Description of BS 8626:2020

This British Standard gives recommendations and supporting guidance for the design and operation of an online user identification system (OUIS) and the corresponding user digital identity management systems (IdMS). As authorized users, individuals can act in a personal capacity (e.g. consumer, customer or citizen) or on behalf of another individual (e.g. as a proxy) in a role in a digital identity provider (IdP) and/or relying party (RP), e.g. employee or authorized contractor. In particular, recommendations are given for:
This British Standard:
The standard is applicable where the user initiates the process of user identification for an online service supplied by an RP and the processes of user identification to access an IdP’s IdMS (if applicable). This standard covers the management of digital identities by organizations, including IdPs, and individuals’ management of the credentials allocated to them by an IdP and/or RP. It concentrates on the OUIS component of access control mechanisms. However, reference is made to the permission management associated with roles and authorization functions of associated policy decision points in decision authorization systems.

This standard is applicable to online authentication transactions that are associated with either online or offline identity proofing processes, but its recommendations might also be useful for the design of offline authentication transactions, though their applicability in these contexts requires careful consideration. The scope of the transaction commences with the authentication/recognition request from an authorization system or access control mechanism through to the return response by the authentication/recognition subsystem, as illustrated in Figure 1. The authentication/recognition subsystem includes capture of signals from an individual through an input device, e.g. keyboard or sensing apparatus (e.g. camera), through to a decision component, which determines whether the identification data presented are sufficient to authenticate or recognize an individual within predetermined user identification assurance parameters.

Figure 1 Generic model of user identification

This standard covers the situations where the authentication and/or recognition decision engine resides either on the user’s intelligent device or in a remote information system. This standard covers “man-in-the-middle” (MITM) attacks on authentication methods and biometric recognition methods only.
It does not cover MITM authentication attacks or similar substitution attacks on networks, computer operating systems, computer programs, applications, router and/or certificate repositories. The vulnerabilities and associated mitigation controls relating to these technologies are outside the scope of this standard. This standard does not cover security controls in networks, computers, operating systems, application software and supporting utilities or input devices. This standard is not applicable to device identification, though, in most digital interactions, the user needs to bind their digital identity or their credential to the device, so that the device can be trusted by the network and/or IdP or RP. The exclusion of device identification applies equally to a user’s device and the user’s application authentication of a remote information system (e.g. web server gated cryptography hosting the RP’s application or resource).
This standard does not give specific recommendations for:
The de-identification of data relating to a digital identity is outside the scope of this standard, but guidance on this is given in BS ISO/IEC 20889.
About BSI

BSI Group, also known as the British Standards Institution, is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.