-
Notifications
You must be signed in to change notification settings - Fork 113
Glossary
There are many different definitions for terms in the Identity Management ecosystem; here are those terms and their definitions.
The goal of the glossary is to define common Identity terms so that all parties can communicate about Identity without confusion. Some terms are used differently in specific contexts or dialects; we will map where these terms are used incorrectly or interchangeably.
An "industry" glossary worth scanning: http://solutionsreview.com/identity-management/identity-management-glossary/
AuthN
Authentication is the process by which users prove that their identities belong to them.
An authentication application is a mobile security application that generates sign-in passcodes; a few examples include Google Authenticator and Authy. These apps allow users to generate codes even without an internet connection or mobile service.
Authorization
A privacy architecture that allows the IdP and RP to collaborate with each other without the need for reading or modifying any User data traveling through the network with the intent there is zero disclosure of PII.
A privacy architecture that includes the Double Blind Privacy model, with the addition of the Hub having zero disclosure to User’s PII.
SOURCE Privacy By Design | SecureKey
Credit Card Number
An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber. SOURCE: SP 800-63
Evidence attesting to one’s right to credit or authority. SOURCE: FIPS 201
Evidence or testimonials that support a claim of identity or assertion of an attribute and usually are intended to be used more than once. SOURCE: CNSSI-4009 | Searchable Source
CSP
A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. SOURCE: SP 800-63
A CSP is often also an IdP.
Documents that indicate that the holder is eligible for a service or benefit, such as health care.
A set of rules, defined by the IT resource owner, for managing access to a resource (asset, service, or entity) and for what purpose. A User's level of access is conditioned not only by your identity but is also likely to be constrained by a number of further security considerations.
SOURCE Entities and Entitlement
A factor is a type of evidence that users can provide to prove they own an identity record or an account. There are three types of factors:
- Something you know (like a password)
- Something you carry (like a telephone or PIV card) _Usually referred to as something you have
- Something your body has (like a fingerprint) _Usually referred to as something you are
Multi-factor authentication is a process that requires users to present valid examples of multiple factors. NB: We have rewritten the names of the factors for greater clarity and precision. See also Authentication, Two-Factor Authentication and Multi-Factor Authentication definitions.
Hub is the idea of an identity "traffic controller" that interacts with requesters and requestees during an identity authentication workflow. It "manages communications between Users, RP and IdP. It makes sure that users can assert their identities securely and safely, and that relying parties can be confident that users are who they say they are."
On the basis of this assertion, the Hub can aid in making an access control decision - it can decide whether to perform some service for the connecting parties. Will be revised as we make progress
SOURCE: Wikipedia | UK Digital Services
Identity Access Management
In everyday usage, identity refers to the characteristics, qualities, beliefs, and other factors that make a particular individual or group different from others. The technical definition of the word is much more precise. An identity is a record or statement that describes a person or thing. In the case of identity assurance and management, it refers to who or what an entity is, defined by certain attributes.
A property of a Digital Subject that may have zero or more values. Generally known as an attribute (name, first name, shoe size, Social Security number, religion, marital status, and so on) in digital form, an attribute is attached to a Digital Subject. The attributes exist whether or not they have a value and whether or not they're part of a Claim.
The process by which a CSP and a RA collect and verify information about a person for the purpose of issuing credentials to that person.
Identity Provider
An Identity Provider, also known as Identity Assertion Provider, is responsible for (a) providing identifiers for users looking to interact with a system, and (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider.
An Identity Provider can be described as a Service Provider for storing identity profiles and offering incentives to other SPs with the aim of federating user identities.
The ability to distinguish a person from all others within the context of the total population of persons of interest.
Identity Verification
LOA
Level of Assurance describes the degree of confidence in the vetting processes required for a user leading up to and including an authentication. With login.gov, it's the degree of confidence we require and that partner government agencies require ["that a user is who they say they are"] (https://alphagov.github.io/identity-assurance-documentation/shared/glossary.html), per [Gov.UK Verify] (https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify), Great Britain's identity assurance service.
- Level of Assurance 1 (LOA1): Used when an entity needs to know that the same user is returning to the service but doesn’t need to know who that user is; low confidence in the asserted identity’s validity.
- Level of Assurance 2 (LOA2): Used when an entity needs to know who the user is and that they're real; some confidence in the asserted identity’s validity.
- Level of Assurance 3 (LOA3): Used when an entity needs to know beyond reasonable doubt who the user is and that they are a real person; high confidence in the asserted identity’s validity.
- Level of Assurance 4 (LOA4): Used when an entity needs to know beyond reasonable doubt who the user is and that they are a real person, usually involving biometric verification or unique identifiers such as fingerprints, retina and iris patterns, signatures, and DNA; very high confidence in the asserted identity’s validity.
Level Of Assurance
Two Party Model - User and Service Provider
Three Party Model - User, Identity Provider and Service Provider
Four Party model - User, Identity Provider, Attribute Provider and Service Provider
SOURCE: NISTIR 7817
Multi-factor authentication describes two-factor and higher levels of authentication. Anything that requires more than just a username and password is considered MFA (eg. passphrase + OTP via phone, passphrase + browser fingerprint + phone OTP). Note, however, that MFA is meant to describe combining different types of authentication factors: possession, knowledge, and inherence.
An identity record present in the database that is missing one or more of the attributes included in an analysis that causes a search error and renders that record invalid for the purpose of the analysis.
Token valid for one use. See https://en.wikipedia.org/wiki/One-time_password
A passcode works like a password but uses only numbers. In previous iterations, login.gov used one-time passcode to refer to the six-digit code sent during phone confirmation. However, usability tests suggested that the one-two sequence of two-factor authentication and one-time passcode might be misleading to non-experts.
- In technical documentation, use one-time passcode on first reference, OTP on second. Don’t use one-time password or TOTP unless it is clearly explained as an alternate term.
- Never use these alternatives in the interface. Instead, use "security code" to refer to any OTP sent to confirm device ownership.
A collection of random characters (words and numerals) or short words used to access an account. It has no spaces. A passphrase is a password with spaces in it. For interface copy, we will use "password" over "passphrase," which might be more technically accurate but is likely less recognizable to the intended enduser.
Personally Identifiable Information
Relying Party
An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system.
SOURCE: CNSSI-4009 | Searchable Source
An entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system. SOURCE: SP 800-63
Registration Authority
A trusted entity that establishes and vouches for the identity or attributes of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).
Security Assertion Markup Language
SP
An application (or applications) within an ecosystem that provides a service to users; examples of SPs that relate to login.gov include vets.gov, myssa, and ELIS.
Single LogOut
Also called 2FA and two-factor authentication, two-step authentication is a way of logging into a website that increases security by requiring a password plus something else such as a physical trait, a PIN, or location or time of a login attempt. Two-factor authentication makes users' accounts more secure by requiring a mobile device (a phone or a tablet) as well as a password to sign in, reducing the threat of attackers being able to hack their way into accounts.
A user is the person accessing the government service via login.gov. For clarity, refer to agency partners as partners or integrators.
Identity proofing or verifying the identity of a user requires that user to provide information about themselves and answering questions to prove that they're really who they say they are. When login.gov conducts identity proofing, we need users to give us:
- An government-issued identifier such as their Social Security number
- Financial or utility account information
- An address on record with an institution that also verified (such as a phone company or a mortgage holder)
An entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. SOURCE: SP 800-63
An entity which is or represents the entity requiring an authenticated identity. A verifier includes the functions necessary for engaging in authentication exchanges. SOURCE: FIPS 196