CATALOG OF Technical Standards for Digital Identification Systems
UPDATED AUGUST 2022

© 2022 International Bank for Reconstruction and Development/The World Bank
1818 H Street, NW, Washington, D.C., 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

Some Rights Reserved

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Nothing herein shall constitute or be considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, or of any participating organization to which such privileges and immunities may apply, all of which are specifically reserved.

Rights and Permission

This work is available under the Creative Commons Attribution 3.0 IGO license (CC BY 3.0 IGO) http://creativecommons.org/licenses/by/3.0/igo. Under the Creative Commons Attribution license, you are free to copy, distribute, transmit, and adapt this work, including for commercial purposes, under the following conditions:

Attribution—Please cite the work as follows: Mittal, Anita. 2022. Catalog of Technical Standards for Digital Identification Systems, Washington, DC: World Bank. License: Creative Commons Attribution 3.0 IGO (CC BY 3.0 IGO)

Translations—If you create a translation of this work, please add the following disclaimer along with the attribution: This translation was not created by The World Bank and should not be considered an official World Bank translation. The World Bank shall not be liable for any content or error in this translation.

Adaptations—If you create an adaptation of this work, please add the following disclaimer along with the attribution: This is an adaptation of an original work by The World Bank. Views and opinions expressed in the adaptation are the sole responsibility of the author or authors of the adaptation and are not endorsed by The World Bank.

Third Party Content—The World Bank does not necessarily own each component of the content contained within the work. The World Bank therefore does not warrant that the use of any third-party-owned individual component or part contained in the work will not infringe on the rights of those third parties. The risk of claims resulting from such infringement rests solely with you. If you wish to re-use a component of the work, it is your responsibility to determine whether permission is needed for that re-use and to obtain permission from the copyright owner. Examples of components can include, but are not limited to, tables, figures, or images.

All queries on rights and licenses should be addressed to World Bank Publications, The World Bank, 1818 H Street, NW, Washington, DC, 20433; USA; email: pubrights@worldbank.org.

Cover images: Shutterstock.

TABLE OF CONTENTS

ABBREVIATIONS (p. v)
ACKNOWLEDGMENTS (p. vii)
ABOUT ID4D (p. vii)
1. INTRODUCTION (p. 1)
2. OBJECTIVE (p. 2)
3. SCOPE (p. 2)
4. THE IDENTITY LIFECYCLE (p. 3)
4.1 Registration (p. 3)
4.1.1 Identity Claim (p. 3)
4.1.2 Identity Proofing (p. 4)
4.2 Issuance (p. 4)
4.3 Authentication (p. 4)
4.4 Lifecycle Management (p. 4)
4.5 Federation (p. 4)
5. DIGITAL ID RELATED TECHNICAL STANDARDS (p. 6)
5.1 Why Are Standards Important? (p. 6)
5.2 Standards-Setting Bodies (p. 6)
5.3 Technical Standards (p. 7)
Technical Standards for Interoperability (p. 7)
Technical Standards for Robust Identity Systems (p. 14)
5.4 Levels of Assurance (p. 17)
6. COUNTRY USE CASES (p. 18)
Example 1: ID-Kaart in Estonia—Smart Card and Mobile ID (p. 18)
Example 2: Aadhaar Identity System of India—Biometric Based (p. 20)
Example 3: Malawi—Biometrics and Smart Card (p. 22)
Example 4: Smart eID in Pakistan—Biometrics and Smart Card (p. 24)
Example 5: eID with Digital Certificate in Peru (p. 26)
7. CONCLUSION (p. 28)
BIBLIOGRAPHY (p. 30)
APPENDIX A. ISO/IEC JTC SUBCOMMITTEE, WORKING GROUPS AND THEIR MANDATE (p. 31)

LIST OF FIGURES

FIGURE 1 IDENTITY LIFECYCLE (p. 3)
FIGURE 2 STANDARDS FOR IDENTIFICATION SYSTEM (p. 8)
FIGURE 3 DECISION TREE STANDARDS (p. 9)
FIGURE 4 EXAMPLE LEVELS OF ASSURANCE (p. 17)
FIGURE 5 ISO/IEC JOINT TECHNICAL COMMITTEE 1: SUBCOMMITTEES AND WORKING GROUPS FOR ID MANAGEMENT (p. 32)

ABBREVIATIONS

AFNOR: Association Française de Normalisation (Organisation of the French Standardisation System)
ANSI: American National Standard Institute
ASN.1: Abstract syntax notation one
BAPI: Biometric Application Programming Interface
CAP: Chip Authentication Program
CBEFF: Common Biometric Exchange Formats Framework
CEN: European Committee for Standards
CITeR: Center for Identification Technology Research
DHS: Department of Homeland Security
DIN: German Institute of Standardization
eID: Electronic Identification Card
EMV: Europay, MasterCard and Visa—Payment Smart Card Standard
EMVCo: EMV Company
FIDO: Fast IDentity Online
GSM: Global System for Mobile Communication
GSMA: The GSM Association
IBIA: International Biometrics and Identification Association
ICAO: International Civil Aviation Organization
ICT: Information and Communication Technologies
ID: Identification
ID4D: Identification for Development
IEC: The International Electrotechnical Commission
ILO: International Labor Organization
INCITS: International Committee for Information Technology Standards
ISO: The International Organization for Standardization
IT: Information Technologies
ITU-T: ITU’s Telecommunication Standardization Sector
JTC: Joint Technical Commission
MRZ: Machine-Readable Zone
NADRA: National Database and Registration Authority (of Pakistan)
NICOP: National Identity Cards for Overseas Pakistanis
NIST: National Institute of Standards and Technology
OASIS: Organization for the Advancement of Structural Information Standards
OpenID: Open ID Foundation
PSA: Pakistan Standards Authority
PIN: Personal Identification Number
PKI: Public key infrastructure
RFID: Radio-Frequency Identification
RMG: Registration Management Group
SA: Standards Australia
SDGs: Sustainable Development Goals
SIA: Secure Identity Alliance
SIS: Swedish Standards Institute
SNBA: Swedish National Biometrics Association
UIN: Unique Identity Number
UIDAI: Unique Identification Authority of India
WB: The World Bank
WG: Working Group

ABOUT ID4D

The World Bank Group’s Identification for Development (ID4D) initiative uses global knowledge and expertise across sectors to help countries realize the transformational potential of digital identification systems to achieve the Sustainable Development Goals. It operates across the World Bank Group with global practices and units working on digital development, social protection, health, financial inclusion, governance, gender, legal, among others.

The mission of ID4D is to enable all people to access services and exercise their rights, by increasing the number of people who have an official form of identification. ID4D makes this happen through its three pillars of work: thought leadership and analytics to generate evidence and fill knowledge gaps; global platforms and convening to amplify good practices, collaborate and raise awareness; and country and regional engagement to provide financial and technical assistance for the implementation of robust, inclusive and responsible digital identification systems and with civil registration.

The work of ID4D is made possible through support from the Bill & Melinda Gates Foundation, the UK Government, the French Government, Norad, and the Omidyar Network.

To find out more about ID4D, visit id4d.worldbank.org. To participate in the conversation on social media, use the hashtag #ID4D.

ACKNOWLEDGMENTS

The catalog was prepared by Anita Mittal with contributions from Tariq Malik, Ott Köstner, Flex Ortega De La Tora, Adam Cooper, Ted Dunstone, Seth Ayers, Daniel Bachenheimer, Alastair Treharne, Dr. Narjees Adennebi, Sanjay Dharwadker, Marta Ienco, Stephanie de Labriolle, Julien Drouet, Dr. Adeel Malik, and Anna Metz.

The catalog was presented and discussed during two workshops (September 2017 and March 2018), which informed the content and design.
The following organizations participated in these workshops: Accenture; American National Standards Institute; Caribou Digital; Center for Global Development; DIAL; Digital Impact Alliance; Ernst & Young; European Commission; FIDO Alliance; Bill & Melinda Gates Foundation; Government Digital Service; GSMA; ID2020; ICAO; IOM; iSPIRIT; Mastercard; Mercy Corp; Microsoft; National Institute of Standards and Technology; Omidyar Network; One World Identity; Open Identity Exchange; Open Society Foundation; Plan International; PricewaterhouseCoopers; Secure Identity Alliance; Simprints; The World Economic Forum; United Nations Development Program; UNHCR; UNICEF; USAID; Vital Strategies; and WFP.

The catalog was updated in August of 2022.

1. INTRODUCTION

Trusted and inclusive identification (ID) systems are crucial for development, as enshrined in Sustainable Development Goal (SDG) Target 16.9, which mandates countries to provide “legal identity for all, including birth registration.” For individuals, proof of legal identity is necessary to access rights, entitlements, and services. Without it, they may face exclusion from political, economic, and social life. For governments, modern identification systems allow for more efficient and transparent administration and service delivery, a reduction in fraud and leakage related to benefits payments, increased security, accurate vital statistics for planning purposes, and greater capacity to respond to disasters and epidemics.

To realize these benefits, many countries are in the process of modernizing their existing identification systems or building new ones. In doing so, most have attempted to capitalize on the promise of new, digital identification technologies, including biometric identification, electronic credentials, such as smart cards and mobile IDs, and online authentication infrastructure.

These advancements, particularly when combined with related digital technologies, such as online and mobile payments systems, have the potential to improve people’s lives by making it easier and more secure to access services and transactions. At the same time, the deployment of digital technologies in identification poses several challenges, including with respect to data protection and privacy, ensuring the inclusion of the most vulnerable, and the financial and operational sustainability of different technology options.

Novel approaches, including decentralized and federated ID systems, are emerging rapidly along with new types of virtual and digital credentials. As people are looking to prove who they are in different settings, including online and across borders, and service providers look to more efficient and high-assurance verification mechanisms, the need for trusted and interoperable identification systems has also intensified. Adherence to technical standards – henceforth “standards” – is one of the core building blocks of optimizing a system’s operations and its ability to support service delivery.

Standards establish universally understood and consistent interchange protocols, testing regimes, quality measures, and best practices with regard to the capture, storage, transmission, and use of identity data, as well as the format and features of identity credentials and authentication protocols. Therefore, they are crucial at each stage of the identity lifecycle, including registration, identity proofing, credentialing, and authentication. The choice of standards has implications for a wide range of performance metrics and system capabilities, including the accuracy, quality, and consistency of data collection, the interoperability between ID subsystems, with other domestic systems, and across borders, the level of trust in identities and authentication protocols, system and information security, and vendor- and technology neutrality.
2. OBJECTIVE

Standards are critical for identification systems to be trusted, interoperable and sustainable. The objective of this report is to identify the existing international technical standards and frameworks applicable across the identity lifecycle for technical interoperability. This catalog of technical standards can serve as a reference for stakeholders across the identification ecosystem and support the selection of appropriate standards based on country context and objectives of the system. A decision tree of the technical standards, organized by technology area, is provided to help with the assessment and selection process. The application of the decision tree has been illustrated by country case studies of Estonia, India, Malawi, Pakistan and Peru. In addition, this catalog of existing standards, organized by category and subcategory, may also help to identify areas where standards are missing or where there are competing standards and a choice needs to be made.

3. SCOPE

Identification systems within and across countries may take a variety of forms, each with different applicable standards. This report focuses only on technical standards that relate to the design and implementation of identity ecosystems in a digital context. More specifically, the standards described in this catalog center around the software and physical hardware components, systems, and platforms, which enable machine-to-machine communication. The major standards that facilitate the technical quality and interoperability of the ID system relate to: (1) biometrics, (2) cards, (3) 2D barcodes, (4) digital signatures, and (5) federation protocols. In some cases, standards represent a clear consensus, and are used by a majority of ID systems globally. In other cases, there are competing standards that countries must adjudicate between. Different standards will also apply depending on the general design and goals of the ID system (e.g., whether the ID card will be used for international travel). For a more detailed discussion on standards and how they relate to different layers of an interoperability framework, see the ID4D Practitioner’s Guide.[1]

[1] https://id4d.worldbank.org/guide/standards; https://id4d.worldbank.org/guide/interoperability-frameworks.

4. THE IDENTITY LIFECYCLE

FIGURE 1 Identity Lifecycle

1. REGISTRATION: identity data is collected and proofed
- Identity claim: A person claims their identity by providing personal data and supporting documents or other evidence.
- Proofing:
  Validation: Determining the validity, authenticity, accuracy, and/or veracity of identity data and evidence.
  Deduplication: 1:N matching to ensure uniqueness (e.g., via biometric recognition or demographic deduplication).
  Verification: Confirmation that the person is the true owner of the identity.
- Identity registered and stored.

2. ISSUANCE: one or more credentials are issued
- Credentialing: Credentials and authentication factors are issued and bound to the person.

3. USE: identity is checked at the point of transaction
- Authentication: Tests of asserted credentials/factors to establish confidence that the person is who they claim to be.
- Verification: Verifying attributes (e.g., name, age, address, etc.) specific to the purpose of the transaction.
- Authorization: Assigning rights or privileges—to access a service, resource, information, etc.—as determined by the relying party (e.g., service provider).

4. MANAGEMENT: maintenance of identities and credentials
- Maintenance: Updating, revoking, reactivating, retiring, etc. identities and credentials.
- Grievance redressal: Responding to and correcting errors and other issues.
- Engagement: Communication and consultation with people and other users (i.e., relying parties).
Source: Practitioner's Guide https://documents1.worldbank.org/curated/en/248371559325561562/pdf/ID4D- Practitioner-s-Guide.pdf Globally, digital identity ecosystems are increasingly 4.1  Registration complex, and consist of a wide range of identity mod- els and actors with diverse responsibilities, interests, The lifecycle begins when an individual first registers and priorities. Understanding the processes and tech- their identity, which involves the identity claim and nology involved in identification is crucial for identi- the identity proofing process. fying the standards which are applicable in a given system. To that end, this section provides a general overview of the digital identity lifecycle (based on 4.1.1 Identity Claim Technology Landscape for Digital Identification report This process involves capturing and recording key 2018). This framework is then used to analyze rel- identity attributes from a person who claims a certain evant identification standards in Section 6. identity, such as biographic data (e.g., name, date of birth, gender, address, email), bio-metrics (e.g., Identities are created and used as part of a lifecycle fingerprints, face, iris scan). Which attributes and that includes four fundamental stages: (a) registra- supporting documentation or evidence are captured tion, including enrollment and validation, (b) issuance during this phase, the methods and standards used of documents or credentials, and (c) authentication to capture them, and the resulting data quality have and verification of identity attributes for service deliv- important implications for the inclusivity and trust- ery or transactions. 
Identity providers also engage in worthiness of the system and the credentials issued ongoing management of the system, including updat- as well as the speed of data collection, program cost, ing and revocation or termination of identities/creden- interoperability with other ID systems, and its utility tials, grievance redress, and public engagement (see for various stakeholders.. Figure 1). Updated August 2022 3 4.1.2 Identity Proofing The identity lifecycle requires technical standards at each stage and sub-stage, as discussed further in Once the person has claimed an identity, this data Section 6. they provide is then validated. This involves checking the validity, authenticity, and accuracy of the support- ing documents or evidence provided and confirming that the identity data is valid, current, and related to 4.5 Federation a real-life person. Federation is the ability of one organization to accept another organization’s identity credentials for authen- tication based on inter-organizational trust. The trust- 4.2 Issuance ing organization must be comfortable that the other identity provider has acceptable policies, and that After registration, the identity provider issues one or those policies are being followed. Federation proto- more credentials and/or authenticators—e.g., cards, cols and assurance and trust frameworks facilitate certificates, PINs, etc.—that can be used by a per- federation of digital identity between organizations. son alone or in combination to prove or “assert” the Federation protocols like SAML (Security Assertion identity that has just been created. For an ID to be Mark-up Language) and OpenID Connect are used considered digital, the credentials issued must store to convey the authentication result by the identity data electronically and/or be usable in a digital envi- provider to the trusting organization. 
For federation ronment (e.g., being machine readable and/or usable to be effectively used globally, agreement and map- on the internet).Types of such credentials include 2D ping with the ISO defined assurance framework and bar code cards, smart (chip) cards, and mobile IDs2. adoption of standards are critical. Federation can occur at multiple levels: 4.3 Authentication • A trusting organization can capture and send Once a person has been registered and credentialed, the credential to the issuing organization (i.e., they can then authenticate or “prove” their identity an identity provider) for verification, to authen- to access the associated benefits and services. The ticate an identity. After verification of the cre- authentication process can involve one or multiple dential, the issuing organization sends a yes/ factors—i.e., identity credentials and/or attributes. no confirmation and may, when warranted and For example, people may use their username and consented, send a set of claims giving informa- PIN to login to an e-government portal to pay their tion about the person, using federation proto- taxes, or use their card and photo or fingerprint to cols like SAML. prove their identity at a healthcare facility. • A trusting organization can accept credentials issued by another organization, but still authen- ticate and authorize the individual locally. For 4.4  Lifecycle Management example, a passport issued one country is accepted as a valid credential by a receiving Throughout the lifecycle, identity providers manage country (and could be validated, for example, identity data and credentials through a dynamic pro- through ICAO’s global Public Key Directory or cess. This includes updating and re-proofing identity PKD), but the receiving country’s immigration attributes that change over time—e.g., surname, office still authenticates the holder and requires address, facial image, etc.—as well as updating, a visa to authorize travel. 
renewing, revoking, or deactivating credentials. Iden- • A trusting organization can accept specific attri- tity providers also work to correct errors, address butes describing an individual from another grievances, and continuously engage with the public organization. For example, a bank can request and relying parties. 2 For more details on credential and authenticators, see: https://id4d.worldbank.org/guide/types-credentials-and-authenticators. 4 Updated August 2022 credit score from a credit bureau, rather than The identity lifecycle requires technical standards at maintaining its own registry of credit information. each stage and sub-stage, as discussed further in Section 6. Importantly, the type of attributes (biomet- • A trusting organization can accept an authori- zation decision from another organization (i.e., rics, biographic, and others) captured during enroll- mutual recognition). For example, a driver’s ment and the methodologies used to record them license authorizing a person to drive in one have important implications for the assurance and location may be accepted by another location. trust in the identity system as well as its utility and interoperability with other domestic and international identity systems. Updated August 2022 5 5. DIGITAL ID RELATED TECHNICAL STANDARDS 5.1  Why Are Standards Important? and country-specific (national) organizations. Each are described briefly below. In general, technical standards contain a set of specifications and procedures with respect to the • International Organizations. The follow- operation, maintenance, and reliability of materials, ing prominent international organizations are products, methods, and services used by individuals actively involved in setting relevant technical or organizations. 
Standards ensure the implemen- standards: the International Organization for tation of universally understood protocols neces- Standardization (ISO); the International Elec- sary for operation, performance, compatibility, and trotechnical Commission (IEC); ITU’s Telecom- interoperability, which are in turn necessary for prod- munication Standardization Sector (ITU-T); uct development and adoption. A lack of standards the International Civil Aviation Organization creates issues for the effective and sustainable (ICAO); International Labor Organization (ILO); implementation of identification systems, including and the European Committee for Standards with respect to interoperability, interconnectivity and (CEN), World Wide Web Consortium (W3C), vendor lock-in. Internet Engineering Task Force (IETF)/Inter- net Society. As digital systems and processes are replacing paper-based systems, the technologies, inter-device • National Organizations. In addition to interna- communication and security requirements underpin- tional organizations, country-specific organiza- ning identification systems have become more com- tions also develop technical standards based plex—increasing the importance of standards for on their needs and systems of measurement. identity management. However, choosing between Some important organizations include the standards is challenging due to rapid technologi- American National Standard Institute (ANSI); cal innovation and disruption, product diversifica- the U.S. National Institute of Standards and tion, changing interoperability and interconnectivity Technology (NIST); the U.S.-based Interna- requirements, and the need to continuously improve tional Committee for Information Technology the implementation of standards. Standards (INCITS), the U.S. Department of Homeland Security (DHS); the U.S. 
Depart- ment of Defense (DoD); Standards Australia (SA); the Swedish Standards Institute (SIS); 5.2 Standards-Setting Bodies the Swedish National Biometrics Association (SNBA); the German Institute of Standardiza- Standards are rigorously defined by organizations tion (DIN); Organization of the French Standard- that are created and tasked specifically for this pur- ization System (AFNOR); the Dutch Standards pose. In the case of ICT-related standards, these Organization (NEN); the Unique Identification organizations—with the help of experts—set up, Authority of India (UIDAI); the Bureau of Indian monitor, and continuously update technical stan- Standards (BIS); and the Pakistan Standards dards to address a range of issues, including but not Authority (PSA). limited to various protocols that help ensure product functionality and compatibility, as well as facilitate interoperability. These standards and related updates • Industry Consortia. Finally, industry consor- tia and some nonprofit organizations are also are regularly published for the general benefit of involved in either developing standards or pro- the public . According to the International Telecom- moting best practices to meet the needs of their munication Union’s (ITU) Technology Watch, sev- members. Prominent examples include: the eral organizations are actively developing technical U.S. government-sponsored consortium known standards for digital identification systems, includ- as the Biometric Consortium; Secure Identity ing international organizations such as the United Alliance (SIA), Center for Identification Tech- Nations’ specialized agencies, industry consortia, nology Research (CITeR); IEEE Biometrics 6 Updated August 2022 Council; Biometrics Institute, Australia; Smart For fingerprint image JPEG, JPEG2000 Card Alliance; International Biometrics and and WSQ standards are in use. Identification Association (IBIA); Kantara Initia- b. 
tive; Open Identity Exchange; Open Security Exchange; Asian Pacific Smart Card Association (APSCA); Organization for the Advancement of Structured Information Standards (OASIS); Fast IDentity Online (FIDO) Alliance; and the OpenID Foundation.

Among the major standard-setting bodies, this review has found that most prominent countries and industry consortia are connected to and collaborate with ISO (for example, through subcommittees and working groups (WG)) to modify or confirm standards for their requirements. Information on the ISO technical committees, subcommittees, and working groups involved with standards relevant to the digital identity lifecycle is placed in Appendix A.

5.3 Technical Standards

This section contains a compilation of technical standards identified as relevant for identification systems. Most of them relate to credentials and authentication factors. The technical standards are grouped in two tables. Table 1 lists standards which are required for interoperability and the second lists standards which address additional requirements such as security and quality. The standards are continuously revised by the standards organizations. The standards in the tables have hyperlinks to the website providing information about the standard. The ISO standards page provides information and a link to the newer version of the standard, if available.

Technical Standards for Interoperability

The major categories of standards listed below fall into the following areas (Figure 2).

1. Biometrics:
a. Image standard: Multiple competing standards are in use for capturing the facial image (PNG, JPEG and JPEG2000 in most systems, while the proprietary GIF/TIFF formats may be in use in a few).
b. Biometric data interchange format standards and biometric interface standards: Both of these standards are necessary to achieve full data interchange and interoperability for biometric recognition in an open systems environment. The biometric data interchange format standards specify biometric data interchange formats for different biometric modalities. Biometric data complying with a biometric data interchange format of ISO 19794 represents the core component of biometric interoperability. Parties that agree on a biometric data interchange format specified in ISO 19794 should be able to decode each other's biometric data. Biometric interface standards support exchange of biometric data within a system or among systems and include ISO 19785 Information technology — Common Biometric Exchange Formats Framework. ISO 19785 specifies the basic structure of a standardized Biometric Information Record (BIR), which includes the biometric data interchange record with added metadata such as when it was captured, its expiry date, whether it is encrypted, etc. A consumer of a BIR should read those header fields before using the payload: an expired record, or one whose header says it is encrypted or signed, must not be processed as plain biometric data.
2. Card/Smart Card: For countries that issue a card-based credential, standards such as ISO 7810 are relevant to ensure interoperability and interconnectivity. For contact cards, where the chip's contact plate is exposed on the card surface, the ISO/IEC 7816 standard is followed globally; for contactless cards, where the chip and antenna are embedded inside the card, the ISO/IEC 14443 standard is followed. For cards that can also be used as electronic travel documents—including electronic ID cards, passports, drivers' licenses, or any other machine-readable travel documents (MRTDs) used for crossing borders—compliance with ICAO 9303 should be followed.
3. Digital Signatures: Multiple non-competing standards are listed whose applicability depends on the approach taken by the specific system. The guidance note on the digital signature algorithm provides the pros and cons of the two digital signature algorithms, RSA (RFC 3447) and Curve25519-based Ed25519.
4. 2D bar code: The guidance note in the standards selection column provides the pros and cons of the two commonly used bar code standards, PDF417 and QR code, in ID systems.
5. Federation protocols: OpenID Connect and OAuth are being increasingly used for federation, while SAML was used extensively earlier.

FIGURE 2 Standards for Identification System: biometric standards, card standards, digital signature standards, bar code standards, and federation protocols.

The standards applicable to a specific ID system may be selected from all or some of the 5 categories. A decision tree to support easier selection of applicable standards based on the choice of technologies used as part of an identification system is diagrammatically presented in Figure 3.

1. Start at the top of the tree and traverse the tree along each branch further down as long as the technology or standard category mentioned at each node is relevant to the ID system.
2. The standards at the leaf level of the branch of the tree (Selection 4) are the applicable standards based on the selections made about the use of a particular technology or system feature (Selections 1, 2 and 3).
3. Some of the leaf nodes (Selection 4) feature competing standards. The guidance note in the table of standards provides further information about how to assess and select the appropriate one from the available competing standards.
4. A short description and weblink to the standard is available in the standards catalog table.
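The machine-readable travel document requirement in item 2 above is the one a verifier can check most cheaply: every field of an ICAO 9303 machine-readable zone (MRZ) carries a check digit computed with the 7-3-1 weighting, and a composite digit covers the data fields of line 2 together. The Go program below is an added example, not code from this catalog, from ICAO or from any country's system. It validates the second MRZ line of a TD3 (passport-size) document using the specimen MRZ values published in ICAO Doc 9303 and rejects a line with a single altered digit. The field positions and the filler allowed after an empty optional-data field follow ICAO 9303 Part 4; the struct and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// mrzValue maps an MRZ character to its ICAO 9303 check-digit value:
// digits keep their value, A..Z map to 10..35, the filler '<' counts as 0.
func mrzValue(c byte) (int, error) {
	switch {
	case c >= '0' && c <= '9':
		return int(c - '0'), nil
	case c >= 'A' && c <= 'Z':
		return int(c-'A') + 10, nil
	case c == '<':
		return 0, nil
	}
	return 0, fmt.Errorf("invalid MRZ character %q", c)
}

// CheckDigit applies the ICAO 9303 algorithm: weight the characters 7, 3, 1
// (repeating), sum the products and reduce modulo 10.
func CheckDigit(field string) (byte, error) {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(field); i++ {
		v, err := mrzValue(field[i])
		if err != nil {
			return 0, err
		}
		sum += v * weights[i%3]
	}
	return byte('0' + sum%10), nil
}

// TD3Line2 holds the fields of the second MRZ line of a passport-size document.
type TD3Line2 struct {
	DocumentNumber string
	Nationality    string
	BirthDate      string // YYMMDD
	Sex            byte
	ExpiryDate     string // YYMMDD
	OptionalData   string
}

// verifyField recomputes one field's check digit and compares it with the digit
// printed at checkPos. ICAO allows a filler instead of a digit after an empty
// optional-data field, which is the only exception accepted here.
func verifyField(line, name string, start, end, checkPos int) error {
	field, found := line[start:end], line[checkPos]
	if name == "optional data" && found == '<' && strings.Trim(field, "<") == "" {
		return nil
	}
	want, err := CheckDigit(field)
	if err != nil {
		return err
	}
	if want != found {
		return fmt.Errorf("%s check digit mismatch: computed %c, found %c", name, want, found)
	}
	return nil
}

// ParseTD3Line2 validates all five check digits of a 44-character TD3 line 2
// before returning its fields; a line failing any of them is rejected.
func ParseTD3Line2(line string) (TD3Line2, error) {
	if len(line) != 44 {
		return TD3Line2{}, errors.New("TD3 line 2 must be exactly 44 characters")
	}
	checks := []struct {
		name            string
		start, end, pos int
	}{
		{"document number", 0, 9, 9},
		{"date of birth", 13, 19, 19},
		{"date of expiry", 21, 27, 27},
		{"optional data", 28, 42, 42},
	}
	for _, c := range checks {
		if err := verifyField(line, c.name, c.start, c.end, c.pos); err != nil {
			return TD3Line2{}, err
		}
	}
	// The composite digit covers document number, birth date, expiry date and
	// optional data together with their own check digits (positions 1-10, 14-20, 22-43).
	want, err := CheckDigit(line[0:10] + line[13:20] + line[21:43])
	if err != nil {
		return TD3Line2{}, err
	}
	if want != line[43] {
		return TD3Line2{}, fmt.Errorf("composite check digit mismatch: computed %c, found %c", want, line[43])
	}
	return TD3Line2{
		DocumentNumber: strings.TrimRight(line[0:9], "<"),
		Nationality:    line[10:13],
		BirthDate:      line[13:19],
		Sex:            line[20],
		ExpiryDate:     line[21:27],
		OptionalData:   strings.TrimRight(line[28:42], "<"),
	}, nil
}

func main() {
	// Second MRZ line of the specimen passport published in ICAO Doc 9303.
	rec, err := ParseTD3Line2("L898902C36UTO7408122F1204159ZE184226B<<<<<10")
	fmt.Printf("%+v  err=%v\n", rec, err)
	// One altered digit in the date of birth is caught by that field's check digit.
	_, err = ParseTD3Line2("L898902C36UTO7408132F1204159ZE184226B<<<<<10")
	fmt.Println("tampered:", err)
}
```

Check digits catch OCR misreads and careless alterations, not forgery: whoever changes a field can recompute the digits. The integrity of the MRZ data must ultimately be confirmed against the signed data groups on the chip (ICAO 9303 passive authentication) or against an authoritative database.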
FIGURE 3 Standards decision tree (Selection 1 > Selection 2 > Selection 3 > Selection 4)

Biometrics
  Face
    Image standard: JPEG / JPEG2000 / PNG (see guidance note)
    Data interchange format standard: ISO 19794-5
    Biometric interface standard: ISO 19785 (CBEFF)
  Fingerprint
    Image standard: JPEG / JPEG2000 / PNG / WSQ (see guidance note)
    Image quality standard: NIST NFIQ v1, NIST NFIQ v2 (see guidance note)
    Data interchange format standard: ISO 19794-4 (fingerprint image), ISO 19794-2 (minutiae)
    Biometric interface standard: ISO 19785 (CBEFF)
  Iris
    Image standard: JPEG / JPEG2000 / PNG (see guidance note)
    Data interchange format standard: ISO 19794-6
    Biometric interface standard: ISO 19785 (CBEFF)
Cards
  Non smart card: ISO 7810
  Smart card, contact: ISO 7810 and ISO 7816
  Smart card, contactless: ISO 7810 and ISO 14443
  Machine readable format: ICAO 9303 (ISO 7501)
Digital signature
  Digital Signature Standard (generation, verification): FIPS 186-4
  Digital signature algorithm: RFC 3447 RSA / EC 25519 (Ed25519) (see guidance note)
  Secure Hash Standard (SHA-1, SHA-512/256 etc.): FIPS PUB 180-4
  Security standard for cryptographic modules: FIPS 140-2
  Public key certificate standard: ITU-T X.509 (ISO/IEC 9594-8)
  XML digital signature: W3C/ETSI XAdES
Bar code
  One dimensional: ISO/IEC 15417
  Two dimensional: PDF417 / QR code (see guidance note)
Federation
  OIDC + OAuth / SAML (see guidance note)

TABLE 1 Technical standards for interoperability

Columns: S. No | Area | Sub-area | Standard specification (common name) | Standard description | Standards body. The guidance note for standards selection follows each group of rows.

A.1 | Biometrics | Image standard | ISO/IEC 15444-1 (JPEG2000) | Image coding standard (both lossy and lossless compression) | ISO and IEC
A.2 | Biometrics | Image standard | ISO/IEC 15948 (PNG) | Information technology: computer graphics and image processing; Portable Network Graphics (PNG), lossless compression | ISO/IEC and W3C
A.3 | Biometrics | Image standard | ISO/IEC 10918:1994 (JPEG) | Image coding standard, lossy compression | ISO and IEC
A.4 | Biometrics | Image standard | WSQ | Compression algorithm used for gray-scale fingerprint images | NIST

Guidance note (A): PNG is a lossless image format which is not commonly used in identification systems. JPEG and JPEG2000 are used in most identification systems as the image standard for the photograph. India has used JPEG2000 as it is considered more open than the JPEG standard. The ICAO 9303 standard permits both JPEG and JPEG2000. JPEG2000 is recommended for EU passports because it results in smaller file sizes compared to JPEG-compressed images. Traditionally WSQ has been used as the fingerprint image format, and many identification systems use it. India's ID system uses JPEG2000 as the fingerprint and iris image standard. Most American law enforcement agencies use WSQ for efficient storage of compressed fingerprint images at 500 pixels per inch (ppi). For fingerprints recorded at 1000 ppi, law enforcement (including the FBI) uses JPEG 2000 instead of WSQ.

B.1 | Biometrics | Data interchange, face | ISO/IEC 19794-5:2011 (face image) | Biometric data interchange format for face images; specifies scene, photographic, digitization and format requirements for images of faces to be used in the context of both human verification and computer automated recognition | ISO and IEC
B.2 | Biometrics | Data interchange, fingerprint | ISO/IEC 19794-4:2011 (finger image) | Data record interchange format for storing, recording, and transmitting the information from one or more finger or palm image areas for exchange or comparison | ISO and IEC
B.3 | Biometrics | Data interchange, iris | ISO/IEC 19794-6:2011 (iris) | Iris image interchange formats for biometric enrollment, verification and identification systems | ISO and IEC
B.4 | Biometrics | Data interchange, minutiae | ISO/IEC 19794-2:2011 (minutiae) | Three data formats for representation of fingerprints using the fundamental notion of minutiae, for interchange and storage: (a) a record-based format, and (b) normal and (c) compact formats for use on a smart card in a match-on-card application | ISO and IEC
B.5 | Biometrics | Data interchange, signature | ISO/IEC 19794-7:2014 (signature) | Data interchange formats for signature/sign behavioral data captured in the form of a multi-dimensional time series using devices such as digitizing tablets or advanced pen systems | ISO and IEC
B.6 | Biometrics | Biometric interface standard | ISO/IEC 19785:2015 Common Biometric Exchange Formats Framework (CBEFF) | The biometric interface standards include ISO/IEC 19785 and ISO/IEC 19784 (BioAPI). These standards support exchange of biometric data within a system or among systems. ISO/IEC 19785 specifies the basic structure of a standardized Biometric Information Record (BIR), which includes the biometric data interchange record with added metadata such as when it was captured, its expiry date, whether it is encrypted, etc. | ISO and IEC
B.7 | Biometrics | Fingerprint image quality standard | NIST NFIQ v1, NIST NFIQ v2 (NFIQ 2 is included as part of ISO/IEC 29794-4) | NIST Fingerprint Image Quality (NFIQ) allows for the standardization needed to support a worldwide deployment of fingerprint sensors with universally interpretable image qualities | NIST

Guidance note (B): In anticipation of the need for additional data elements, and in order to avoid future compatibility issues, the ISO/IEC 39794 series is being formulated as the next version, providing biometric data interchange formats capable of being extended in a defined way. Its adoption would need to be monitored before being mandated, given the wide prevalence of the 19794 series. Another area to watch for standards is contactless biometric capture and its interchange data formats. NFIQ 2 is open source software that links the image quality of optical and ink 500 ppi fingerprints to operational recognition performance and serves as the reference implementation of ISO/IEC 29794-4. NFIQ 1 (the prior version) had a quality range from 1 to 5 with 1 being the best quality, whereas NFIQ 2 has a range from 0 to 100, with 0 an image of no value and 100 the highest quality.

C.1 | Card | | ISO/IEC 7810 | Identification cards: physical characteristics | ISO and IEC
C.2 | Smart card | | ISO/IEC 7816 | e-IDs/smart cards: contact card standards | ISO and IEC
C.3 | Smart card | | ISO/IEC 14443 | e-IDs/smart cards: contactless card standards | ISO and IEC
C.4 | Smart card | | ICAO 9303, adopted as ISO/IEC 7501 | Standard for machine readable travel documents | ICAO, ISO and IEC
C.5 | Smart card | | ISO/IEC 24727 | Set of programming interfaces for interactions between integrated circuit cards (ICCs) and external applications | ISO and IEC

D.1 | Bar code | 1D (one-dimensional) | ISO/IEC 15417:2012 | Automatic identification and data capture techniques: Code 128 bar code symbology specification | ISO and IEC
D.2 | Bar code | 2D | ISO/IEC 18004:2015 (Quick Response (QR) code) | QR code symbology characteristics, data character encoding methods, symbol formats, dimensional characteristics, error correction rules, reference decoding algorithm, production quality requirements, and user-selectable application parameters | ISO and IEC
D.3 | Bar code | 2D | ISO/IEC 15438:2015 (PDF417) | Requirements for the bar code symbology characteristics, data character encodation, symbol formats, dimensions, error correction rules, reference decoding algorithm, and many application parameters | ISO and IEC

Guidance note (D): 1D codes represent data horizontally as a pattern of black bars and white spaces. They are suitable for short numbers, but beyond 25-30 characters they become very long; Code 128 can encode ASCII text, but text and URLs quickly become impractical. 2D bar codes can store over a thousand characters, including URLs and images. PDF417 is a stacked bar code that can be read with a simple linear scan swept over the symbol. It houses built-in error correction within its high-resolution linear rows, so defacement of these bar codes is not a large issue. It is displayed as a sleek rectangular shape and hence is popular on ID cards. It requires a much higher resolution when printed or displayed on a device. A QR code contains large squares and takes up more room than the small, rectangular PDF417; however, QR code has 3-4 times more capacity than PDF417. It is also very straightforward to create QR codes in comparison to PDF417 bar codes. With QR codes resolution is important, but not to the extent of PDF417, as they are read with image sensors rather than linear scans. Simple mobile applications can easily scan QR codes, whereas scanning PDF417 has traditionally needed dedicated equipment. India embeds encrypted and digitally signed data in a QR code that is used for offline authentication. Some of the East African Community countries use the PDF417 standard for the bar code on their ID cards. Whichever symbology is chosen, the bar code is only a transport: a symbol can be reproduced by anyone with a printer, so data read from it should be authenticated (its signature verified against the issuer's key) before it is trusted.

E.1 | Digital signatures/cryptography | Digital Signature Standard | FIPS 186-4 (DSS) | Defines methods for digital signature generation that can be used for the protection of binary data (commonly called a message), and for the verification and validation of those digital signatures | NIST
E.2 | Digital signatures/cryptography | Digital signature algorithm | RFC 3447 RSA (PKCS #1) | The use of the RSA algorithm for digital signature generation and verification (RFC 3447 has since been obsoleted by RFC 8017, PKCS #1 v2.2) | IETF/Internet Society
E.3 | Digital signatures/cryptography | Digital signature algorithm | Curve25519 (RFC 7748) / Ed25519 (RFC 8032) | The Ed25519 digital signature algorithm and its variants; RFC 7748 defines the curve and RFC 8032 the EdDSA signature scheme built on it | IETF
E.4 | Digital signatures/cryptography | Secure Hash Standard | SHS (FIPS PUB 180-4) | Specifies the secure hash algorithms SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 | NIST
E.5 | Digital signatures/cryptography | Security | FIPS 140-2 | Security requirements for cryptographic modules | NIST
E.6 | Digital signatures/cryptography | Public key infrastructure | ITU-T X.509 (ISO/IEC 9594-8) | The public-key certificate framework defined in this Recommendation / International Standard specifies the information objects and data types for a public-key infrastructure (PKI), including public-key certificates, certificate revocation lists (CRLs), trust broker and authorization and validation lists (AVLs) | ITU-T, ISO and IEC
E.7 | Digital signatures/cryptography | XML Advanced Electronic Signatures | XAdES | While XML-DSig is a general framework for digitally signing documents, XAdES specifies precise profiles of XML-DSig making it compliant with the European eIDAS regulation | W3C/ETSI

Guidance note (E): The Curve25519-based Ed25519 algorithm has a smaller key size of 256 bits versus 2048 bits for RSA, and a 64-byte signature versus 256 bytes for RSA-2048. FIPS 186-5 (a draft at the time of this update, finalized in February 2023) adds EdDSA with the same 256-bit key size. Ed25519 is seeing increasing adoption, especially for secure QR codes which need to be compact, but is not yet as widely supported as RSA. SHA-1 appears in FIPS 180-4 for completeness only: NIST SP 800-131A disallows it for digital signature generation, so new signatures should use SHA-2 (or SHA-3, FIPS 202). FIPS 140-2 has been superseded by FIPS 140-3, and new module validations against FIPS 140-2 have not been accepted since September 2021; procurement specifications should cite FIPS 140-3.

F.1 | Federation | Protocol | SAML v2 (2005) | Security Assertion Markup Language (SAML) defines an XML-based framework for communicating security and identity (e.g., authentication, entitlements, and attribute) information between computing entities. SAML promotes interoperability between disparate security systems, providing the framework for secure e-business transactions across company boundaries. | OASIS
F.2 | Federation | Protocol | RFC 6749 (OAuth 2.0) | OAuth 2.0 is the industry-standard protocol for authorization, providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices | IETF
F.3 | Federation | Protocol | OpenID Connect | OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and Web Services-like manner. | The OpenID Foundation

Guidance note (F): SAML was designed only for web-based applications, whereas OpenID Connect was designed to also support native and mobile applications in addition to web applications. OpenID Connect is newer and built on the OAuth 2.0 flows. It is tried and tested and typically used in consumer websites, web apps and mobile apps; Mobile Connect and Microsoft's identity management solutions use these protocols. SAML is its older cousin and is typically used in enterprise settings, e.g., allowing single sign-on to multiple applications within an enterprise using the organization's Active Directory login. The eIDAS interoperability framework is based on SAML. OpenID Connect is gaining popularity for new implementations as it can support both native apps and mobile apps in addition to web-based applications. Note that OAuth 2.0 on its own is an authorization protocol: an access token proves delegated permission, not who the user is, which is why OpenID Connect adds the signed ID token for authentication.
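Rows F.1 to F.3 say what the federation protocols are for; what decides security in practice is the validation the relying party performs on the assertion it receives, the same requirement the FAL column of Figure 4 in section 5.4 states as "the identity provider must sign the assertion". The Go program below is an added example, not code from this catalog, from the OpenID Foundation or from any country's system. It mints an ES256-signed OpenID Connect ID token as a hypothetical identity provider would, then validates it as a relying party must: algorithm, signature, issuer, audience, expiry and nonce. The issuer URL, client identifier and nonce are constructed values; a real client fetches the provider's keys from its JWKS endpoint, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IDTokenClaims are the OpenID Connect ID Token claims a relying party must validate.
// aud is modelled as a single string here; OIDC also allows a JSON array of audiences.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding

// NewProviderKey generates the P-256 key of the hypothetical identity provider.
func NewProviderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MintIDToken plays the identity provider: it signs header.payload with ES256
// (ECDSA P-256 over SHA-256), carrying the signature as raw r||s as RFC 7518 requires.
func MintIDToken(priv *ecdsa.PrivateKey, claims IDTokenClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken plays the relying party. A valid signature alone is not enough: the alg
// must be the one the provider is known to use (so "none" or an HMAC substitution is
// rejected), and iss, aud, exp and nonce must match what this client expects
// (OpenID Connect Core 1.0, section 3.1.3.7).
func VerifyIDToken(token string, pub *ecdsa.PublicKey, wantIss, wantAud, wantNonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the trusted provider", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued for audience %q, not this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != wantNonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

func main() {
	priv, err := NewProviderKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := MintIDToken(priv, IDTokenClaims{Iss: "https://idp.example", Sub: "resident-42",
		Aud: "portal-client", Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n-0S6_WzA2Mj"})
	_, err = VerifyIDToken(tok, &priv.PublicKey, "https://idp.example", "portal-client", "n-0S6_WzA2Mj", now)
	fmt.Println("genuine token:", err)
	_, err = VerifyIDToken(tok, &priv.PublicKey, "https://idp.example", "other-client", "n-0S6_WzA2Mj", now)
	fmt.Println("replayed at another client:", err)
}
```

Checking only the signature is the classic mistake: a token minted for a different client, or an expired one replayed later, carries a perfectly valid signature. Pinning the algorithm to the one the provider is known to use closes the "alg: none" and key-confusion class of JWT attacks.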
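The guidance notes for the 2D bar codes (D) and the signature algorithms (E) make a joint point: a bar code used for offline authentication carries a signed record, so the signature competes with the demographic data for the symbol's capacity, and an Ed25519 signature is a quarter the size of an RSA-2048 one. The Go program below is an added example, not the catalog's code and not any country's QR format. It frames a constructed demographic payload with either an Ed25519 (RFC 8032) or an RSA PKCS#1 v1.5 (RFC 3447) signature, verifies it the way an offline verifier app with a pinned issuer key would, and reports whether the record fits the byte-mode capacity of a QR code or a PDF417 symbol. The wire framing, the field names and the key-handling helper are this example's assumptions; the capacity constants are the published maxima for a version-40 QR code at error-correction level L and for a PDF417 symbol.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	// Published maximum byte-mode capacities of the two 2D symbologies in Table 1:
	// a version-40 QR code at error-correction level L (ISO/IEC 18004) and a
	// PDF417 symbol (ISO/IEC 15438). The whole record, signature included, must fit.
	QRMaxBytes     = 2953
	PDF417MaxBytes = 1108
	// Algorithm ids of the framing assumed by this example (not any national format):
	// alg (1 byte) | payload length (2 bytes, big-endian) | payload | signature.
	AlgEd25519 byte = 1
	AlgRSA2048 byte = 2
)

// OfflineCredential is the constructed demographic payload; its fields are illustrative.
type OfflineCredential struct {
	RefID       string `json:"ref"`
	Name        string `json:"name"`
	YearOfBirth int    `json:"yob"`
	PhotoSHA256 string `json:"photo"` // digest of the photo printed beside the code, binding it to the record
}

// IssuerKeys are the issuer's signing keys (in production they would live in an HSM).
type IssuerKeys struct {
	EdPub  ed25519.PublicKey
	EdPriv ed25519.PrivateKey
	RSA    *rsa.PrivateKey
}

func GenerateIssuerKeys() (*IssuerKeys, error) {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IssuerKeys{EdPub: edPub, EdPriv: edPriv, RSA: rsaKey}, nil
}

// IssueRecord signs the JSON-encoded credential and returns the framed bytes to encode
// into the symbol. Ed25519 (RFC 8032) yields a 64-byte signature; RSA PKCS#1 v1.5 over
// SHA-256 (RFC 3447) yields one as long as the modulus, 256 bytes for a 2048-bit key.
func IssueRecord(c OfflineCredential, alg byte, keys *IssuerKeys) ([]byte, error) {
	payload, err := json.Marshal(c)
	if err != nil || len(payload) > 0xFFFF {
		return nil, errors.New("payload not encodable into the 16-bit length frame")
	}
	var sig []byte
	switch alg {
	case AlgEd25519:
		sig = ed25519.Sign(keys.EdPriv, payload)
	case AlgRSA2048:
		d := sha256.Sum256(payload)
		if sig, err = rsa.SignPKCS1v15(rand.Reader, keys.RSA, crypto.SHA256, d[:]); err != nil {
			return nil, err
		}
	default:
		return nil, fmt.Errorf("unknown algorithm id %d", alg)
	}
	out := make([]byte, 3, 3+len(payload)+len(sig))
	out[0] = alg
	binary.BigEndian.PutUint16(out[1:3], uint16(len(payload)))
	return append(append(out, payload...), sig...), nil
}

// VerifyRecord is what an offline verifier does with the issuer's public keys pinned in
// the app: parse the framing, verify the signature over the exact payload bytes, and only
// then decode the payload. Anything that fails is rejected outright.
func VerifyRecord(rec []byte, edPub ed25519.PublicKey, rsaPub *rsa.PublicKey) (OfflineCredential, error) {
	var c OfflineCredential
	if len(rec) < 3 {
		return c, errors.New("record too short")
	}
	n := int(binary.BigEndian.Uint16(rec[1:3]))
	if len(rec) < 3+n {
		return c, errors.New("truncated payload")
	}
	payload, sig := rec[3:3+n], rec[3+n:]
	ok := false
	switch rec[0] {
	case AlgEd25519:
		ok = len(edPub) == ed25519.PublicKeySize && len(sig) == ed25519.SignatureSize &&
			ed25519.Verify(edPub, payload, sig)
	case AlgRSA2048:
		d := sha256.Sum256(payload)
		ok = rsaPub != nil && rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, d[:], sig) == nil
	default:
		return c, fmt.Errorf("unknown algorithm id %d", rec[0])
	}
	if !ok {
		return c, errors.New("signature invalid: record rejected")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return OfflineCredential{}, err
	}
	return c, nil
}

// FitsQR and FitsPDF417 report whether a framed record fits the symbology's capacity.
func FitsQR(rec []byte) bool     { return len(rec) <= QRMaxBytes }
func FitsPDF417(rec []byte) bool { return len(rec) <= PDF417MaxBytes }

func main() {
	keys, err := GenerateIssuerKeys()
	if err != nil {
		panic(err)
	}
	cred := OfflineCredential{RefID: "1234-2022", Name: "ANNA MARIA ERIKSSON", YearOfBirth: 1974,
		PhotoSHA256: fmt.Sprintf("%x", sha256.Sum256([]byte("constructed photo bytes")))}
	edRec, _ := IssueRecord(cred, AlgEd25519, keys)
	rsaRec, _ := IssueRecord(cred, AlgRSA2048, keys)
	fmt.Printf("Ed25519 record %d bytes, RSA-2048 record %d bytes\n", len(edRec), len(rsaRec))
	edRec[13] ^= 0x01 // flip one bit inside the payload
	_, err = VerifyRecord(edRec, keys.EdPub, &keys.RSA.PublicKey)
	fmt.Println("tampered record:", err)
}
```

A valid signature proves the record came from the issuer and is unaltered; it does not prove that the person presenting the card is its subject, which is why the record binds a digest of the photo printed beside the code. The verifier must also be able to say how it obtained the issuer's public key: a key downloaded over the same untrusted channel as the record makes the check worthless.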
Technical Standards for Robust Identity Systems

Table 2 lists standards that provide guidelines on quality-, testing-, privacy- and accessibility-related aspects of identification systems. These can also serve as the basis of relevant operational documents and guidelines. For instance, India's Ministry of Electronics and Information Technology has drafted the "Security Guidelines for use of Biometric Technology in e-Governance Projects" based on the guidelines in the standards ISO 24745, ISO 19792, ISO 24714 and ISO 24760.

Biometric sample quality standards are important to ensure that the biometric data collected is usable for automated recognition. Poor sample quality may cause failure to enroll and/or degrade the overall matching performance. The relevant international standards for biometric sample quality include ISO/IEC 29794-4:2017 (finger image data), ISO/IEC TR 29794-5:2010 (face image data) and ISO/IEC 29794-6:2015 (iris image data). NIST has also published NIST Fingerprint Image Quality (NFIQ) reports and corresponding SDKs which are used globally.

The purpose of the BioAPI (ISO 19784) specification is to define an architecture and all necessary interfaces to allow biometric applications to be integrated from modules provided by different vendors. However, these have not been adopted in any known country implementation so far, but may find traction in due course once the challenges are addressed.

TABLE 2 Technical standards for robust identity systems

Columns: S. No | Area | Standard No | Standard description

1 | Biometrics | ISO/IEC 29794 series | Biometric sample quality (matching performance)
2 | Biometrics | ISO/IEC 29109 series | Testing methodology for biometric data interchange
3 | Biometrics | ISO/IEC 24745 | Security techniques: biometric information protection
4 | Biometrics | ISO/IEC 24761 | Authentication context for biometrics
5 | Biometrics | NIST MINEX | Minutiae Interoperability Exchange Test (MINEX) is a NIST program for interoperability testing of minutia template generators and extractors for the United States Government's Personal Identity Verification (PIV) program
6 | Biometrics | ISO/IEC 19784-1:2018 | BioAPI specification
7 | Biometrics | ISO/IEC 24709-1:2017 | Conformance testing for the biometric application programming interface (BioAPI, ISO 19784)
8 | Biometrics | ISO/IEC 24708:2008 | Specifies the syntax, semantics, and encodings of a set of messages (BIP messages) that enable a BioAPI-conforming application to request biometric operations in BioAPI-conforming biometric service providers (BSPs)
9 | Biometrics | ISO/IEC 29164:2011 | Embedded BioAPI: a standard interface to hardware biometric modules designed to be integrated in embedded systems, which can be constrained in memory and computational power
10 | Biometrics | ISO/IEC 29141:2009 | Specifies requirements for the use of ISO/IEC 19784-1 (BioAPI) for the purpose of performing a tenprint capture operation
11 | Biometrics | ISO/IEC 29197:2015 | Evaluation methodology for environmental influence in biometric system performance
12 | Biometrics | ISO/IEC 19795 series (ISO/IEC 19795-1:2021; ISO/IEC 19795-9:2019; ISO/IEC 19795-10) | Multipart standard concerned with "technical performance testing" of biometric systems. Part 1: Principles and framework; Part 2: Testing methodologies for technology and scenario evaluation; Part 3: Modality-specific testing (Technical Report); Part 4: Interoperability performance testing; Part 5: Access control scenario and grading scheme; Part 6: Testing methodologies for operational evaluation; Part 7: Testing of on-card biometric comparison algorithms; Part 8: Methodology and tools for the validation of biometric methods for forensic evaluation and identification application; Part 9: Guidance for testing and reporting methods for biometric systems embedded in mobile devices; Part 10: Quantifying biometric system performance variation across demographic groups
13 | Biometrics | ISO/IEC 30107-1:2016, 30107-2:2017, 30107-3:2017, 30107-4:2020 | Biometric Presentation Attack Detection (PAD). Part 1 describes attacks that take place at the sensor during the presentation and collection of biometric characteristics; Part 2 defines data formats for conveying the mechanism used in biometric PAD and for conveying the results of PAD methods; Part 3 gives principles and methods for performance assessment of PAD mechanisms and classification of attack types; Part 4 provides requirements for testing biometric PAD mechanisms on mobile devices with local biometric recognition
14 | Biometrics | ISO/IEC 20027:2018 | Guidelines for slap tenprint fingerprint capture
15 | Biometrics | ISO/IEC 21472:2021 | Scenario evaluation methodology for user interaction influence in biometric system performance
16 | Biometrics | ISO/IEC 22116:2021 | A study of the differential impact of demographic factors in biometric recognition system performance
17 | Biometrics | ISO/IEC 24713-1:2008 | Biometric profiles for interoperability and data interchange, Part 1: Overview of biometric systems and biometric profiles; provides common definitions used within the profile standards
18 | Biometrics | ISO/IEC 24741:2018 | Biometrics: overview and application
19 | Biometrics | ISO/IEC 24779 series | Cross-jurisdictional and societal aspects of implementation of biometric technologies: pictograms, icons and symbols for use with biometric systems. Part 1: General principles; Part 4: Fingerprint applications; Part 5: Face applications
20 | Biometrics | ISO/IEC TR 29156:2015 | Guidance for specifying performance requirements to meet security and usability needs in applications using biometrics
21 | Biometrics | ISO/IEC 30136:2018 | Performance testing of biometric template protection schemes; supports evaluation of the accuracy, secrecy, and privacy of biometric template protection schemes and establishes definitions, terminology, and metrics for stating their performance
22 | Biometrics | ISO/IEC TR 29194:2015 | Guide on designing accessible and inclusive biometric systems
23 | Biometrics | ISO/IEC TR 29196:2015 | Guidance for biometric enrolment
24 | Biometrics | ISO/IEC TR 30125:2016 | Biometrics used with mobile devices
25 | Biometrics | ISO 19792:2015 | Security techniques: security evaluation of biometrics
26 | Biometrics | ISO 24714:2015 | Biometrics: jurisdictional and societal considerations for commercial applications, Part 1: General guidance
27 | Biometrics | FIDO Biometric Component certification policy (October 2020) | Certification standard: provides implementation requirements for vendors and test procedures for evaluating the biometric component of a FIDO Authenticator
28 | Biometrics | Android Compatibility Definition Document (CDD), October 2021, Android 12 | Certification standard for the testing of biometric systems that enumerates the requirements to be compatible with the latest version of Android
29 | General | NIST SP 800-63-3 (June 2017), with SP 800-63A, SP 800-63B and SP 800-63C | Define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions. The next version, NIST SP 800-63-4, is under review
30 | Privacy | ISO/IEC 29100 | Privacy framework
31 | Privacy | ISO/IEC 27018 | Code of practice for PII protection in public clouds acting as PII processors
32 | Privacy | ISO/IEC 29190 | Privacy capability assessment model
33 | Privacy | ISO/IEC 29184 | Guidelines for online privacy notice and consent
34 | Management | ISO/IEC 24760 series | Framework for management of identity information

Assurance and authentication frameworks

Columns: Standard name | Standard description | Standard body | Comments

ISO/IEC 29115 | Entity Authentication Assurance Framework | ISO and IEC | Sets out four levels of assurance for scalable identity management and authentication services
FIDO UAF | Universal Authentication Framework | FIDO Alliance | Passwordless authentication experience
eIDAS | Electronic identification and trust services regulation | European Union | Regulation for identification and trust services for the European Union; framework for interoperability of EU identity systems

5.4 Levels of Assurance

A "level of (identity) assurance" is the certainty with which a claim to a particular identity made by some person or entity can be trusted to actually be the claimant's "true" identity. Higher levels of assurance reduce the risk of a fraudulent identity and increase the security of transactions. Assurance levels depend on the strength of the identity proofing process and the types of credentials and authentication mechanisms used during a transaction (Figure 4). For identity proofing, the level of assurance depends on the method of identification (e.g., in-person vs. remote), the attributes collected, and the degree of certainty with which those attributes are verified (e.g., through cross-checks and deduplication). For authentication, the level of assurance depends on the type of credential(s), the number of authentication factors used (i.e., one vs. multiple), and the cryptographic strength of the transaction.

Both eIDAS and ISO/IEC 29115 classify levels of assurance based on these processes and technologies. This framework covers the registration, credentialing, and authentication phases and provides guidance for technical as well as organizational and management aspects. (The IAL/AAL/FAL terminology used in Figure 4 is that of NIST SP 800-63-3, listed in Table 2.) The LOAs selected depend on the use case; some sectors and types of transactions will require higher levels of assurance than others. For example, changing an address may rely on a lower level of assurance than changing a password. Financial and health services often require a higher level of assurance than others due to the sensitivity of the data that is collected and maintained in those systems. Ideally, the ID system's authentication architecture will be able to provide multiple levels of assurance appropriate to different use cases (see Figure 4 for examples).

FIGURE 4 Example levels of assurance (reproduced from Table 35 of the ID4D Practitioner's Guide, October 2019)

Columns: Assurance dimension | Low (level 1) | Substantial (level 2) | High (level 3)

Identity assurance level (IAL) | Self-asserted identity (e.g., email account creation on the web); no collection, validation or verification of evidence | Remote or in-person identity proofing (e.g., provide a credential document for physical or backend verification with an authoritative source); address verification required; biometric collection optional | In-person (or supervised remote) identity proofing; collection of biometrics and address verification mandatory
Authentication assurance level (AAL) | At least 1 authentication factor: something you have, know, or are (e.g., password or PIN) | At least 2 authentication factors (e.g., a token with a password or PIN) | At least two different categories of authentication factors, and protection against duplication and tampering by attackers with high attack potential (e.g., cryptographic key material embedded in a tamper-resistant hardware token + PIN, or biometrics with liveness detection + PIN/smart card)
Federation assurance level (FAL) | Permits the relying party to receive a bearer assertion from an identity provider; the identity provider must sign the assertion using approved cryptography | FAL1 + encryption of the assertion using approved cryptography | FAL2 + the user must present proof of possession of a cryptographic key referenced in the assertion
Level of risk taken by the relying party | not legible in the source | low | minimal

Source: ID4D Practitioner's Guide, https://documents1.worldbank.org/curated/en/248371559325561562/pdf/ID4D-Practitioner-s-Guide.pdf

The selection of LOAs—and the identity proofing processes, types of credentials, and authentication mechanisms that enable them—should be based on a number of factors, including:
• The likelihood of a failure, breach, or unauthorized release of sensitive information
• The risk to individuals, institutions, programs and the public interest if a failure or breach occurs, i.e., based on the level of sensitivity of the service/information and the expected level of harm
• The convenience and inclusivity of the identity proofing and authentication processes, as higher LOAs could increase the likelihood of exclusion errors

LOAs are particularly important for federation and mutual recognition across borders, where an ID system must meet a particular level of assurance in order to qualify for recognition for a given purpose.

6. COUNTRY USE CASES

Depending on the country-specific environment, which standards should be adopted? The answer depends on the objectives, scope, and proposed use for the identification system. Examples from Estonia, India, Malawi, Pakistan and Peru are presented below to illustrate the choice of relevant standards by the respective authorities to meet their requirements. These choices depend on a number of factors, including the existing regulatory frameworks within a country.

Example 1: ID-Kaart in Estonia—Smart Card and Mobile ID

Estonia has a highly developed digital identification system and is one of the most advanced countries in the world when it comes to digital public services. It has issued 1.5 million smart ID-Kaarts, and boasts over 600,000 users of its Smart-ID solution as well as 225,000 Mobile-ID users.
These credentials allow their holders to access over 1,000 public services, such as health care, online tax filing, and online voting. Key iden- tifying data such as name, date of birth, unique ID number and digital certificates are stored in the smart card chip or a special mobile SIM card for authentication and digital signing of documents. The access to each of these digital certificates keys is protected by a secret PIN which only the user knows. The ID-Kaart has advanced electronic functions that facilitate secure authentication and legally binding digital signatures that may be used for nationwide online services. The e-ID infrastructure is scalable, flexible, interoperable, and standards-based. All certifi- cates issued in association with the ID card scheme are qualified certificates conforming with European Directive 1999/93/ EC on the use of electronic signatures in electronic contracts within the European Union (EU). The card complies with the ICAO 9303 travel document standard. Two one dimensional bar codes, based on ISO 15417 standard, are used to encode personal ID number and the document identification number. The ID-Kaart serves as a trusted credential for accessing public services. To sign a document digitally, a communication model using standardized workflows in the form of a common document format (DigiDoc) has been employed. DigiDoc is based on XML Advanced Electronic Signatures Standard (XAdes), which is a profile of that standard. XAdes defines a format that enables structurally storing data signatures and security attributes associated with digital signatures and hence caters for common understand- ing and interoperability. 
Source: e-Estonia.com and the paper 'The Estonian ID Card and Digital Signature Concept', version 20030307.

ESTONIA: standards (selections 1 to 4 as listed in the catalog)
Biometrics
  Face: image standard JPEG; data interchange format ISO/IEC 19794-5; biometric interface ISO/IEC 19785 (CBEFF)
  Fingerprint: image standard WSQ; data interchange format ISO/IEC 19794-4; biometric interface ISO/IEC 19785 (CBEFF)
  Iris: image standard JPEG/JPEG2000/PNG (see guidance note); data interchange format ISO/IEC 19794-6; biometric interface ISO/IEC 19785 (CBEFF)
Cards
  Non-smart card: ISO/IEC 7810
  Smart card, contact: ISO/IEC 7810 and ISO/IEC 7816
  Smart card, contactless: ISO/IEC 7810 and ISO/IEC 14443
  Machine-readable format: ICAO 9303 (ISO/IEC 7501)
Digital signature
  Generation and verification: FIPS 186-4 (Digital Signature Standard); RFC 3447 (RSA, PKCS #1)
  Secure hash: FIPS PUB 180-4 (SHA-1, SHA-512/256, etc.)
  Cryptographic modules: FIPS 140-2
  Public key certificate: ITU-T X.509 | ISO/IEC 9594-8
  XML digital signature: W3C/ETSI XAdES
Bar code
  One-dimensional: ISO/IEC 15417
  Two-dimensional: PDF417 / QR code (see guidance note)
Federation
  Not applicable / not adopted; SAML

Updated August 2022

Example 2: Aadhaar Identity System of India—Biometric Based Standards

The Unique Identification Authority of India (UIDAI) has issued a unique ID number, known as Aadhaar, to more than 1.3 billion residents. The photograph, fingerprints and irises, along with a minimal set of biographic data, are captured from each resident before an Aadhaar number is issued. It is the world's largest population register underpinned by a multimodal biometric database, with nearly the entire population having a digitally recorded and verifiable identity.

UIDAI set up a Biometric Standards Committee in 2009 to provide direction on biometric standards, suggest best practices, and recommend biometric procedures for the system. The committee recommended the ISO/IEC 19794 series (parts 1, 2, 4, 5 and 6) and ISO/IEC 19785 (CBEFF) as the biometric data interchange formats and the common biometric exchange framework, to ensure interoperability. ISO/IEC 15444 (all parts), the JPEG 2000 image coding system, was selected for face, fingerprint and iris images. Additionally, UIDAI uses open source software as a matter of principle, an approach that has also been used successfully in the United States and Europe. UIDAI has drafted "Security Guidelines for use of Biometric Technology in e-Governance Projects", based on the guidance in ISO/IEC 24745, ISO/IEC 19792, ISO/IEC 24714 and ISO/IEC 24760. Data standards for the identity attributes captured during registration and subsequently used for demographic authentication have also been established by a demographic standards committee. The Aadhaar system also makes extensive use of PKI and hardware security modules (HSMs) to encrypt data in transit and at rest and to protect access to the API.

The Aadhaar system does not rely on a physical ID card as the primary means of authentication. The Aadhaar number combined with biometric authentication (1:1 matching against the enrolled data) or with a one-time password (OTP) can be used to verify a person's identity in a wide variety of settings. In addition, the mAadhaar mobile app allows electronic storage of the demographic data, the Aadhaar number and the photograph, along with a QR code. A laminated paper credential (the 'Aadhaar letter') is also sent to residents with demographic data, photo and a QR code containing encrypted and digitally signed data. Since 2020, holders can also request an Aadhaar PVC card, which includes the same demographic details and an encrypted QR code. The QR code from these physical credentials and from the mAadhaar app is used in some scenarios for offline authentication with the help of a custom application, i.e., the issuer's signature on the QR data is checked without contacting the central system. Aadhaar authentication can be performed in one or more of the following modes, each returning only a yes/no response:
• Demographic authentication
• Biometric authentication
• Mobile-based one-time PIN (OTP) authentication
• Multifactor authentication, a combination of two or three of the factors listed above

Source: UIDAI website and Biometrics Standards Committee Recommendations, 2009.

INDIA: standards (selections 1 to 4 as listed in the catalog)
Biometrics
  Face: image standard JPEG2000; data interchange format ISO/IEC 19794-5; biometric interface ISO/IEC 19785 (CBEFF)
  Fingerprint: image standard JPEG2000; data interchange format ISO/IEC 19794-4 and ISO/IEC 19794-2; biometric interface ISO/IEC 19785 (CBEFF)
  Iris: image standard JPEG2000; data interchange format ISO/IEC 19794-6; biometric interface ISO/IEC 19785 (CBEFF)
Cards
  Non-smart card: ISO/IEC 7810
  Smart card, contact: ISO/IEC 7810 and ISO/IEC 7816
  Smart card, contactless: ISO/IEC 7810 and ISO/IEC 14443
  Machine-readable format: ICAO 9303 (ISO/IEC 7501)
Digital signature
  Generation and verification: FIPS 186-4 (Digital Signature Standard); RFC 3447 (RSA, PKCS #1)
  Secure hash: FIPS PUB 180-4 (SHA-2)
  Cryptographic modules: FIPS 140-2
  Public key certificate: ITU-T X.509
  XML digital signature: W3C/ETSI XAdES
Bar code
  One-dimensional: ISO/IEC 15417
  Two-dimensional: QR code
Federation
  Not applicable / not adopted; OIDC + OAuth / SAML (see guidance note)
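The offline QR-code verification described above depends on one thing: a verifier that holds a pinned copy of the issuer's public key and refuses the record unless the issuer's signature over it checks out. The Go program below is an added example, not UIDAI's code or format: it signs a constructed demographic record with RSASSA-PKCS1-v1_5 over SHA-256 (the RFC 3447 and FIPS 180-4 combination listed in the table), packs record and signature into the text a QR code would carry, verifies it with the pinned key, and shows a tampered date of birth being rejected. The field names, the JSON layout and the base64 wrapping are assumptions; the real Aadhaar QR layout and its encryption are not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the demographic subset an offline verifier needs. Field names are assumptions for
// this example; a reference ID is carried instead of the full identity number.
type Record struct {
	ReferenceID string `json:"ref"`
	Name        string `json:"name"`
	DOB         string `json:"dob"`
	Gender      string `json:"gender"`
	PhotoSHA256 string `json:"photo_sha256"`
}

// Payload is what the 2D bar code carries: the exact record bytes that were signed, plus the signature.
type Payload struct {
	Record    []byte `json:"record"`
	Signature []byte `json:"sig"`
}

// NewIssuerKey generates the issuer's RSA-2048 signing key (in production the private half lives in an HSM).
func NewIssuerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SampleRecord returns constructed, fictitious demographic data for the example.
func SampleRecord() Record {
	return Record{ReferenceID: "XXXX-4321-20220801", Name: "Asha Example", DOB: "1990-01-01",
		Gender: "F", PhotoSHA256: "0000...assumed-placeholder"}
}

// Issue signs the JSON encoding of the record (RSASSA-PKCS1-v1_5 over SHA-256) and returns
// the base64 text that would be encoded into the QR code.
func Issue(priv *rsa.PrivateKey, rec Record) (string, error) {
	data, err := json.Marshal(rec)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	out, err := json.Marshal(Payload{Record: data, Signature: sig})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// Verify checks the signature with the verifier's pinned issuer public key before any field of
// the record is decoded or displayed. The key never comes from the QR code itself.
func Verify(issuer *rsa.PublicKey, qrText string) (Record, error) {
	raw, err := base64.StdEncoding.DecodeString(qrText)
	if err != nil {
		return Record{}, err
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return Record{}, err
	}
	digest := sha256.Sum256(p.Record)
	if err := rsa.VerifyPKCS1v15(issuer, crypto.SHA256, digest[:], p.Signature); err != nil {
		return Record{}, errors.New("issuer signature invalid: credential rejected")
	}
	var rec Record
	if err := json.Unmarshal(p.Record, &rec); err != nil {
		return Record{}, err
	}
	return rec, nil
}

// Tamper models an attacker who edits the record inside a genuine payload but holds no issuer key.
func Tamper(qrText, newDOB string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(qrText)
	if err != nil {
		return "", err
	}
	var p Payload
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", err
	}
	var rec Record
	if err := json.Unmarshal(p.Record, &rec); err != nil {
		return "", err
	}
	rec.DOB = newDOB
	p.Record, _ = json.Marshal(rec) // the original signature is left in place
	out, _ := json.Marshal(p)
	return base64.StdEncoding.EncodeToString(out), nil
}

func main() {
	priv, err := NewIssuerKey()
	if err != nil {
		panic(err)
	}
	qr, _ := Issue(priv, SampleRecord())
	rec, err := Verify(&priv.PublicKey, qr)
	fmt.Println("genuine:", rec, err)
	forged, _ := Tamper(qr, "1985-01-01")
	_, err = Verify(&priv.PublicKey, forged)
	fmt.Println("tampered:", err)
}
```

The signed bytes are kept verbatim inside the payload and the verifier hashes exactly those bytes, so no canonicalisation step can introduce a mismatch between signer and verifier; a verifier that re-serialised the record before hashing would be fragile, and one that took the public key from the QR code would verify nothing at all.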
Example 3: Malawi—Biometrics and Smart Card Standards

The Government of Malawi has achieved high coverage of the adult population through a mass registration and ID issuance effort launched in 2017, which provided more than 9 million people with a national ID card. The identification system is managed by the National Registration Bureau (NRB) under the Ministry of Home Affairs and Internal Security. Malawians aged 16 and above are eligible to obtain a national ID card. The registration process captures 10 fingerprints, a digital photograph, and an electronic signature.
Biometric deduplication is completed before a unique ID and smart card are issued. The ID card is ICAO 9303 and ISO/IEC 7816 compliant, has seven built-in security features to prevent forgery, and includes a QR code. The chip stores both biometric and biographic information about the holder, including one fingerprint, a facial image, and a copy of their ink signature. Since the card meets international standards it can, in principle, be used for a wide range of applications, including international travel and health insurance (through an eHealth applet compliant with CWA 15974 and ISO 21549). However, while these features are available, they are used only for authentication services by a few service providers, primarily in the financial sector, and have not yet been used in practice for international travel or health.

Source: Malawi's Journey Towards Transformation: Lessons from its National ID Project, by Tariq Malik. Center for Global Development, 2018.

MALAWI: standards (selections 1 to 4 as listed in the catalog)
Biometrics
  Face: image standard JPEG2000; data interchange format ISO/IEC 19794-5; biometric interface ISO/IEC 19785 (CBEFF)
  Fingerprint: image standard WSQ; data interchange format ISO/IEC 19794-4 and ISO/IEC 19794-2; biometric interface ISO/IEC 19785 (CBEFF)
  Iris: image standard JPEG/JPEG2000/PNG (see guidance note); data interchange format ISO/IEC 19794-6; biometric interface ISO/IEC 19785 (CBEFF)
Cards
  Non-smart card: ISO/IEC 7810
  Smart card, contact: ISO/IEC 7810 and ISO/IEC 7816
  Smart card, contactless: ISO/IEC 7810 and ISO/IEC 14443
  Machine-readable format: ICAO 9303 (ISO/IEC 7501)
Digital signature
  Generation and verification: FIPS 186-4 (Digital Signature Standard); RFC 3447 (RSA, PKCS #1)
  Secure hash: FIPS PUB 180-4 (SHA-1, SHA-512/256, etc.)
  Cryptographic modules: FIPS 140-2
  Public key certificate: ITU-T X.509 | ISO/IEC 9594-8
  XML digital signature: W3C/ETSI XAdES
Bar code
  One-dimensional: ISO/IEC 15417
  Two-dimensional: QR code
Federation
  Not applicable / not adopted; OIDC + OAuth / SAML (see guidance note)
Example 4: Smart eID in Pakistan—Biometrics and Smart Card Standards

Pakistan's National Database and Registration Authority (NADRA) has issued over 120 million ID cards, and an estimated 88 percent of adult citizens now have an ID. Over the years, Pakistan's ID card has evolved into a smart eID that contains a data chip and a match-on-card applet, i.e., the fingerprint comparison runs inside the chip, so the stored reference template never has to leave the card.
The ID card complies with ICAO 9303 part 3, volume 1, and is also ISO/IEC 7816-4 compliant. The smart ID card has more than 20 overt and covert security features to prevent forgery. It also carries a QR code and a machine-readable zone (MRZ) on the back of the card. NADRA uses open source as a guideline for application development. Demographic data is used along with biometric data to improve the deduplication process. NADRA's Quality Management and ID Card Production departments are ISO 9001:2000 certified.

Source: Asian Development Bank. 2016. Identity for Development in Asia and the Pacific. Manila: Asian Development Bank.

PAKISTAN: standards (selections 1 to 4 as listed in the catalog)
Biometrics
  Face: image standard JPEG; data interchange format ISO/IEC 19794-5; biometric interface ISO/IEC 19785 (CBEFF)
  Fingerprint: image standard WSQ; data interchange format ISO/IEC 19794-2; biometric interface ISO/IEC 19785 (CBEFF)
  Iris: image standard JPEG/JPEG2000/PNG (see guidance note); data interchange format ISO/IEC 19794-6; biometric interface ISO/IEC 19785 (CBEFF)
Cards
  Non-smart card: ISO/IEC 7810
  Smart card, contact: ISO/IEC 7816
  Smart card, contactless: ISO/IEC 7810 and ISO/IEC 14443
  Machine-readable format: ICAO 9303 (ISO/IEC 7501)
Digital signature
  Generation and verification: FIPS 186-4 (Digital Signature Standard); RFC 3447 (RSA, PKCS #1)
  Secure hash: FIPS PUB 180-4 (SHA-2)
  Cryptographic modules: FIPS 140-2
  Public key certificate: ITU-T X.509
  XML digital signature: W3C/ETSI XAdES
Bar code
  One-dimensional: ISO/IEC 15417
  Two-dimensional: QR code
Federation
  Not applicable / not adopted; OIDC + OAuth / SAML (see guidance note)
Example 5: eID with Digital Certificate in Peru

Peru's National Registry of Identification and Civil Status (RENIEC) has introduced an electronic National ID Card (DNIe) to facilitate online transactions and services, alongside its traditional 'blue' ID card, which is used for in-person transactions. RENIEC is an autonomous entity whose mandate includes civil registration and identification as well as the issuance of digital signatures. It has issued more than 30 million IDs, covering almost the entire population of the country. Demand for the electronic ID card is growing steadily; it now makes up about 12 percent of ID requests. The DNIe provides Peruvian citizens with a digital identity for both in-person and remote, online authentication. The DNIe includes two digital certificates, which allow the cardholder to sign electronic documents with the same probative value as a handwritten signature.
Peru's eID complies with ISO/IEC 7816, and its biometric system follows ISO/IEC 19794. The card also complies with ICAO 9303 and can be used as a machine-readable travel document (MRTD).

Source: Interview with a RENIEC official; www.gob.pe; https://portales.reniec.gob.pe.

PERU: standards (selections 1 to 4 as listed in the catalog)
Biometrics
  Face: image standard JPEG2000; data interchange format ISO/IEC 19794-5; biometric interface ISO/IEC 19785 (CBEFF)
  Fingerprint: image standard JPEG/JPEG2000/PNG/WSQ (see guidance note); data interchange format ISO/IEC 19794-2; biometric interface ISO/IEC 19785 (CBEFF)
  Iris: image standard JPEG/JPEG2000/PNG (see guidance note); data interchange format ISO/IEC 19794-6; biometric interface ISO/IEC 19785 (CBEFF)
Cards
  Non-smart card: ISO/IEC 7810
  Smart card, contact: ISO/IEC 7810 and ISO/IEC 7816
  Smart card, contactless: ISO/IEC 7810 and ISO/IEC 14443
  Machine-readable format: ICAO 9303 (ISO/IEC 7501)
Digital signature
  Generation and verification: FIPS 186-4 (Digital Signature Standard); RFC 3447 (RSA, PKCS #1)
  Secure hash: FIPS PUB 180-4 (SHA-1, SHA-512/256, etc.)
  Cryptographic modules: FIPS 140-2
  Public key certificate: ITU-T X.509 | ISO/IEC 9594-8
  XML digital signature: W3C/ETSI XAdES
Bar code
  One-dimensional: ISO/IEC 15417
  Two-dimensional: PDF417 / QR code (see guidance note)
Federation
  Not applicable / not adopted; OIDC
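Both the Peruvian DNIe and the Estonian ID-Kaart carry two certificates, one for authentication and one for signing. A verifier that treats them interchangeably undermines the legal value of the signature: a key exercised routinely for logins must not be able to produce a binding signature. The Go program below is an added example, not RENIEC's or any card vendor's code: it personalises two ECDSA P-256 credentials (FIPS 186-4) as X.509 certificates that differ only in their key-usage bits, and shows a verifier that accepts a document signature only from the certificate asserting contentCommitment (called nonRepudiation in older X.509 text). Names and validity periods are constructed, and the certificates are self-signed and trusted directly for the sake of the example; a real deployment chains them to the national CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential models one key pair personalised into the card chip together with its certificate.
type Credential struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCredential generates a P-256 key and a self-signed certificate carrying the given key-usage bits.
// Constructed example: a real card's certificates are issued by the national CA, not self-signed.
func newCredential(cn string, usage x509.KeyUsage, serial int64) (Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Country: []string{"PE"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(4, 0, 0),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Credential{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Credential{}, err
	}
	return Credential{Key: key, Cert: cert}, nil
}

// IssueCardCredentials returns the authentication certificate (digitalSignature only) and the
// signature certificate (digitalSignature + contentCommitment) for one holder.
func IssueCardCredentials(holder string) (auth, sign Credential, err error) {
	auth, err = newCredential(holder+" (authentication)", x509.KeyUsageDigitalSignature, 1)
	if err != nil {
		return
	}
	sign, err = newCredential(holder+" (signature)",
		x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, 2)
	return
}

// TrustPool builds the verifier's set of trusted root certificates.
func TrustPool(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// SignDocument produces an ECDSA signature over SHA-256(document) with the credential's key.
func SignDocument(c Credential, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
}

// VerifyDocumentSignature accepts a signature only if the certificate chains to a trusted root and is
// within its validity period, asserts contentCommitment, and the ECDSA signature verifies.
func VerifyDocumentSignature(trusted *x509.CertPool, cert *x509.Certificate, document, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return errors.New("certificate lacks contentCommitment: not acceptable for a binding signature")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(document)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, sign, err := IssueCardCredentials("Ana Ejemplo") // fictitious holder
	if err != nil {
		panic(err)
	}
	trusted := TrustPool(auth.Cert, sign.Cert)
	doc := []byte("Contrato de arrendamiento, version 3")
	sigSign, _ := SignDocument(sign, doc)
	sigAuth, _ := SignDocument(auth, doc)
	fmt.Println("signature certificate:", VerifyDocumentSignature(trusted, sign.Cert, doc, sigSign))
	fmt.Println("authentication certificate:", VerifyDocumentSignature(trusted, auth.Cert, doc, sigAuth))
}
```

The key-usage check comes before the signature check on purpose: a mathematically valid signature from the wrong certificate is still rejected, and the error message says why. On the card side the same separation is enforced by distinct PINs for the two keys, as the Estonian example describes.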
7. CONCLUSION

Standards are key to unlocking the value of identification systems for development and to establishing interoperable, scalable, secure, and efficient digital identification platforms for service delivery. Understanding the standards landscape and choosing which standards to adopt can be a challenge for ID practitioners. There are multiple international and national standards-setting bodies, such as ICAO, IEC, ISO, ITU-T, ANSI and NIST, and navigating their catalogs and guidance can be difficult. The menu and choice of relevant standards depend on the purpose, scope, and function of the specific identification system, as the country examples presented earlier show. For instance, not all ID systems will use fingerprint or iris biometrics for deduplication or authentication. The format of the credential issued will also vary: some systems and countries place more emphasis on physical credentials, while others are transitioning to ID numbers and mobile IDs combined with other authentication factors. Depending on the approach taken, the relevant set of standards will vary. At the same time, 

ensuring that the features and technologies deployed comply with international standards is key to the system's sustainability.

Several issues are important to keep in mind when designing an ID system and using standards:

1. Use open standards when feasible. Open standards help ensure that an ID system is robust, interoperable and technology neutral. However, before adopting an open standard it is important to consider whether it is widely used in the market. In some instances there has been little market uptake of an open standard, which may indicate a performance issue or another issue to consider. If a standard is not widely used, it may be hard to ensure competition when selecting a product or solution. A full assessment of needs should be completed before selecting solution components. Where an innovative solution is required, wide market adoption will not necessarily exist, particularly if the solution is designed for specific needs or challenges. Equally, in niche applications only a few suppliers are likely to exist. In some instances, a solution reliant on a closed standard may offer greater performance than an open standard. In such a case it is still important to ensure that the closed standard does not result in vendor lock-in, e.g., by selecting system components that support open API standards and allow access to system data in portable open data formats (see semantic standards below). This approach also allows system components to be updated or replaced over time following a modular approach, as vendors change or new, more efficient solutions present themselves.

2. Technical standards alone are not sufficient. In addition to open technical standards, semantic standards are important for interoperability. Semantic standards define the data formats and metadata for identity attributes such as name and date of birth (e.g., the number of characters allowed for a name; the order of first, middle and last name; the date format, such as mm/dd/yyyy or dd/mm/yy) to facilitate seamless data exchange across systems. Beyond technical and semantic standards, it is important to adopt strong procurement processes that minimize contractual constraints on the choice of technology and supplier(s), to mitigate the risk of vendor and technology lock-in. The ID4D procurement guide and checklist provide additional considerations and recommendations in this area. The ID4D Practitioner's Guide offers further guidance on inclusive and trusted ID system design.

3. Be forward looking. Standards are not static; they evolve as new technologies emerge. It is therefore important to stay abreast of emerging technologies and standards relevant to ID systems. Some relevant emerging initiatives and standards are the following:
• Verifiable credentials (VCs) are an open standard for digital credentials; the Verifiable Credentials Data Model is a World Wide Web Consortium (W3C) Recommendation.
• OSIA is an open standard set of interfaces (APIs) that supports seamless connectivity between all components of the identity management ecosystem, independent of technology, solution architecture or vendor.
• The Modular Open Source Identity Platform (MOSIP) provides a vendor-neutral and interoperable solution for implementing digital foundational identification systems, designed for easy integration and with security and privacy as key principles.
• The GovStack initiative is defining specifications for an 'identification and authentication' building block (i.e., a reusable software component that provides key functionality facilitating generic workflows across multiple sectors), along with other building blocks, as a public good. It is also creating a sandbox for reference implementations and a certification process for checking the compliance of solutions with the specifications.
• Trust frameworks for federations, e.g., electronic Identification, Authentication and Trust Services (eIDAS, EU), the Pan-Canadian Trust Framework (PCTF, Canada), and the Trusted Digital Identity Framework (TDIF, Australia).

BIBLIOGRAPHY

Ashiq, J. A. The eIDAS Agenda: Innovation, Interoperability and Transparency. Cryptomathic. Retrieved 18 March 2016.
ENISA. Mobile ID Management. European Network and Information Security Agency. Accessed 11 April 2016.
Europa.eu. Regulations, Directives and Other Acts. The European Union. Retrieved 18 March 2016.
Fumy, Walter, and Manfred Paeschke. Handbook of eID Security: Concepts, Practical Experiences, Technologies. John Wiley & Sons, 13 December 2010.
Gelb, Alan, and Julia Clark. Identification for Development: The Biometrics Revolution. Working Paper. Washington, DC: Center for Global Development, 2013.
Gomes de Andrade, Norberto Nuno, Shara Monteleone, and Aaron Martin. Electronic Identity in Europe: Legal Challenges and Future Perspectives (eID 2020). Joint Research Centre, European Commission, 2013.
GSMA and SIA. Mobile Identity: Unlocking the Potential of the Digital Economy. Groupe Spéciale Mobile Association (GSMA) and Secure Identity Alliance, October 2014.
IEEE. What Are Standards? Why Are They Important? IEEE, 2011. http://standardsinsight.com/ieee_company_detail/what-are-standards-why-are-they-important.
ITU. Biometrics and Standards. Telecommunication Standardization Sector, International Telecommunication Union. Accessed 11 April 2016.
ITU. Biometric Standards: ITU-T Technology Watch Report. International Telecommunication Union, December 2009.
PIRA. The Future of Personal ID to 2019. Smithers PIRA International, 6 June 2014.
Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
Turner, Dawn M. eIDAS from Directive to Regulation: Legal Aspects. Cryptomathic. Retrieved 18 March 2016.
Turner, Dawn M. Understanding Major Terms Around Digital Signatures. Cryptomathic. Retrieved 18 March 2016.
van Zijp, Jacques. Is the EU Ready for eIDAS? Secure Identity Alliance. Retrieved 18 March 2016.
Williams-Grut, Oscar. "Estonia wants to become a 'country as a service'." Business Insider, 2016.
World Bank. ID4D Practitioner's Guide: Version 1.0. Washington, DC: World Bank, 2019.

APPENDIX A: ISO/IEC JTC 1 SUBCOMMITTEES, WORKING GROUPS AND THEIR MANDATE

ISO Technical Committees and Working Groups

ISO has established technical committees, subcommittees, and working groups that are in continuous communication with other international and national organizations, as well as with industry consortia involved in reviewing or establishing standards. A Joint Technical Committee, ISO/IEC JTC 1, has been formed by ISO and IEC to ensure a comprehensive and worldwide approach to the development and approval of international information technology standards, including biometric standards. Within JTC 1, subcommittees 37, 27, and 17 are relevant for any country planning to undertake a digital identity system. Various working groups within these subcommittees focus on the development and updating of specific standards relevant to the digital identity lifecycle, including:
1. ISO/IEC JTC 1/SC 37: Biometrics
2. ISO/IEC JTC 1/SC 27: IT Security Techniques
3. ISO/IEC JTC 1/SC 17: Cards and Personal Identification
4. ISO/IEC JTC 1/SC 6: Telecommunications and information exchange between systems (standards on digital signatures/PKI)

These subcommittees work with other subcommittees within ISO (liaison committees) as well as with external organizations (organizations in liaison), some of which are also involved in the preparation of related standards. The table below identifies the role, scope, and mandate of the technical subcommittees and their working groups.

FIGURE 5: ISO/IEC Joint Technical Committee 1: Subcommittees and Working Groups for ID Management

ISO/IEC JTC 1
  ISO/IEC JTC 1/SC 37 Biometrics
    WG 1 Harmonized Biometric Vocabulary
    WG 2 Biometric Technical Interfaces
    WG 3 Biometric Data Interchange Formats
    WG 4 Technical Implementation of Biometric Systems
    WG 5 Biometric Testing and Reporting
    WG 6 Cross-Jurisdictional and Societal Aspects of Biometrics
  ISO/IEC JTC 1/SC 27 Security Techniques
    SWG-M Management
    SWG-T Transversal Items
    WG 1 Information Security Management Systems
    WG 2 Cryptography and Security Mechanisms
    WG 3 Security Evaluation, Testing and Specification
    WG 4 Security Controls and Services
    WG 5 Identity Management and Privacy Technologies
  ISO/IEC JTC 1/SC 17 Cards and Personal Identification
    WG 1 Physical Characteristics and Test Methods for ID Cards
    WG 3 ID Cards: Machine Readable Travel Documents
    WG 4 Integrated Circuit Cards
    WG 5 Registration Management Group
    WG 8 Integrated Circuit Cards without Contacts
    WG 9 Optical Memory Cards and Devices
    WG 10 Motor Vehicle Driver Licence and Related Documents
    WG 11 Application of Biometrics to Cards and Personal ID
  ISO/IEC JTC 1/SC 6 Telecommunications and Information Exchange between Systems
    WG 1 Physical and Data Link Layers
    WG 7 Network, Transport and Future Network
    WG 10 Directory, ASN.1 and Registration

Source: Author's analysis.

Subcommittees and working groups: scope and description

ISO/IEC JTC 1/SC 37 Biometrics
  Scope: Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems.
  Description: Common file frameworks, biometric application programming interfaces (BAPI), biometric data interchange formats, related biometric profiles, application of evaluation criteria to biometric technologies, methodologies for performance testing and reporting, and cross-jurisdictional and societal aspects.
  Working groups: WG 1 Harmonized Biometric Vocabulary; WG 2 Biometric Technical Interfaces; WG 3 Biometric Data Interchange Formats; WG 4 Technical Implementation of Biometric Systems; WG 5 Biometric Testing and Reporting; WG 6 Cross-Jurisdictional and Societal Aspects of Biometrics.

ISO/IEC JTC 1/SC 27 IT Security Techniques
  Scope: The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects: 1) security requirements capture methodology; 2) management of information and ICT security, in particular information security management systems, security processes, security controls and services; 3) cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information; 4) security management support documentation, including terminology and guidelines as well as procedures for the registration of security components; 5) security aspects of identity management, biometrics and privacy; 6) conformance assessment, accreditation and auditing requirements in the area of information security management systems; 7) security evaluation criteria and methodology.
  Description: Develops International Standards, Technical Reports, and Technical Specifications within the field of information and IT security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address both information security and privacy.
  Working groups: SWG-M Management; SWG-T Transversal Items; WG 1 Information Security Management Systems; WG 2 Cryptography and Security Mechanisms; WG 3 Security Evaluation, Testing and Specification; WG 4 Security Controls and Services; WG 5 Identity Management and Privacy Technologies.

ISO/IEC JTC 1/SC 17 Cards and Personal Identification
  Scope: Standardization in the area of identification and related documents, cards, and devices associated with their use in inter-industry applications and international interchange.
  Description: Develops and facilitates standards within the field of identification cards and personal identification.
  Working groups: WG 1 Physical Characteristics and Test Methods for ID Cards; WG 3 Identification Cards: Machine Readable Travel Documents; WG 4 Integrated Circuit Cards; WG 5 Registration Management Group (RMG); WG 8 Integrated Circuit Cards without Contacts; WG 9 Optical Memory Cards and Devices; WG 10 Motor Vehicle Driver Licence and Related Documents; WG 11 Application of Biometrics to Cards and Personal Identification.

Source: ISO, http://www.iso.org/iso/home.htm.