Being sure of someone's Digital Identity is only as important as the information you're trying to protect. Many online services can be adequately protected using simple usernames and passwords and most communications don't need to be encrypted. Usernames and passwords are easily compromised, shared or copied, but in most cases the value of the information being protected isn't that important anyway.
Usernames and passwords offer One Factor Authentication because the end user is only required to have one item or factor: 'something they know' (the username and password). For other Factors of Authentication, you need to carefully balance the security level and Validation Process used, with how simple it is for the end user to understand and use.
The following sub sections may help to broaden your knowledge and help you to make a more informed decision:
For a Digital Identity to have any real value, the Validations Process [3] used to issue that identity is critical. This process checks each step that is taken to prove the person's Natural Identity before they are issued with their Digital Identity. The Natural Identity is proved using the 'Layered Approach'.
1. Public Information
2. Electronic Information
3. Location or Email Address
4. Unique Processes
5. Secret or Shared Secret Information
6. Possessions
7. Face, Eyes, Fingerprints, Biometrics, etc
8. DNA
The approach is to carefully balance the level of Identity Assurance with the Complexity Use level your end users will experience. It is easy to reach this balance if you understand the Validation Sphere approach. The Digi-CAST™ Team [4] use the Validation Sphere system as part of their project planning for any Digi-Access™ [5] system implementation.
The Validation Sphere [6] creates the balance between security and ease of use and can be applied to any environment where authentication of the end user is required. Digi-Access™ Certificates are simple to deploy and use, and by applying the Validation Sphere, you can further simplify the Validation Process.
[7] In the 'real world' passports and ID cards identify people, crests or symbols identify institutions like the police or a hospital and a seal or stamp authenticates a document [8].
In the online world, a Digital Certificate [9] can be used to identify a person, an authority or device like a web site and/or an electronic file or piece of software.
The CA issues Digital Certificates. The purpose of the CA is to provide digital identities and/or to prove the authenticity of users, devices or files. The digital identities are proven by use of the Digital Certificates.
The Digital Certificate is the unique identifier that allows individuals and devices to be irrefutably linked to their actions, transactions and communications. In the case of an organization or corporate body, the Digi-SSL™ acts as a seal or crest of authenticity. For an individual, the Digital Certificate acts as the electronic equivalent of the passport or driver's license.
Another use for the Digital Certificate (also called an Electronic Signature) is for digitally signing electronic files and data just as a person’s signature or official seal is used to authenticate paper documents. This dual functionality of both identification and two factor authentication [10] enables many different types of electronic transactions.
If you want to use the Internet as a tool to improve communications, reduce costs, to improve customer service and retention or to expand your market reach, then Digi-Sign’s products, services and solutions will help you.
These same offerings can be used in physical border control, building access, electronic signatures and any situation where truly knowing the other person/device is a necessity to securing the transaction.
[7] In a correctly run and operated CA [11], a team of trained RA Administrators manually check and verify every request for an SSL Certificate [12] following an internationally recognised practice known as validations [13].
For expedience and to save on cost, some CAs [11] automate the Validation process so that the CA can deliver its Certificates cheaply and without the need for manual Validations. The Certificates are delivered quickly, but an automated Validations process is flawed and can undermine the integrity and values of the Certificates it issues.
Regardless of how you request a Certificate, the RA should validate the request and then issue the Certificate. Automated Certificate issuance from a CA is only one part of the overall Certificate life cycle and what it saves in expedience, it loses in security. Digi-Sign would only recommend using automated Certificates for very specific, closed environments where Certificate integrity is easily controlled. A customised version of Digi-CA™ [14] would be a good example of a closed and customised environment where automation can be implemented without affecting the security or integrity of the validations process.
Two-factor authentication, Machine Readable Travel Documents [MRTD [15]] systems, national ID card systems, web access control, e Passports [16], device-to-device authentication and two factor authentication [10], can all require the use of Certificates. Integral to all of these environments is the requirement for digital authentication, digital identification, digital encryption, digital stamping and/or digital signing and being able to support these transactions with a legally binding infrastructure.
[7] Consider the following questions carefully:
Remember, the Digi-ID™ [17] can be used in a variety of different security situations, however the most common uses are for proving identity, digitally signing/sealing files and encrypting data or two factor authentication [10].
This is how the Digi-ID™ answers the above questions:
If the Bank is serious about security, they will use a Digi-SSL™ [18] Secure Web Server Certificate to prove its online web site identity.
Using a Digi-Code™ [19] Software/Code Signing Certificate, a pop up dialog box assures the user of the Publisher’s identity prior to download.
If the email is first encrypted using a Digi-ID™ for email [Digi-Mail™ [17]], then only the intended recipient can decrypt the email.
Passwords can be copied and misused, however, if each user has a Digi-ID™, using Digi-Access™ [5], security and identification is assured because this is strong two factor authentication [10].
The same Digi-SSL™ that confirms the identity of the website, automatically encrypts any data that is submitted through it.
Again using the Digi-ID™, because the identity of the owner has been verified, they can use it to sign any digital file.
Using a Digi-CA™ [14] combined with Digi-Access™, the systems can be secured and all users can be verified before offering them the correct access level.
[20] In a correctly run and operated CA, a team of trained RA Administrators manually check and verify every request for an SSL Certificate [12] following an internationally recognised practice known as validations [21].
This means that two or more Validations Officers physically check your details and entitlement to get the Digi-SSL™ [18] before it is issued to you. This rigorous checking procedure protects you from someone else stealing your online identity because the Digi-Sign Triple-Check Validations™ has a 100% track record of never issuing a Digital Certificate [9] to the wrong party. Once this Digi-SSL™ is put on your website, visitors know your site is genuine.
For expedience and to save on cost, some CAs have automated the Validation process so that the CA can deliver its Certificates cheaply and without the need for manual Validations. The Certificates are delivered quickly, but an automated Validations process is flawed and can undermine the integrity and values of the SSL it issues.
Regardless of how you request an SSL Certificate, the RA should validate the request and then issue the Certificate to you. Automated Certificate issuance from a CA is only one part of the overall Certificate life cycle and what it saves in expedience, it loses in security. We only recommend using automated SSL Certificates for very specific, closed environments where Certificate integrity is easily controlled. For reputable and reliable providers, you should use vendors like VeriSign® or Digi-Sign to ensure your SSL Certificates are correctly validated and have internationally recognised integrity.
Important Note: Automated SSL Certificate delivery from a CA should not be confused with ‘automated life cycle management’ that occurs inside your organisation once you receive the SSL(s) from the CA.
The important and separated function of the Validation process is never expedited and can take the RA several days to complete. There are considerable variations in time between the validation for one SSL Certificate and another. So the specific time that the RA will take to validate an SSL request from the CA can result in unexpected delays that further frustrate the process of actually getting your SSL Certificate.
[20] Any network where information is stored electronically needs to be secured. Up to now, the most common way of protecting such data has been through the use of usernames and passwords. This is no longer considered ‘secure’.
A single unsecured transaction could result in significant losses to an organization. This alone makes a strong argument for using Digital Certificates. Digital Certificates remove this risk completely.
Even more compelling business arguments in favour of using Digital Certificates [Digi-IDs™] would include the reduction or removal of paper forms and workflow from an organization. Paper business processes can be computerized and digital signatures replace handwritten signatures using Digi-IDs™ [17]. The savings to organizations as a result of using this technology are well documented.
However, the Digital Certificate is only as good as the security processes and procedures that surround the issuing of that Certificate to the individual or device. This is where the validations [21] process, and its importance, must be understood thoroughly. If it is easy for one person to assume the identity of another and subsequently, as a result of poor policies and procedures, successfully apply for and receive another person’s Certificate, then the value of that digital identification is effectively useless. By contrast, a correctly managed Certificate Authority can bring endless value and cost savings to countless digital and physical environments.
Two-factor authentication, Machine Readable Travel Documents [MRTD [15]] systems, national ID card systems, web access control, e Passports [16], device-to-device authentication and two factor authentication [10], can all benefit from the use of SSL and other Digital Certificates. Integral to all of these environments is the requirement for digital authentication, digital identification, digital encryption, digital stamping and/or digital signing and being able to support these transactions with a legally binding infrastructure. The Digi-SSL™ [18] Certificate is a basic component in each of these environments and its presence is central to their correct performance, whilst Digi-CA™ [14] can provide the end user identification required in each of the above cases.
Global Data Company [GDC [22]] specialises in on-line identity verification services for a broad range of markets including Anti-Money Laundering [AML], Know Your Customer [KYC] and a host of other risk & fraud mitigation and compliance purposes.
GDC has data assets in over 35 countries comprising government, credit, utility and other public data sources. The data coverage is based on their primary goal of being able to provide a seamless and robust service that has strong enough in-country data capabilities to provide a market leading identity verification service, whilst also providing clients with the ability to verify their customers in a diverse range of countries.
GDC's core business is international data and they make it their business to continually improve the breadth, quality and reach of their data. All of the data must meet strict guidelines and be deemed to be independent, reliable whilst coming from a transparent source.
GDC also have other data capabilities in other regions where data is more difficult to secure. They ensure that their data acquisition and integration team consults regularly with customers in order to prioritise data procurement needs.
The following is the current list of countries where the IDV service is offered:
Links:
[1] https://www.digi-sign.com/service/digi-cast
[2] https://www.digi-sign.com/compliance/introduction
[3] https://www.digi-sign.com/identity+authentication/validations
[4] https://www.digi-sign.com/en/digi-cast
[5] https://www.digi-sign.com/digi-access
[6] https://www.digi-sign.com/en/identity+authentication/index
[7] https://www.digi-sign.com/downloads/download.php?id=digi-ca-pdf
[8] https://www.digi-sign.com/digital+document
[9] https://www.digi-sign.com/digital+certificate
[10] https://www.digi-sign.com/two+factor+authentication
[11] https://www.digi-sign.com/certificate+authority
[12] https://www.digi-sign.com/ssl+certificate
[13] https://www.digi-sign.com/validations
[14] https://www.digi-sign.com/digi-ca
[15] https://www.digi-sign.com/electronic+identification
[16] https://www.digi-sign.com/e+passport
[17] https://www.digi-sign.com/digi-id
[18] https://www.digi-sign.com/digi-ssl
[19] https://www.digi-sign.com/digi-code
[20] https://www.digi-sign.com/downloads/download.php?id=aacd-pdf
[21] https://www.digi-sign.com/aacd/validations
[22] http://www.globaldatacompany.com
[23] https://www.digi-sign.com/product/idv