The InCommon Assurance Program
Good security and identity practices help ensure that an individual using an electronic credential is the person you think it is. For Service Providers in an identity federation, having Identity Provider Operators support a standard practice set (or profile) can mitigate the risk of service compromise. For Identity Providers it is a way to provide single sign-on access to applications requiring an increased level of confidence in a credential.
Version 1.2 Approved: Version 1.2 of the Identity Assurance Profiles and Framework has been approved by the InCommon Assurance Advisory Committee, the InCommon Steering Committee, and the U.S. government. What does this mean for you?
- New Simplified Bronze — Just sign the agreement and go. No audit required.
- Bronze to replace the POP — The Assurance Advisory Committee will be studying whether Bronze should eventually replace the Identity Provider Participant Operating Practices.
- U.S. government-approved flexibility — You now have the flexibility to propose alternative approaches for meeting the assurance criteria, with community authority for approval (via the Assurance Advisory Committee).
- Process for evolving our profiles — When the community approves alternative means that meet or exceed the assurance criteria, those alternatives become part of the spec and, thus, useable by others.
Congratulations to Virginia Tech for becoming the first to achieve both Bronze and Silver; read their implementation story. Consider joining Virginia Tech on the U.S. government-approved identity providers page.
Benefits of Assurance
Increases Confidence; Reduces Risk — Service Providers, whether on- or off-campus, have increased confidence because standards-based identity practices ensure that their risk requirements are met.
Getting Past Passwords — While many security experts deem passwords a thing of the past, we will continue to support them, even as we move to more secure methods. The Assurance profiles provide expert community guidance on managing your password-based infrastructures. Certification sends a message that you use a community standard that’s been approved by the U.S. government.
It’s not NIST 800-63. It’s Higher Ed’s Version — InCommon’s profiles are written by higher education for higher education and account for the unique needs and broad diversity of our campuses. The profiles are also comparable to levels of assurance 1 and 2 described in the NIST 800-63 Electronic Authentication Guideline, meaning they meet the U.S. government's standards as well.
Saves Time When Adding New Customers — Service Providers can rely on community-accepted standards in assessing Identity Provider systems, eliminating the burden of individual campus assessments. This will greatly reduce the time required to add new certified Identity Providers.
Access to Higher-Value Services — Certified Identity Providers can provide federated access to financial and health-related applications, sensitive research information, and other services that require greater confidence in an identity.
Protects Your Investment — InCommon is an approved Trust Framework Provider under the U.S. Identity, Credential, and Access Management Trust Framework Program. You’re one among many using this program.
Bronze, comparable to NIST Level of Assurance 1, provides reasonable assurance that a particular credential represents the same person each time it is used. Bronze is roughly the same confidence associated with common Internet identity.
Silver, equivalent to NIST Level of Assurance 2, has identity-proofing requirements that provide reasonable assurance of individual identity. Silver provides a security level roughly appropriate for basic financial transactions.
Need Detailed Information?
We recommend starting with the Program Components page to delve into the details.