The Digital ID and Authentication Council of Canada (DIACC) has released the Pan-Canadian Trust Framework (PCTF) Authentication Final Recommendation V1.2. It’s a significant milestone as the framework is now ready for inclusion in DIACC’s Certification Program.
The Authentication component of the PCTF is meant to ensure the integrity of login and authentication processes. It outlines eight Trusted Processes designed to ensure secure and reliable digital authentication. These processes begin with Credential Issuance, where credentials are created and assigned to subjects, binding them to appropriate authenticators such as passwords or biometric data. This ensures the credential is correctly issued and can be used for future authentication. The Authentication process then verifies that a subject controls a valid credential, confirming their identity and authorizing access to the system.
Following authentication, the Authenticated Session Initiation process establishes a secure session between the subject’s device and the service provider, maintaining the authenticated state for continued interactions. This session is eventually terminated through the Authenticated Session Termination process, which ensures the session is unusable for further communications, triggered by logout or session expiration.
To handle credentials that may be compromised or require updates, the framework includes Credential Suspension and Credential Recovery processes. Suspension temporarily disables a credential due to suspicious activity or a user request, while recovery securely reactivates it. Additionally, the Credential Maintenance process allows credentials to be updated or managed to keep them secure and current. Finally, the Credential Revocation process permanently disables a credential when it is no longer needed or has been compromised, preventing any further use for unauthorized access. Together, these processes maintain the integrity and security of authentication credentials throughout their lifecycle, supporting trusted digital interactions.
The PCTF Authentication Component specifies four Levels of Assurance (LOA) to indicate the confidence in the authentication process. These levels range from low to very high confidence. LOA1 requires little or no confidence in the authentication process, suitable for less sensitive interactions where security risks are minimal. LOA2 demands a reasonable degree of confidence, ensuring that the subject’s identity is reasonably verified, appropriate for moderately sensitive transactions.
LOA3 requires a high degree of confidence, ensuring a robust verification process for the subject’s identity, suitable for high-risk or sensitive transactions. LOA4, while not yet fully defined in the current version, is intended for very high confidence levels, ensuring the utmost security for the most sensitive interactions.
Each level has specific Conformance Criteria that must be met, and the overall assurance level of any authentication system is determined by the lowest LOA of its constituent processes. This structured approach ensures that the appropriate level of security is applied based on the sensitivity and risk of the digital interaction.
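As an added illustration, not part of the DIACC release or of this article, the credential lifecycle processes described above and the "lowest LOA wins" rule can be modelled as a small state machine. The transition table, the process names used as keys, and the Credential and Session classes are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum

class CredentialState(Enum):
    ACTIVE = "active"        # issued and usable by the Authentication process
    SUSPENDED = "suspended"  # temporarily disabled by Credential Suspension
    REVOKED = "revoked"      # permanently disabled by Credential Revocation

# Lifecycle processes that may move a credential between states (modelling
# assumption for this example). Revocation is terminal: nothing leads out of REVOKED.
TRANSITIONS = {
    (CredentialState.ACTIVE, "suspend"): CredentialState.SUSPENDED,
    (CredentialState.SUSPENDED, "recover"): CredentialState.ACTIVE,
    (CredentialState.ACTIVE, "maintain"): CredentialState.ACTIVE,
    (CredentialState.ACTIVE, "revoke"): CredentialState.REVOKED,
    (CredentialState.SUSPENDED, "revoke"): CredentialState.REVOKED,
}

@dataclass
class Session:
    subject: str
    loa: int
    active: bool = True

    def terminate(self) -> None:
        # Authenticated Session Termination: the session is unusable afterwards.
        self.active = False

@dataclass
class Credential:
    subject: str
    loa: int
    state: CredentialState = CredentialState.ACTIVE

    def apply(self, process: str) -> None:
        # Refuse any lifecycle transition the table does not allow.
        nxt = TRANSITIONS.get((self.state, process))
        if nxt is None:
            raise PermissionError(f"{process} not allowed from {self.state.value}")
        self.state = nxt

    def authenticate(self) -> Session:
        # Authentication succeeds only for a credential that is currently active.
        if self.state is not CredentialState.ACTIVE:
            raise PermissionError(f"credential is {self.state.value}")
        return Session(self.subject, self.loa)

def system_loa(process_loas: dict) -> int:
    # The overall LOA is the lowest LOA among the constituent processes.
    return min(process_loas.values())
```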
The framework aligns with industry standards which recommend using biometrics in conjunction with other authentication factors, rather than as a sole factor. For example, a biometric could be used to unlock a local device that then authenticates to a remote service, adding an extra layer of security and reducing the risk of biometric replication or spoofing.
The PCTF Authentication component stands to benefit a broad range of participants. It ensures that login and authentication processes are repeatable and consistent, benefiting both those who offer and depend on these processes. It also provides assurances that identified users can engage in authorized interactions with remote systems.
When combined with the PCTF Wallet Component, it enhances the user experience by allowing the reuse of credentials across multiple Relying Parties. Relying Parties benefit from the assurance that Authentication Trusted Processes uniquely identify a Subject with an acceptable level of risk in their application or program space.
The DIACC is not a government organization; it is a non-profit coalition comprising leaders from both the public and private sectors. Nevertheless, the organization is highly influential in shaping Canada’s digital identity landscape. Through initiatives like the PCTF, DIACC sets critical standards and frameworks that ensure secure and interoperable digital identity solutions. The organization recently announced a partnership with the Open Identity Exchange (OIX) that will focus on extending digital ID functionality across borders.
Source: DIACC
July 16, 2024 – by Cass Kennedy