Digital identity is a fast-growing yet fragmented ecosystem. Around the world, there are numerous initiatives underway aiming to create reusable digital identities and rails on which they can be used. Some of these initiatives are being driven by the public sector; others from the private sector. Some are based around the idea of a digital wallet; others are focused more on APIs.
Key to the success of these initiatives will be interoperability and trust. Large scale adoption will only occur when reusable digital identities work seamlessly no matter where they are presented. They also need both the user presenting their identification, and the parties relying on verified digital identity data to have sufficient confidence that such solutions are safe and secure.
This is why we need certification schemes - to demonstrate that solutions meet the required standards before they are used in production. The need for certification schemes is clearly demonstrated in payments, where both interoperability and security certifications have played an essential role for many years.
Digital identity certification is itself an evolving space but there is an emerging picture of the scope and approach needed as digital identity scales up.
Defining the scope of Certification.
The scope of the certification should include all elements that are required to ensure the smooth functioning of the scheme at scale.
Figure 3: Potential Scope of a Certification Scheme.
Potential areas of certification include:
Compliance - auditing solutions to gain operational assurance.
Interoperability - testing that solutions conform to technical specifications.
Functionality - auditing solutions to gain assurance in functional aspects such as identity assurance processes.
User Experience - testing the user experience against branding or usability
Security - evaluating the technical security of systems and components.
The exact scope will depend on the scheme. For example, the Canadian Voila Verified scheme assesses solutions against the Pan-Canadian Trust Framework which is technology agnostic. Hence its scope includes compliance and security but not interoperability.
Establishing a Certification approach.
The scope of the certification should include all elements that are required to ensure the smooth functioning of the scheme at scale.
The basic certification structure is as follows:
Figure 2: Basic Structure of a Certification Scheme.
The Certification Scheme is the organization that sets the rules for certification. The scope can be narrow, such as the Transportation Security Administration (TSA) specifying its requirements for Mobile Driver’s License (mDL) acceptance for domestic air travel in the US. Or it can be broad, such as the UK Digital Identity and Attributes Trust Framework (DIATF) scheme for certifying all types of digital verification services.
The certification itself will be conducted by a Certification Body. ISO 17065 sets out the requirements for Certification Bodies. This includes requiring an appropriate organizational structure, management system, processes for conducting a conformity assessment and ensuring that the assessors have the necessary skills and expertise. The objective is to ensure that conformity assessment is both impartial and consistent.
A Certification Body may choose to employ the services of one or more specialist laboratories. For example, technical conformance testing could be performed by a laboratory accredited under ISO 17025.
The Certification Scheme may appoint an Accreditation Body to audit the Certification Bodies and laboratories that are part of the certification scheme. Accreditation Bodies can be national or non-national bodies and have their own compliance standard – ISO 17011.
Accreditation Bodies assess Certification Bodies within the context of a specific scheme. One of the things they are assessing is whether they have the competence to carry out the specific certification activities they will undertake. A soil assessment Certification Body, for example, is unlikely to be equipped to assess digital identity solutions. Not only does this mean that only certain Certification Bodies will be able to perform digital identity certifications. It also means that those Certification Bodies need to be accredited for every scheme that they wish to support. Whilst the digital identity space remains fragmented, this could mean many accreditations are needed for Certification Bodies that wish to have a broad reach.
There are several approaches being taken:
In Australia, the Australian Competition and Consumer Commission (ACCC) is the scheme for the Trusted Digital Identity Framework (TDIF). It sets out the requirements for independent assessors, requiring them to meet specified standards (e.g. ISO 17025 for biometric testing). The ACCC appears to not use an independent accreditation body to accredit the assessors. Somewhat confusingly, the term accreditation is used for the services being assessed, which diverges from the ISO terminology above.
The FIDO Alliance runs three certification programs. The FIDO Alliance is the scheme owner. It sets the rules. The scheme is overseen by the FIDO Scheme Secretariat. The rules require labs accredited by a "third-party accreditation program" to ISO 17025, suggesting that they recognize schemes in the market.
GlobalPlatform operates security-related certification schemes related to Secure Element (SE) and Trusted Execution Environment (TEE) technology. They operate the Certification Body and have had it accredited by an independent non-national accreditation body. The GlobalPlatform rules require labs to be accredited under ISO 17025 by a national accreditation body but allow for those accreditations to have a different technical scope.
In the EU, the eIDAS regulation and associated implementing acts make member states responsible for creating ISO 17065 based certification schemes with a focus on security. Individual member states cannot, however, address interoperability at an EU level.
In the US, you could view the growing number of mDL implementations as state-defined schemes. There is alignment around the ISO 18013 standards and AAMVA is helping with coordination, but no organization is setting certification rules for the overall ecosystem - apart from TSA in its own specific context.
Although ISO has established standardized structures for certification schemes, there is not complete alignment within the market.As digital identity becomes increasingly critical to secure online interactions, robust and trusted certification schemes are not just beneficial—they are essential. At Fime, we are working closely with our customers and partners to create standardized digital identity certification schemes to support the rapid growth in digital identity solutions over the next few years, driven by regulation and demand.
Get in touch if you want to find out more.
