian Trust Framework Overview.

Document Status: These review documents have been developed by members of the DIACC’s Trust Framework Expert Committee (TFEC) who operate under the DIACC controlling policies and consist of representatives from both the private and public sectors. These documents have been approved by the TFEC as Final Recommendations V1.1.

Summary:

The PCTF Authentication Component defines:

1.      A set of processes that enable access to digital systems.

2.      A set of Conformance Criteria for each process that, when a process is shown to be compliant, enable the process to be trusted.

Invitation:

  • All interested parties are invited to comment.

Period:

  • Opens: January 16, 2024 at 23:59 PT | Closes: February 15, 2024 at 23:59 PT

When reviewing the components Conformance Criteria, please consider the following and note that responses to this question are non-binding and serve to improve the PCTF.

  1. Would you consider the Conformance Criteria as auditable or not? That is, could you objectively evaluate if an organization was compliant with that criteria and what evidence would be used to justify that?

Review Documents: Authentication

Intellectual Property Rights:

Comments must be received within the 30-day comment period noted above. All comments are subject to the DIACC contributor agreement; by submitting a comment you agree to be bound by the terms and conditions therein. DIACC Members are also subject to the Intellectual Property Rights Policy. Any notice of an intent not to license under either the Contributor Agreement and/or the Intellectual Property Rights Policy with respect to the review documents or any comments must be made at the Contributor’s and/or Member’s earliest opportunity, and in any event, within the 30-day comment period. IPR claims may be sent to review@diacc.ca. Please include “IPR Claim” as the subject.

Process:

Value to Canadians:

The purpose of the PCTF Authentication Component is to assure the on-going integrity of login and authentication processes by certifying, through a process of assessment, that they comply with standardized Conformance Criteria. The Conformance Criteria for this component may be used to provide assurances:

·  That Trusted Processes result in the representation of a unique Subject at a Level of Assurance that it is the same Subject with each successful login to an Authentication Service Provider.

·  Concerning the predictability and continuity in the login processes that they offer or on which they depend.

All participants will benefit from:

·  Login and authentication processes that are repeatable and consistent (whether they offer these processes, depend on them, or both).

·  Assurance that identified Users can engage in authorized interactions with remote systems.

Relying Parties benefit from:

·  The ability to build on the assurance that Authentication Trusted Processes uniquely identify, at an acceptable level of risk, a Subject in their application or program space.

Context:

The purpose of this review is to ensure transparency in the development and diversity of a truly Pan-Canadian, and international, input. In alignment with our Principles for an Identity Ecosystem, processes to respect and enhance privacy are being prioritized through every step of the PCTF development process.

DIACC expects to modify and improve these Draft Recommendations based upon public comments. Comments made during the review will be considered for incorporation into the next iteration and DIACC will prepare a Disposition of Comments to provide transparency with regard to how each comment was handled.

Directory of Identity Management and Proofing Products

Our Directory of Identity Management and Proofing Products has been retired.

Building on the success of the Directory of Identity Management and Proofing Products and incorporating feedback from ecosystem stakeholders, we are proud to launch our new DIACC Member Services Directory (MSD).

The DIACC MSD opened on February 15th, 2024. As DIACC members, certified service providers, and servicer providers undergoing certification complete their DIACC MSC listings, the value resource delivers will grow as service providers list their capabilities.

We understand that transitions can be challenging as we move from the Directory of Identity Management and Proofing Products to the DIACC MSD. We appreciate your understanding and your questions during this time.

Send questions regarding this transition or your interest in being listed in the DIACC MSD to directory@diacc.ca.

Listing in the DIACC MSD is not equivalent to DIACC certification. Send questions regarding the benefits of DIACC certification to voila@diacc.ca.

DIACC Member Services Directory Objectives: 

  • Address a range of adoption audiences, e.g., law societies, lawyers, notaries, and industry professionals who must verify their clients’ identities. 
  • Help members communicate adherence to standards, best practices, and specific privacy, security, equity, and trust requirements. 
  • Based on your valuable feedback, evolve our previous static (PDF) directory and expand the service types listed.
  • Provide a dynamic, filterable, and searchable tool for easier access to information.
  • Showcase our members’ service capabilities and design features.  

With the DIACC MSD launch, our members are hard at work completing their DIACC MSD listings.

Please return over the coming days and weeks to see the DIACC MSD and its value to adopters grow.

Decentralized Identity and DIACC PCTF Authentication

While the Authentication component may have been mostly developed before Decentralized Identity approaches emerged, this document demonstrates that Authentication is applicable in the context of Decentralized Identity systems and encourages service providers not to lose sight of good security practice even in the face of new approaches.

Download the paper.

Decentralized-Identity-and-DIACC-PCTF-Authentication

Reliance on the Internet and the Battle Against COVID-19 Highlight the Need for Multi-Channel Authentication

By Karl P. Kilb III, CEO, Boloro Global Ltd.

Today, as COVID-19 rocks the world, the importance of digital identity solutions are only emphasized. We are pleased to share a number of guest blogs in the context of the DIACC network, showcasing members with capabilities, solutions and forward-thinking ideas surrounding the pandemic.

Learn more about DIACC member initiatives and identity solutions within the COVID-19 Actions Directory, where we are pleased to share the actions taken to address the demands of these extraordinary circumstances. 

Due to the COVID-19 pandemic, society is moving towards an increasingly virtual lifestyle, as many of our daily activities are now taking place in the digital realm, including online banking and eCommerce. We are all traveling non-stop on an information superhighway that was not built with safety and security in mind, as the Internet was built for mass dissemination of information and not for secure transactions and other risky activity that could allow fraudsters to run rampant with identity theft. We see stories each day about emails being hacked and Operating Systems being subjected to malware, making online activity inherently vulnerable to fraud. Our increased reliance on online activity during the current pandemic highlights these long-standing problems, as SIM Swaps, email hacks, malware, man-in-the-middle attacks and other forms of fraud are all rising dramatically. The decentralization of customer support desks may also be contributing to the ability of fraudsters to wreak havoc on current security systems in place. 

So, what can be done to put real security in the hands of consumers? 

As activity on the Internet and Operating Systems are increasingly becoming easy prey to sophisticated fraudsters who routinely exploit this single point of failure, we need to consider new approaches to security that avoid such systems. Security should not only be multi-factor, but also multi-channel, eliminating the vulnerabilities of a single point of failure. “In app security” is still touching the inherently vulnerable Internet, meaning its users are still putting all of their eggs in an unstable basket. Out-of-band security is one option that stands as a viable alternative, meaning, when activity is on one channel, authentication should be on a separate channel, providing an independent lock-and-key that cannot be intercepted and compromised. 

At a time when the world is increasingly becoming aware of the inherent vulnerabilities of virtual technologies, we are also seeing the dangers of physically touching public Point of Sale devices, ATM keypads, finger scanners, or anything that could spread the virus. During a time of social distancing, conducting multi-factor and multi-channel security safely on one’s own device is an effective approach.

Along with data protection and privacy, authentication processes must also be considered. In Europe, for instance, the Payment Services Directive (PSD2) defines Secure Customer Authentication, and the General Data Protection Regulation (GDPR) defines the guidelines for protection of personal data, regardless of the form it might take. There is a need to address both. One way this can be achieved is with a multi-channel approach that provides real security (both what you possess and what you know). Authentication should strive to provide assurance to the question “Is this really you?” without being unnecessarily intrusive in its use of a consumer’s personal data.

At Boloro, we believe that authentication should be multi-factor and multi-channel, separating the security process from the activity itself in order to avoid the vulnerabilities of a single point of failure. Authentication should be secure, user-friendly, instantaneous and compatible with all mobile phones, giving everyone the opportunity to safely, securely and seamlessly participate in the global economy and social media using what should be their most trusted device – their own personal, mobile handset. 

We should all strive to work together to make the world safer and healthier, and doing this through secure mobile activity is one of the ways we can work towards achieving this goal.

About the Author: Karl P. Kilb III

Karl P. Kilb III has been the CEO of Boloro Global Limited since October 2016, focusing on the licensing of Boloro Authentication for all forms of identity verification and activity validation. Boloro Authentication is patented in 84 countries and approved by the GSMA, among others. Prior to Boloro, Kilb was a pioneer in data, analytics, media, and electronic trading at Bloomberg LP, serving as General Counsel for more than 15 years. Kilb regularly lectures on identity verification, cyber security, fraud prevention, and welcomes exploring collaboration opportunities.