Identity approach Call for Input from data providers February 2021
Contents

• Background
• Digital Identities
• Good Practice Guide (GPG) 45
• Good Practice Guide (GPG) 44
• Trust framework / model
• Proposals
• Request for feedback
Background

1. The Financial Conduct Authority (FCA) recommended, in its Financial Advice Market Review in 2016, that industry should make pensions dashboards available to individuals to make it easier for them to engage with their pensions, a view which the government echoed in its budget that same year.

2. An industry-led project, set up in 2016 sponsored by HM Treasury and managed by the Association of British Insurers (ABI), developed and demonstrated a prototype for the dashboard in 2017. The project continued independently of government, publishing its findings in October 2017, which included the call for a government-backed delivery authority to drive the completion of the project.

3. In December 2018, government launched a consultation, engaging widely with stakeholders across the pensions industry, to identify issues and options for delivering the service. In April 2019, it set out its position in a response document [1], stating that:

“Government will legislate to compel pension schemes to provide their data; and

The Money and Pensions Service (MaPS) will have responsibility for enabling delivery of the dashboard service working with the pensions industry.”

4. As a result, the Pensions Dashboards Programme (PDP) was created to lead the work of delivering an eco-system, via which members can find and view their pension holdings. The widely shared aim for pensions dashboards is to enable individuals to access their pensions information online, securely and all in one place, thereby supporting better planning for retirement and growing financial wellbeing.

5. The consultation response set out some overarching design principles, which indicated that all dashboards should:

• put the individual at the heart of the process by giving individuals access to clear information online
• ensure individuals’ data is secure, accurate and simple to understand - minimising the risks to the individual and the potential for confusion
• ensure that the individual is always in control over who has access to their data

6. At the heart of the design is the need for a trust model that enables all parties to operate within the system with complete confidence that other participants are identifiable and have authority to act in the way that they are. Within this framework, users are required to evidence their identity through a digital identity solution, which will mandate that a minimum level of confidence is established.

7. The government response to the consultation states:

“To enable a sufficient level of trust in the service, the department expects a standard level of identity assurance for all users (individuals and delegates) that satisfies the National Cyber Security Centre’s Good Practice Guide 45 on ‘Identity Proofing and Verification of an Individual’.

Our conclusion: the delivery group must agree on a standardised level of identity which complies with the National Cyber Security Centre’s Good Practice Guide 45 [2][3].”

[1] Pension Dashboards government response to consultation
[2] Good Practice Guide 45 - identity-proofing-and-verification-of-an-individual
[3] Good Practice Guidelines are published by Government Digital Services (GDS)

8. This paper presents the basis of an identity process and seeks clarification from data providers (ie pension providers, schemes, trustees etc) on what they believe would be an acceptable identity standard for them to provide pension information to a user.

9. PDP has recently undertaken a Request for Information exercise with key participants from the identity market which, along with the feedback sought by this Call for Input, will help shape the requirements defined for the identity service.

Digital Identities

Why are identities important?

10. Data providers, as data controllers, retain the responsibility for incorrect disclosure of data. It is vital that they have confidence that the party to whom they are releasing data is who they say they are and has authority to receive the information.

11. The digital architecture includes an identity service at its core, which is intended to ensure we can verify the user to an acceptable level of confidence.

[Figure: Proposed digital architecture - overview of the Ecosystem. Components shown: dashboard providers' dashboards and the MaPS dashboard; pension finder service; consent and authorisation; identity service; governance register; pension providers, pension schemes, integrated service providers and State Pensions. Flows labelled: find request; response - register with consent and authorisation server; pensions information request and response flows to dashboard. Key: Ecosystem Governance Framework (technical, security, design, accessibility, performance and user experience standards) - PDP to set and monitor; MaPS Dashboard - MaPS; Digital Architecture - PDP; Dashboards/Pension Providers and Schemes - Industry; State Pension - DWP.]

12. The user will be passed from the dashboard of their choice to the consent and authorisation service, which will orchestrate their consent and pass them to the identity service.

[Figure: user journey. Steps labelled: user accesses dashboard; dashboard passes user to C&A; C&A checks existing consent and passes user to ID Service; IDP establishes identity; verified attributes returned. Components shown: Pensions Dashboard, Consent and Authorisation, Identity Service, Pension Finder Service, Data Provider / ISP.]

13. Before the user can find their pension entitlements, the identity service will prove their identity to a standard acceptable to the ecosystem as a whole.

14. Data standards that are being developed to support the eco-system, include a matching data set that will provide information that pension data providers can use to search for a user’s entitlement.

15. At present, the user will consent to an identity provider validating their identity and confirming the following information:

a. first name
b. family name
c. date of birth
d. address

16. Additionally, the user may be asked to provide the following, which may not be validated by the identity provider:

e. national insurance number
f. address history
g. email address
h. telephone number
i. previous names

17. The PDP undertook a data standards Call for Input, which helped our understanding of the breadth of information required by data providers to enable them to locate a pension entitlement.

18. It is anticipated that the identity service will provide verified identity attributes to the pension finder service, alongside user asserted
attributes (highlighted in 15 and 16 above), which will then co-ordinate communication with data providers.

19. Providing a central identity service in the architecture provides certainty in the strength of the identity verification. Within the trust model, it ensures trust persists across the ecosystem.

20. It has the additional benefit of providing an open solution that enables the user to use a single identity to access and manage their consents, even if they view their pensions on more than one dashboard.

21. This supports the principle defined in the consultation response document that users must be able to manage their consent independently of any dashboard provider.

22. The Central Identity Service will manage identity verification and dashboard providers are free to decide whether they wish to implement their own access management service.

23. The matching data from the pension finder service will be provided via a standard API implemented by the data provider. The data provider will use the matching data to locate a user’s entitlements based on their own search criteria, which reflects their interpretation of risk.

What is an identity?

24. An identity is a combination of verified attributes about an individual which, when considered in unison, can provide assurance that a person is who they say they are.

25. In simple terms, if you met someone face to face and they provided an identity document from a trusted source (eg passport), if they match the image in the passport, you would have a high degree of comfort that they are who they say they are.

26. This is harder to do online, where visible validation is more difficult to achieve – this is where identity providers and identity standards look to fill the gap.

27. Identity services look to measure a set of data attributes about the claimed identity against known sources and determine the assurance of the identity.

28. The assurance of the identity is benchmarked against a standard, which determines the strength of the recognised identity.

29. Government Digital Services good practice guides are a framework that supports definition of standards for identity to suit the purpose of the service being provided. In this case, that purpose is for the release of pension data to an individual.

30. An identity standard under the good practice guides (for the purposes of the Pensions Dashboards Programme) concentrates on two elements:

a. confidence in the identity
b. confidence in the authentication approach

31. GPG 45, which reflects level of confidence in an identity, should be considered alongside GPG 44 [4], level of authentication credential.

32. Level of confidence provides a view of the evidence provided by the user and attributes values across five measures.

[4] Good Practice Guide 44 - Using authenticators to protect an online service

33. Level of authentication credential assesses the method by which an identity service proves the person requesting access is the same person as previously permitted.

Good Practice Guide (GPG) 45

34. As documented in GPG 45, an identity is a combination of characteristics that identifies a person. A single characteristic is not usually enough to tell one person apart from another, but a combination of characteristics might be.

35. The process of checking an identity takes characteristics included in a claimed identity (typically, but not limited to: name, address and date of birth) and validates them against five criteria / steps:

• get evidence of the claimed identity
• check the evidence is genuine or valid
• check the claimed identity has existed over time
• check if the claimed identity is at high risk of identity fraud
• check that the identity belongs to the person who’s claiming it

36. By doing different parts of the identity checking process, the identity provider can build confidence that an identity is accurate.

37. Identity checking can be completed at a point in time or can be built over a period as more experience and verifiable sources become available. Each element of the checking process builds a score, which contributes to an overall level of confidence.

38. A level of confidence depends on:

• how many pieces of evidence are collected
• which parts of the identity checking process are undertaken
• what scores each part of the identity checking process attain

39. Scores can be combined in a number of ways, based on the identity criteria, to provide an overall level of confidence. These are measured as:

• low confidence
• medium confidence
• high confidence
• very high confidence

40. Full details of how these levels of confidence are attributed are incorporated in GPG 45.

41. PDP, with the assistance of identity providers and data providers, will determine the appropriate level of confidence required to support the release of information.

Good Practice Guide (GPG) 44

42. Level of assurance through GPG 44, takes into consideration the ways in which the user is authenticated.

‘You might need to know if someone has already used your service before you give them access to it. This is called ‘authentication’ and can be useful if users need to sign into your service more than once.’

43. There are different types of authenticators. An authenticator will usually be one of the following:

• something the user knows (often referred to as a secret)
• something the user has
• something the user is

44. Something the user knows could be:

• a PIN
• a password
• an answer to a question that only the user knows the answer to - also called knowledge-based verification (KBV)

45. A secret is usually used with either:

• another piece of information, such as a username or email address
• a token, such as a chip and PIN card, single use authentication code or digital certificate

46. A measure of something the user is would normally take the form of a biometric input. Biometric information is a measurement of someone’s:

• biological characteristics, such as their fingerprint, facial recognition
• behavioural characteristics, such as their signature

47. Using biometric information means a service can easily tell if the user who is trying to sign in is the same person who created the account. This is because:

• each person’s biometric information is unique to them
• it’s difficult for biometric information to be forgotten, lost, stolen or guessed

48. Services can be protected by using a combination of two authenticators - ‘2 factor authentication’ (2FA).

49. 2FA should, but does not need to, utilise two different types of authenticator, as this will reduce the risk of two similar types of authenticator being compromised, which is more likely than two different types.

50. An authenticator can be low, medium or high quality. The quality of an authenticator will depend on how secure it is.

51. The quality will be informed by how it was:

• created by a user (or a manufacturer if it’s something like a physical token)
• managed (including how the authenticator is issued and updated, and what happens when it’s no longer being used)
• captured (if it’s biometric information)

52. Examples of low, medium and high-quality authenticators can be found in the GPG 44 document.

53. An authenticator can protect the service from being accessed by someone who should not be able to use it. How much protection the service needs depends on:

• what information the user needs to use the service
• what information the service gives the user access to
• what the service or user can do with that information

54. Selecting the appropriate authentication options is dependent on how data controllers view risk and the level of protection required to ensure data integrity.

55. The level of protection afforded by the authenticator/s is measured in a range from low, through to very high dependent on the strength and quality of the authenticator/s used.

56. Other considerations which will need to be factored include:
• recovery processes for forgotten, lost and stolen authenticators – enabling the rightful user to recover access
• revocation processes so that authenticators can be cancelled, and access denied
• monitoring of the credential as it is in use to detect misuse or hijack

Trust framework / model

57. All components of the architecture, including dashboard and data providers, are covered by a trust model that is based on mutual and federated trust.

58. All organisations abide by legal conditions and standards that support a common ‘root of trust’.

59. This role is performed by the governance register which maintains all affiliations within the eco-system eg dashboards, data providers, ID suppliers, and each component is registered in the governance register and managed accordingly.

60. Trust is assured and enforced by services acting as trust brokers, on behalf of other services: eg the identity service authenticates a dashboard user, and the consent and authorisation authorises release of pension data based on the user’s consent.

61. By the common root of trust, each service may in turn trust each other, eg the implicit trust of a relying service (pension data provider) to return data to an authorised requesting service (pension dashboard).

62. All services within the ecosystem, including pensions dashboards and data providers, should explicitly trust each other within the common trust framework.

63. The consent and authorisation service is the trust anchor for identity, authentication and authorisation: it enforces user authentication by the identity service, provides identity attributes to the pension finder service, and access authorisation to data providers.

64. Data providers can rely on and implicitly trust the consent for the user to access an individual’s pension information by virtue of their trust relationships within the framework.

65. The PDP, or an appointed operating body, will monitor and audit with common standards, operational practices and levels of assurance, under governance terms to be determined.

66. The PDP are currently defining a liability model that supports the contractual arrangements that will be applied to support the trust framework.

67. The identity service will be relied upon to provide strong authentication credentials to a user and identity verified to a defined level of confidence.

68. Liability under the framework is currently under review and proposals are in the process of being determined. It will be incorporated within the governance framework being defined for the programme and the ongoing solution.

Proposals

69. In making this proposal on the approach for the identity service, PDP recognises that feedback from identity providers and the pensions industry is
important, and may suggest alternate approaches.

70. The identity service will be required to prove identities of individuals. That may be a user viewing their own pension entitlements or representing a regulated financial advice company or a guidance body, with delegated access rights.

71. In addition to assuring the identity of a user with delegated access, the ecosystem will be required to ensure their registration / professional accreditation is appropriate and valid.

72. At present PDP is not determining whether the identity service will include a single identity provider or multiple identity providers.

73. Similarly, no decision has been made as to whether the service would directly integrate with multiple providers or whether the use of a broker / hub would be more appropriate. This will depend on the responses received during this call for input and on the cross government and private sector identity landscape at the relevant time.

74. PDP will define the APIs and communication protocols once the approach to identity has been further clarified and other elements of the architecture baselined.

75. In order to enable future development and innovation, our preference is for the identity service to support interoperability with other markets / schemes.

76. Under GPG 45, PDP indicatively propose to the pensions industry that medium level of confidence might meet their requirements for assurance of identity prior to data release relating to find and view.

77. A Request for Information to the identity industry was broadly in agreement with this proposal.

78. In the event that there is compelling evidence that a lower level of confidence is adequate, PDP will review the option to adopt it, following consultation, even if it does not match the GPG45 defined levels of confidence, provided it follows the principles.

79. Under GPG 44, PDP similarly propose that a medium level of authentication might meet the requirements of the pensions industry. This should incorporate a minimum of 2 factor authentication and attendant security of credential lifecycle and transaction monitoring.

80. A Request for Information to the identity industry was broadly in agreement with this proposal.

81. Compelling reasons to support a different level of authentication will be considered, under consultation with data providers.

82. It is proposed that on initial identity assertion, the consent and authorisation module will issue a token that will have a defined life.

83. This approach will streamline the user experience such that there will be no need to reauthenticate until the token has expired. No defined life has been determined yet and proposals will be welcomed. We note Open Banking has set an expectation of 90 days between strong reauthentications.

84. The identity service will need to reach a high proportion of the holders of UK pensions (regardless of current domicile). One of the key challenges will be to support members of the public that do not have access to government issued identity documents,
such as passports and driving licence or have limited credit history.

85. The ecosystem will be the only relying party supported by the Identity Service – the consent and authorisation service will orchestrate transmission of asserted attributes, with the user’s consent, on successful validation of the user’s identity.

Request for feedback

As we move into the next phase of analysis, ahead of a planned procurement exercise, the direction remains that the identity solution should be based on GPG 45 and authentication on GPG 44.

This assertion is based on the principle that a consistent, repeatable and comprehensible standard, which can be independently certified, should be applied that will meet the requirements of both government and industry participants.

To validate that assumption and understand any additional requirements that would need to be considered, the PDP would welcome your feedback on the following points, both from your company’s perspective and how you think it will be reflected across the industry:

1. Do you agree that finding pensions and viewing pension details via a pensions dashboard should include a central digital identity, asserted to an appropriate standard, in accordance with the GPG 45?

If no, what alternative approach would you recommend?

2. The proposal includes a level of confidence in identity and a level of authentication. Do you have a view on the level of assurance that needs to be achieved to provide comfort to release pension information?

If Yes, what elements do you think are the primary factors?

If No, what additional information would you need to be able to make an assessment?

3. The suggested levels of confidence (GPG 45) and authentication (GPG 44) are ‘medium’, which equates to the previous versions of the standard level of assurance two. Do you agree that this is the correct level?

If No, what would you suggest is the correct assurance level for both proofing of identity and strength of authentication?

4. Is there an alternative to the default levels of assurance from the Good Practice Guidelines and how would you anticipate them being measured?

5. Does your firm have any view on proofing or authentication methods and operate a current internal standard that differs from the GPGs medium level?

If Yes, could you please provide an overview that could help direct the programme’s approach?

6. The architecture includes the central identity service to ensure that a uniform, controlled process exists, and that a user can easily manage their own consents.

Please provide your thoughts on this approach and any challenges that you may foresee.

7. Are there any specific requirements that you would anticipate the Pensions Dashboards Programme having to meet when seeking:

a. your firm’s approval for a standard approach to identity assurance
b. a cross industry agreement on a standard for identity assurance

8. What security related controls (other than identity proofing and authentication) do you see as important in your acceptance of the PDP solution for Pensions Dashboards?