PCTF authentication component ready for inclusion in DIACC program
The Digital ID Authentication Council of Canada (DIACC) has released its Pan-Canadian Trust Framework (PCTF) Authentication Final Recommendation V1.2, making its authentication component ready to be added to the DIACC’s certification program.
In its own words, the PCTF Authentication Component defines “a set of processes that enable access to digital systems” and “a set of conformance criteria for each process that, when a process is shown to be compliant, enable the process to be trusted.” Criteria measure success and accuracy of authentication at login through an authentication service provider, as well as predictability and continuity in login processes.
The DIACC makes a point of noting that the trusted processes defined for the authentication component are “agnostic with respect to how digital IDs are issued and managed at the technology level. Each participant will need to determine which technologies and methods are best suited to the requirements of their constituents and their own target business outcomes.”
In other words, you may use biometrics, cryptographic security keys or other systems for authentication; the DIACC will only assess whether the processes can be trusted against its criteria.
However, a note on biometrics says “industry standards relevant to this PCTF component generally do not recommend the use of biometrics as the only Authentication Factor in a given system. Rather, current guidance suggests an appropriate use of biometrics is a means to unlock a local Authenticator (perhaps existing on a local device) to facilitate Authentication to a remote service.”
In this, it says, it aligns with guidance from the U.S. National Institute of Standards and Technology (NIST) publication 800-63-3 on digital identity, and from the Canadian Communications Security Establishment publication Information Technology Security Guidance for the Practitioner 30.031 V3 on authentication, in considering “biometric authentication appropriate only in combination with another authentication factor.”
An example of biometric authentication used in combination with another authentication factor “would be to employ a biometric solution that works across channels via facial, fingerprint or voice recognition (something you are) in addition to another authentication method such as control and possession of a mobile device (something you have).”
The DIACC believes that, by providing a reliable method for authentication, the PCTF will “foster trust and confidence among users, service providers, and stakeholders,” which is “crucial for the widespread adoption of digital services.”
The DIACC’s website has a link to access the full PCTF Authentication Component Overview Final Recommendation V1.2 document.