Dynamic, Multi-Attribute Authentication – OASIS Trust Elevation TC /Open Meeting

From IIW

Session Topic: Dynamic Multi-Attribute Authentication (W3F)

Convener: Mary Ruddy, Don Thibeau, Joop K.

Note-Taker(s): Mary Ruddy

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


This session included an overview of the OASIS Electronic Identity Credential Trust Elevation Methods Technical Committee (TC), its phase 1 deliverables and a request for input to structuring phase 2.

What is trust elevation?

Trust elevation - Increasing the strength of trust by adding factors from the same or different categories of trust elevation methods that don’t have the same vulnerabilities. There are five categories of trust elevation methods: who you are, what you know, what you have, what you typically do and the context. What you typically do consists of behavioral habits that are independent of physical biometric attributes. Context includes, but is not limited to, location, time, party, prior relationship, social relationship and source. Elevation can be within the classic four NIST and ISO/ITU-T levels of assurance or across levels of assurance.

This includes concepts of step up authentication, continuous authentication, risk based authentication and dynamic multi-attribute authentication.

This is different from the traditional 3 factor model. The ITU-T’s x1254 added the behavioral factor and we elevate context to a fifth factor.

We reviewed some representative method examples captured in our survey. See below for link to TC’s website.

Why is it becoming more important

More and more, when dealing with consumers and citizens, there is a need for dynamic authentication. A customer should only be asked to do multi-factor auth when they want to do high value transaction, not as a prerequisite to visiting a website. Few consumers have high LOA- credentials.

Technical Committee’s three phase approach

  • Phase 1 - a survey of methods of trust elevation and a taxonomy of
five method factors (done)
  • Phase 2 - an analysis of the methods, which methods counter which threats and are complimentary, etc. (starting to structure the analysis)
  • Phase 3 - a proposed protocol

We had a good session. People were comfortable with our five factor taxonomy.

We discussed different ways to talk about the inflexion point in the adoption of more dynamic authentication (rather than authorize once and you are done, authentication.)

The chief feedback was that the analysis should include the dimensions of a privacy and making processes acceptable to users (usability and adoption can be as important as risk management in some sectors.

For more information, see: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el