Identity Quality Assurance is a methodology for assuring that an identity assertion (credential plus identity infrastructure) is appropriate, as measured in each of eight categories, for access to and privileges in the specific digital and/or physical assets or procedures which use it.
The eight Dimensions of Identity Quality™
- Degree of Protection of Personal Assets: Does the user have "skin in the game" or are the organization's assets the only ones at risk? If the only reliable way to prevent credential sharing is with credentials that protect the user's financial, reputational and identity assets, then to what extent does the identity protect those personal assets? Ownership of the credential by the subject is considered part of this criterion, as the credential itself should be a valuable personal asset.
- Quality of Enrollment Practices: What type of enrollment procedure was used? Did it involve PII corroboration (“KBA”)? Was it face-to-face notarial or remote? How is provisioning performed? How is the process supervised and audited? How many eyes are watching? Each risk profile and highest protected digital asset value will call for a particular enrollment procedure.
- Quality of Means of Assertion: Does the credential support OpenID, i-Name, Shibboleth, CardSpace? Does it use SAML assertions? A well-used identity is a more reliable identity; the more places it is used the better.
- Quality of Authoritative Attestation: Who attests to the validity of the assertion, that is, the claimed identity? Is the attesting party a certification authority? How reliable are their attestation practices? How is identity status reported: CRL or OCSP or another method?
- Quality of Other Attestations: To what extent do colleagues of the subject corroborate the subject's claim of identity? The more acquaintances who are willing to put their own identity quality scores at risk, and the higher those scores are, the higher this score will be.
- Quality of the Credential: What are the characteristics of the credential and its carrier? Is one key pair used for everything, or are different key pairs or simple serial numbers used for different applications? The carrier of the credential is equally important. Some risk profile / asset value situations call for two-, three- or four-factor hardware tokens, or a one-time password, while a soft credential in the client computer or even a record in a directory will suffice for others.
- Quality of Assumption of Liability: If fraud is committed with the use of the credential, who carries the liability? Is that commitment bonded? What are the terms of the bond? What is the source of funds for fulfillment of the bond? Are there caveats or is the commitment absolute, regardless of the circumstances that made the credential available to the perpetrator? To protect assets and processes of the highest value, where a compromised identity would have the most serious consequences, there should be both civil and criminal liability involved in the issuance and ongoing use of the credential. Equally important is protection against fraudulent repudiation. Nonrepudiation is perhaps the most difficult goal for a trust system to achieve, but it is necessary for the system to be useful to relying parties where significant transactions are involved.
- Reputation of the Credential: How long has the credential been used without revocation or reported compromise? How many transactions and authentication events has it been used for in total? The longer a credential has been used without incident, the more reliable it tends to be. Note that the reputation of the credential is not the same thing as the reputation of the subject. For example, if a subject with a very good reputation has a habit of lending his or her credential to family members and colleagues, resulting in documented confusion over who is responsible for what, then the reputation of the credential is greatly diminished.
Each of the eight Dimensions of Identity Quality is measured using a scale of 0 to 9, with 0 being the lowest rating in a particular “dimension.”