FICAM TFS Component Identity Services Terminology

As part of a recent update, the concept of component identity services was incorporated into the FICAM Trust Framework Solutions (TFS). The component identity service model "separates the functions of authentication and attribute providers".

This is supported by an industry trend whereby these functions are now offered by separate service providers. This trend has been driven by the fact that:
  • Vendors have focused their offerings according to their core strengths, which leads to improved quality of service for agency Relying Parties.
  • Some identity solution architectures require or prefer separated services, which gives agency Relying Parties a wider choice of services and greater flexibility to select only the services they need from an external provider.

The model, shown below, utilizes the following OMB and NIST terminology:
  • Token: Something that an individual possesses and controls that is used to authenticate the individual
    • Tokens are possessed by an individual and controlled through one or more of the traditional authentication factors (something you know, have, or are)
  • Identity: A set of attributes that uniquely describe an individual within a given context
  • Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual

NOTE: The above model is based on assurance and identity concepts that have been discussed in multiple jurisdictions and communities. In particular, the FICAM TFS Program would like to acknowledge the contributions of the Canada TBS and the Kantara IAWG.

The value of the model lies in the flexibility possible in combining the various functions as part of an industry service offering.

Within the framework of the FICAM TFS Program, the following three combinations are recognized:

A Credential Service Provider, which offers:
  • Token Management Services
  • Authentication Services
  • Identity Proofing Services
  • Attribute Validation Services

A Token Manager, which offers:
  • Token Management Services
  • Authentication Services 

An Identity Manager, which offers:
  • Identity Proofing Services
  • Attribute Validation Services

It should be noted that in all three cases, consent services are implementation specific and driven by policy.

The FICAM TFS Program recognizes that, especially in the private sector, identity service functions may be conducted by separate and independent entities that have relationships based on contracts as well as laws and regulations. As such, it supports a flexible conceptual model that brings together token managers, identity managers and credential service providers.

:- by Anil John