BS 8626:2020 Design and operation of online user identification systems. Code of practice

Formats available:
  • English Secure PDF (immediate download): 465.40 USD
  • English Hardcopy (in stock): 465.40 USD

Standard number: BS 8626:2020
Pages: 122
Released: 2020-12-16
ISBN: 978 0 539 01297 2
Status: Standard
DESCRIPTION

This standard BS 8626:2020 Design and operation of online user identification systems. Code of practice is classified in these ICS categories:
  • 35.030 IT Security
  • 35.240.01 Application of information technology in general

This British Standard gives recommendations and supporting guidance for the design and operation of an online user identification system (OUIS) and the corresponding user digital identity management systems (IdMS). Authorized users may be individuals acting in a personal capacity (e.g. consumer, customer or citizen), individuals acting on behalf of another individual (e.g. as a proxy), or individuals acting in a role within a digital identity provider (IdP) and/or relying party (RP), e.g. as an employee or authorized contractor. In particular, recommendations are given for:

  1. establishing or revising an OUIS, including:

    1. business objectives and requirements for an OUIS;

    2. requirements for protecting the life cycle management of digital identities associated with individuals;

    3. requirements for protecting data used specifically for identifying or authenticating individuals;

    4. requirements for protecting against attacks on specific types of user knowledge-based authentication methods, possession-based authentication methods and biometric recognition methods and modes of operation;

  2. the controls for managing the life cycle of users’ digital identities for an OUIS, including:

    1. creation, proofing and issuance of a digital identity and the formation of the digital identity’s associated credential;

    2. identification together with credential usage (where applicable);

    3. activities to update credentials and associated data, and notification of these changes to the user;

    4. revocation, expiration, reinstatement, disqualification or user cancellation of a digital identity’s credential and purging or archiving of digital identities; and

  3. evaluating the effectiveness of an OUIS, including the management of user identification errors, such as false positives and false negatives, and efficiency, including the user identification transaction timings and demand on resources.

This British Standard:

  1. describes various knowledge-based authentication methods, possession-based authentication methods and biometric recognition methods, together with their inherent vulnerabilities;

  2. provides recommended measures to mitigate the potential exploitation of these identified vulnerabilities; and

  3. assists in the development of a risk mitigation strategy, though it does not cover risk identification, protection, detection, response and recovery, as part of developing a supporting performance management strategy and plan.

The standard is applicable where the user initiates the process of user identification for an online service supplied by an RP and the processes of user identification to access an IdP’s IdMS (if applicable).

This standard covers the management of digital identities by organizations, including IdPs, and individuals’ management of the credentials allocated to them by an IdP and/or RP. It concentrates on the OUIS component of access control mechanisms. However, reference is made to the permission management associated with roles and authorization functions of associated policy decision points in decision authorization systems.

This standard is applicable to online authentication transactions that are associated with either online or offline identity proofing processes, but its recommendations might also be useful for the design of offline authentication transactions, though their applicability in these contexts requires careful consideration.

The scope of the transaction commences with the authentication/recognition request from an authorization system or access control mechanism through to the return response by the authentication/recognition subsystem, as illustrated in Figure 1. The authentication/recognition subsystem includes capture of signals from an individual through an input device, e.g. keyboard or sensing apparatus (e.g. camera), through to a decision component, which determines whether the identification data presented are sufficient to authenticate or recognize an individual within predetermined user identification assurance parameters.

Figure 1 Generic model of user identification

This standard covers the situations where the authentication and/or recognition decision engine resides either on the user’s intelligent device or in a remote information system.

This standard covers “man-in-the-middle” (MITM) attacks on authentication methods and biometric recognition methods only. It does not cover MITM authentication attacks or similar substitution attacks on networks, computer operating systems, computer programs, applications, router and/or certificate repositories. The vulnerabilities and associated mitigation controls relating to these technologies are outside the scope of this standard.

This standard does not cover security controls in networks, computers, operating systems, application software and supporting utilities or input devices.

This standard is not applicable to device identification, though, in most digital interactions, the user needs to bind their digital identity or their credential to the device, so that the device can be trusted by the network and/or IdP or RP. The exclusion of device identification applies equally to a user’s device and the user’s application authentication of a remote information system (e.g. web server gated cryptography hosting the RP’s application or resource).

NOTE An example of the use of device identification is the binding of a user to their mobile phone’s international mobile equipment identifier (IMEI) or to the subscriber identity module (SIM) or international mobile subscriber identity (IMSI), to prevent an attacker replacing the SIM in a stolen mobile phone and impersonating the genuine user.

This standard does not give specific recommendations for:

  • single sign-on systems;

  • digital identity federation schemes;

  • password application managers and password generation software; and

  • attributes sharing between organizations in a contractual relationship.

The de-identification of data relating to a digital identity is outside the scope of this standard, but guidance on this is given in BS ISO/IEC 20889.