forked from 18F/identity-playbook
about.html
---
layout: default
title: About identity management
permalink: /about/
js:
- 'build/bundle.js'
---
<div id="about-identity" class="bg-navy" tabIndex="-1">
<div class="container cntnr-wide px2 py5">
<h2 class="mt0 mb1 h2 sm-h1 white">
About identity management
</h2><img alt="hr" class="mb3" src="{{ '/img/hr-red-2.svg' | prepend: site.baseurl }}">
<p class="h3 sm-h2 mb2 serif white">
Before implementing login.gov or any other consumer identity management system, you should determine whether your agency or organization needs one. Below is a list of questions to ask and things to consider to help you figure that out.
</p>
</div>
</div>
<div class="bg-white">
<div class="container cntnr-wide px2 pt4 pb5">
<div class="clearfix">
<div class="sm-col sm-col-8 mb2">
<h3 id="protecting" class="mt0 mb2 pt2 h2 sm-h1" tabIndex="-1">
What are you protecting?
</h3>
<p class="mb4 serif fs-lead">
It’s worth assessing what you really need before beginning implementation. Not all information requires an identity system to manage access. You can protect the privacy of users and reduce the security risk to your systems by avoiding any unnecessary collection of personally identifiable information — this even includes contact details.
</p>
<h4 class="mt0 mb2 h3">
You might not need to implement an identity system if:
</h4>
<ul class="mb3 pl2 ml2 serif h4 pb-list--bullet">
<li class="mb2 fs-lead">
<div class="gray">
You do not need to have an ongoing relationship with users
</div>
</li>
<li class="mb2 fs-lead">
<div class="gray">
Transactions don’t depend upon personal information being accurate
</div>
</li>
<li class="mb2 fs-lead">
<div class="gray">
You can rely on other forms of security
</div>
</li>
</ul>
<h4 class="mt0 mb2 h3">
To answer this, ask
</h4>
<ul class="list-reset mb4 pb-list--checkbox">
<li class="mb3 pl3">
<div class="mb1 serif h4 bold">
What transactions will users need?
</div>
<p>
Will the transactions be ongoing, as when users bookmark benefits or grant applications to fill out later, then return repeatedly to check the application status? Or will they be one-time or infrequent, as when people download medical or financial records?
</p>
</li>
<li class="mb3 pl3">
<div class="mb1 serif h4 bold">
What kind of information do you need in order to protect your customers?
</div>
<p>
Do you need full name and other personal information so that users can access private information? Or do you only need to verify that a user fits in certain categories, such as the veterans category or the senior citizens category?
</p>
</li>
<li class="mb3 pl3">
<div class="mb1 serif h4 bold">
What sort of crime might access to this information make possible?
</div>
<p>
Information that seems innocent on its own might still be valuable to fraudsters and other criminals in combination with other easily accessed information.
</p>
</li>
<li class="mb3 pl3">
<div class="mb1 serif h4 bold">
What other means of security are available?
</div>
<p>
Postal tracking numbers, for example, are not secrets because the package will only be delivered to a specific address. The safety of the delivery rests on the security of the building and the conduct of the delivery person, not on the secrecy of the number itself.
</p>
</li>
</ul>
<h4 class="mt0 mb2 h3">
What kinds of resources do you already have to identify customers?
</h4>
<p class="mb3 serif fs-lead">
Your agency may already have mission-specific information and resources that can be used to identify customers. By integrating resources you know and trust, you can increase the reliability of identification.
</p>
<h4 class="mt0 mb2 h3">
To answer this, ask
</h4>
<ul class="list-reset mb3 pb-list--checkbox">
<li class="mb3 pl3">
<div class="mb1 serif h4 bold">
What resources are unique to your agency?
</div>
<p>
Individuals’ confidential interactions with government agencies can generate a trail of metadata. Used carefully, that metadata can facilitate identity verification based on knowledge of those activities. Other government organizations serve as authoritative repositories of biometric data available for internal use. Some agencies may have physical locations that customers can visit.
</p>
</li>
</ul>
<h3 id="consumer-identity" class="mt0 mb1 pt2 h2 sm-h1" tabIndex="-1">
What is a consumer identity management system?
</h3><img alt="hr" class="mb3" src="{{ '/img/hr-red-5.svg' | prepend: site.baseurl }}">
<p class="mb5 serif fs-lead">
When you’re at home and someone knocks at your door it’s easy enough to decide whether or not to answer. Based on your knowledge of who’s outside, you can decide whether to open the door. Is the person outside a friend? A mail carrier or other expected service provider? A complete stranger? Online, the question of deciding “who’s there” is much harder. Consumer identity management systems make it easier for system administrators to decide whether or not to open the door, and how wide.
</p>
<h4 class="mt0 mb1 h3">
What is an identity?
</h4>
<p class="mb3">
In the world of security, “identity” has a very specific technical meaning that differs from its plain English sense. An “identity” in technical terms is a special kind of record — a bundle of different types of data that together describe only one system user [NIST 800-63-3]. That data can include references to official government records, such as driver’s license numbers and registered birth dates, as well as more mutable data such as email addresses and usernames. Physical attributes such as fingerprints and DNA can also be part of an identity record.
</p>
<h4 class="mt0 mb1 h3">
How do identity and access management work?
</h4>
<p>
System administrators assign access privileges to each identity record. These privileges authorize certain activities and forbid others. To “open the door” safely, however, administrators need confidence that the users knocking at the door are who they say they are.
</p>
<p class="mb3">
To give the system and its administrators confidence in their identities, users need to prove their identities through an activity called authentication. Users authenticate themselves by presenting evidence that links them to their records. To do that, users first help the system locate their record — for example, by typing in a username. Then users hand over the evidence — often, passwords or other information only the real person would know.
</p>
<h4 class="mt0 mb1 h3">
What does having an identity record enable?
</h4>
<p class="mb3">
Identity systems don’t just benefit system administrators. Users can do some very handy things with an authenticated digital identity. Here’s a small list:
</p>
<ul class="mt0 mb5 ml1 pl1 pb-list--bullet">
<li class="mb2">
<span class="gray"><span class="bold">Pre-filling online forms with verified information speeds up application processing.</span> There’s less redundant effort, and users don’t need to worry about basic errors.</span>
</li>
<li class="mb2">
<span class="gray"><span class="bold">Authenticated users can access and download data the system holds about them, such as account activity.</span> With a verified legal identity, the user can access very sensitive medical or financial records and even download them.</span>
</li>
<li class="mb2">
<span class="gray"><span class="bold">Identity systems can protect your privacy.</span> If you need to be 21 or older to access a service, you can authorize an identity system to confirm your age without sharing your exact birth date.</span>
</li>
</ul>
<h3 id="implementation" class="mb2 pt2 h2 sm-h1" tabIndex="-1">
Implementation
</h3><img alt="hr" class="mb3" src="{{ '/img/hr-red-6.svg' | prepend: site.baseurl }}">
<ul class="list-reset mb5">
<li class="mb2">
<a href="https://pages.18f.gov/identity-dev-docs/">Please read the developer documentation.</a>
</li>
</ul>
<h3 id="resources" class="mb2 pt2 h2 sm-h1" tabIndex="-1">
Resources
</h3><img alt="hr" class="mb3" src="{{ '/img/hr-red-7.svg' | prepend: site.baseurl }}">
<ul class="list-reset mb3">
<li class="mb2">
<a href="https://pages.nist.gov/800-63-3/">National Institute of Standards and Technology</a> (NIST 800-63-3)
</li>
<li class="mb2">
<a href="https://playbook.cio.gov/#introduction">Digital Services Playbook</a>
</li>
<li class="mb2">
<a href="https://github.com/18F/identity-idp">GitHub repo for login.gov</a>
</li>
<li class="mb2">
<a href="https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog">On the Internet, nobody knows you're a dog</a>
</li>
</ul>
</div>
<nav id="pb-nav--side-cntnr" class="sm-col-right sm-col-3 sm-show">
<ul id="pb-nav--side" class="list-reset pt2 red nav">
<li class="mb2"><a class="h5 serif" href="#about-identity">About identity management</a></li>
<li class="mb2"><a class="h5 serif" href="#protecting">What are you protecting?</a></li>
<li class="mb2"><a class="h5 serif" href="#consumer-identity">What is a consumer identity management system?</a></li>
<li class="mb2"><a class="h5 serif" href="#implementation">Implementation</a></li>
<li class="mb2"><a class="h5 serif" href="#resources">Resources</a></li>
</ul>
</nav>
</div>
</div>
</div>