Page 48 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
• Functional: A digital identity (such as the voter registration programme in Ghana)[6] which is created to address the specific needs of an individual sector, such as healthcare.
• Transactional: A digital identity (such as the Consult Hyperion Token Administration Platform (TAP) programme in Nigeria)[7], which is intended to ease the conduct of financial or other transactions (either face to face or across the Internet) across multiple sectors.
A state-issued eID acts as a strong, reliable foundational identity. However, there are a number of additional
use cases that require more flexible or extensible identities, and the functional or transactional identities,
derived as they are from the foundational state-issued eID, can fulfil this role.
2.3 Level of assurance
Level of assurance is a measure of the quality of a digital identity, based on: (1) the quality of the steps taken to
verify the claimed attributes; and (2) the robustness of the authentication credentials established. It provides
assurance that the identity was correctly assigned, and that the entity asserting a particular identity is the
entity to which that identity was assigned.
As defined by ISO/IEC 29115, there are four LoAs:
• LoA 1: Minimal confidence in the asserted identity of the entity, but enough confidence that the entity is the same over consecutive authentication events. LoA 1 is used when minimum risk is associated with erroneous authentication. There is no specific requirement for the authentication mechanism used, only that it provides some minimal assurance.
• LoA 2: Some confidence in the asserted identity of the entity. LoA 2 is used when moderate risk is associated with erroneous authentication. Successful authentication depends on the entity proving, through a secure authentication protocol, that it has control of an agreed credential. LoA 2 implementations often make use of two-factor authentication (2FA), such as demonstrating access to a registered mobile phone.
• LoA 3: High confidence in the asserted identity of the entity. LoA 3 is used where a substantial risk is associated with erroneous authentication. Identity proofing procedures shall depend upon verification of identity information. An LoA 3 implementation might, for example, extend a 2FA implementation by requiring the entry of a PIN into a registered mobile phone.
• LoA 4: Very high confidence in the asserted identity of the entity. This LoA is used when a high risk is associated with erroneous authentication. LoA 4 provides the highest level of entity authentication assurance defined by the standard. LoA 4 is similar to LoA 3, but adds the requirement of in-person identity proofing.
The trust that is placed in a digital identity by a system or service should be based on the LoA associated with
it. However, that trust is exclusively within that system/service and across the federations participating within
that system/service.
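The two dimensions the text gives for an LoA (quality of identity proofing, robustness of the authentication credential) and the rule that trust in an LoA does not extend beyond the system or federation that established it can be expressed as a relying-party policy check. The following Python is an added example, not code from the ITU-T report or from ISO/IEC 29115; the proofing labels, factor names, issuer names and the evidence-to-LoA mapping are simplifying assumptions drawn from the four LoA descriptions above, not a complete rendering of the standard.

```python
"""Level-of-assurance (LoA) policy check for a relying party.

Added illustration, not text or code from the ITU-T report. The evidence-to-LoA
mapping below is a simplified reading of the four LoA descriptions on this page
(ISO/IEC 29115 as summarised there), not a complete implementation of the standard.
"""
from dataclasses import dataclass
from enum import IntEnum


class LoA(IntEnum):
    LOA1 = 1   # minimal confidence
    LOA2 = 2   # some confidence: control of an agreed credential, often 2FA
    LOA3 = 3   # high confidence: verified identity information
    LOA4 = 4   # very high confidence: LoA 3 plus in-person proofing


# Ceiling imposed by identity proofing (the "quality of the steps taken to
# verify the claimed attributes"). The keys are assumed labels for this example.
PROOFING_CEILING = {
    "self_asserted": LoA.LOA2,  # assumption: unverified claims reach at most LoA 2
    "verified": LoA.LOA3,       # page: LoA 3 needs verification of identity information
    "in_person": LoA.LOA4,      # page: LoA 4 adds in-person identity proofing
}


@dataclass(frozen=True)
class AuthEvent:
    issuer: str          # identity provider asserting the identity
    proofing: str        # one of PROOFING_CEILING's keys
    factors: frozenset   # credentials proven in this event, e.g. {"registered_device", "pin"}


def credential_ceiling(factors: frozenset) -> LoA:
    """Ceiling imposed by the robustness of the authentication credentials.

    Factor names are assumptions for this example. Per the page, LoA 4 adds a
    proofing requirement rather than a stronger credential, so the LoA 3
    credential (registered phone plus PIN) does not cap the result below LoA 4.
    """
    if not factors:
        raise ValueError("no credential proven: not even LoA 1 is reached")
    if {"registered_device", "pin"} <= factors:
        return LoA.LOA4
    if "registered_device" in factors:
        return LoA.LOA2
    return LoA.LOA1


def achieved_loa(event: AuthEvent) -> LoA:
    """The LoA is bounded by the weaker of proofing quality and credential strength."""
    return min(PROOFING_CEILING[event.proofing], credential_ceiling(event.factors))


def authorize(event: AuthEvent, required: LoA, federation: frozenset) -> tuple:
    """Relying-party decision as (allowed, reason).

    Trust in an LoA does not travel outside the system/federation that
    established it, so an assertion from an issuer outside `federation` is
    rejected regardless of the LoA it would otherwise reach.
    """
    if event.issuer not in federation:
        return (False, f"issuer {event.issuer!r} is outside the trusted federation")
    got = achieved_loa(event)
    if got < required:
        return (False, f"achieved {got.name}, service requires {required.name}")
    return (True, f"achieved {got.name} meets required {required.name}")


if __name__ == "__main__":
    # Constructed sample events and issuer names, not real deployments.
    federation = frozenset({"national-eid", "telco-idp"})
    samples = [
        AuthEvent("national-eid", "in_person", frozenset({"registered_device", "pin"})),
        AuthEvent("national-eid", "verified", frozenset({"registered_device", "pin"})),
        AuthEvent("telco-idp", "in_person", frozenset({"registered_device"})),
        AuthEvent("telco-idp", "self_asserted", frozenset({"password"})),
        AuthEvent("unknown-idp", "in_person", frozenset({"registered_device", "pin"})),
    ]
    for ev in samples:
        print(ev.issuer, ev.proofing, sorted(ev.factors), authorize(ev, LoA.LOA3, federation))
```

The third sample shows the point of taking the minimum: in-person proofing alone does not yield LoA 4 when the credential presented only demonstrates control of a registered device, and the last sample shows that an issuer outside the federation is refused before its LoA is even computed.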
2.4 Digital identity architectures
Deployments of digital identity systems in countries around the world, including emerging markets, have met with varying levels of success. We have identified a number of high-level architectures of the systems deployed in these countries (both current and planned) and analysed their characteristics as they relate to applications within DFS. The high-level architectural models identified are:
• monolithic identity provider (IDP) architecture,
• federated Internet IDP architecture,
[6] https://eisa.org.za/wep/gharegistration.htm
[7] http://www.chyp.com/token-administration-platform-tap-e-goods-delivery/