OASIS Electronic Secure Authentication (ESAT) Technical Committee

The Electronic Secure Authentication (ESAT) Technical Committee (TC) will survey methods that online relying partners and service providers currently use to authenticate electronic identities. It will include identity methods under development or described in theoretical models. The TC will compare and contrast these methods in order to propose a set of protocols service providers can reliably use. The set of protocols will enable authentication without static credentials or passwords, and provide increasing levels of identity assurance, risk mitigation, and authentication certainty.

The ESAT TC will collect information on no-shared-secret authentication techniques (in particular, quick response (QR) code) and risk mitigation techniques being standardized, marketed and implemented in the public or private sector. The TC will analyze the approaches and assess their effectiveness at assuring the identity of the electronic claimant. The goal will be to create a general model that describes how password replacement authentication/risk mitigation efforts can be used to create trusted online transactions. Once the initial collection and analyses have been completed, the TC will correlate the results with various other trusted credential and trusted transaction models. The objective will be to get the proposed protocols more widely-recognized and adopted, in order to make them more useful to governments, businesses, and individuals engaged in eGovernment and eCommerce.

The ESAT TC intends to solicit and respond to suggestions from governments in order to support private sector development of national and global identity infrastructures. It will assist private sector cooperation across providers, users, and subjects of trusted identity systems. The specifications produced by this TC will promote interoperability among multiple identity providers, identity federations, and frameworks. They will do this by facilitating clear communication about common and comparable operations that present, evaluate and apply identity data/assertions to sets of declared authorization levels.

Business Benefits

Strong authentication is needed to protect against account take-over and identity theft. Many technologies are being developed to reduce the reliance on passwords for authentication. Solutions based on FIDO Standards set a high bar by eliminating account take-overs based on phishing attacks. Unfortunately, many other solutions, and in particular those that are based on QR code, do not offer the same resistance to Man-in-the-Middle attacks. The work in this TC aims to remedy the risks associated with the use of QR code for strong authentication.

Overall, the benefits of assuring authentication will improve the user experience, and reduce the costs related to IdM, security and usability.

Any vendor involved in authenticating electronic identities, passwordless authentication providers, identity service providers, local and national governments, businesses, and individuals engaged in eGovernment and eCommerce will all benefit from this work.

Work within the ESAT TC's scope includes descriptions of the process steps and component services necessary to confirm a conclusion of Authentication steps that do not rely on providing a shared secret (i.e. a password). Those descriptions and analyses may include catalogs of data services (or types of services), taxonomies or functional definitions of the types of identity and assertion data on which those services operate, substantive data exchanges or models, and model message exchange patterns.

The TC may include functional data security and integrity requirements in its process descriptions. This may include recommendation of certain Authentication methods for enhancing online security, in particular when conducted within certain minimum levels of data integrity protection.

Where possible, the TC generally will rely on existing, widely-used definitions and data categories. The TC may also make functional comparisons of alternative assurance level schemes, so as to map its Secure Authentication processes to a variety of regulatory frameworks.

The following work will be out of scope for the TC:

• Mandates of specific message formats or schema. The TC will provide process and data requirements that can be equally applied regardless of the transport method or data schema encoding. No one data format or schema will be mandated. The TC may provide detailed instances of assurance and elevation message exchanges, as examples, but its output should be generally applicable regardless of schema encoding.

The Electronic Secure Authentication (ESAT) TC will create the following deliverables:

• The initial deliverable is a comprehensive list of methods currently being used to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by six months after the first meeting.
• The second deliverable is an analysis of the identified methods to determine each one's ability to provide a service provider with the assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by [nine] months after the first meeting.
• The third deliverable will be a "Secure Authentication Methods Protocol" specification. This document will recommend particular methods as satisfying defined levels of assurance for elevating trust in an electronic identity credential, in order to assure the submitter's identity sufficiently to support elevation between each pair of assurance levels and to transact business where material amounts of economic value or personally identifiable data are involved. Alternative and optional methods may be included. The description of each recommended method shall include: functional definitions of the types of identity and assertion data employed by each method; specification of the data services required in each elevation; substantive data exchange patterns or models; message exchange patterns or models; and such other elements as the TC deems useful. The first Public Review Draft will be completed by [fifteen] months after the first meeting.
• Other deliverables that fall within the scope of the project may be identified over time as the TC engages in its work.

The TC may re-factor the deliverables above as it sees fit into fewer, more, or differently combined documents. In any case, the deliverables shall:

• Be vendor-neutral and product-agnostic. (The TC may also elect to provide proof-of-concept instances, but will strive to facilitate ease of implementation regardless of data schema choices.)
• To the extent feasible, re-use rather than re-invent suitable existing definitions of policy concepts such as identity tokens and personally-identifiable data.
• To the extent feasible, be consistent with generally accepted definitions of service-oriented architecture principles.
• Describe with specificity their application to established US NIST and European eIDAS levels of assurance.
• Include a catalog or list of common types of services and functions.
• Include a set of definitions or sources of definitions for common functional types of data elements.

The Secure Authentication TC will operate under the RF on Limited Terms mode of the OASIS IPR Policy.

Work group business and proceedings will be conducted in English.