Know with measurable certainty to what degree a digital identity can be trusted.
How is an IDQA score calculated?
Identities and Identity Management are two different things. You must know the quality, and therefore the reliability, of the identities in your system before you manage them. Be confident that the IDQA™ Score of each identity is appropriate to its current and planned application. We look at how an identity measures up across 8 different metrics. Each metric will yield a score of 0 to 9, which means the aggregate IDQA score will be between 0 and 72.
A few of the metrics...
A coworker may ask for your password to access a company asset, but they would never ask for your personal ATM card and PIN. Does the user have "skin in the game," or are the organization's assets the only ones at risk? If the only reliable way to prevent credential sharing is with credentials that protect the user's financial, reputational and identity assets, then to what extent does the identity protect those personal assets? Ownership of the credential by the subject is considered part of this criterion, as the credential itself should be a valuable personal asset.
What type of enrollment procedure was used? Did it involve PII corroboration (“KBA”)? Was a notary involved, and was the notarization face-to-face or remote? How is provisioning performed? How is the process supervised and audited? How many eyes are watching? Is there a digital recording of the event? Each combination of risk profile and highest protected digital asset value will call for a particular enrollment procedure.
Does the credential support OpenID, i-Name, Shibboleth, CardSpace, others? Does it use SAML assertions? A well-used identity is a more reliable identity; the more places it is used, the better.
What are the characteristics of the credential and its carrier? Is one key pair used for everything, or are different key pairs or simple serial numbers used for different applications? The carrier of the credential is equally important. Some risk profile / asset value situations call for two-, three- or four-factor hardware tokens, or a one-time password, while a soft credential in the client computer or even a record in a directory will suffice for others.