Digital Identity Glossary
A glossary of key terms related to digital identity.
This glossary provides definitions for select terms related to digital identity topics. Some of these terms are directly applicable to the processes public sector agencies might use in their operations, while other definitions are important for understanding the broader digital identity landscape.
Where relevant, definitions are drawn directly from the National Institute of Standards and Technology (NIST) Computer Security Resource Center Glossary and other NIST guidance. We use hyperlinks to cite to NIST definitions and other outside sources. (NIST is currently updating their digital guidelines–this glossary uses both definitions from the 2017 version which appear in the CSRC Glossary, and definitions from the current draft revision where definitions have been significantly updated.)
Terms
Attribute: “A quality or characteristic ascribed to someone or something.”
- A person’s identity is made up of an attribute or set of attributes (e.g., name, date of birth, address, fingerprints, etc.) that uniquely describe them in a given context.
Authentication: “The process by which a claimant proves possession and control of one or more authenticators bound to a subscriber account to demonstrate that they are the subscriber associated with that account.”
- Essentially, authentication is how a service provider (e.g., a bank or a government agency, etc.) tries to understand that someone accessing a service or an account is the same person each time. An authenticator tied to an account might be something you know, like a password or pin; something you have, like a one-time passcode sent to your device; or something you are, which could mean biometric information like a fingerprint or image of your face. Once you’ve established a username or other login credentials with a service, you authenticate your access when you return to the service, for example by entering a password or inputting an authentication code received via text to confirm that they have access to an account or system.
Authentication Assurance Levels (AAL): NIST category “describing the strength of an authentication process.”
Biometrics: “A measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.”
- In the context of digital identity/identity proofing, biometrics refers to the “automated recognition of individuals based on their biological and behavioral characteristics.”
- Importantly, biometrics can be physical (e.g., faceprints, iris scans, fingerprints, etc.) or behavioral (e.g., non biological or non physiological features such as distinctive and unique mannerisms (signature or keystroke patterns, habitual behaviors).
Claimed Identity: “An applicant’s declaration of unvalidated and unverified personal attributes.”
- When someone shares details about who they are but that information has not been validated or verified, that person is presenting a claimed or self-asserted identity.
Credential Service Provider (CSP): “A trusted entity whose functions include identity proofing applicants to the identity service and registering authenticators to subscriber accounts.”
- For example, a bank that issues account credentials for its online banking customers is a credential service provider.
Digital Identity: “An attribute or set of attributes that uniquely describes a subject within a given context.”
- Read more about what digital identity means in our primer.
Facial Recognition Technology: “A set of digital tools that can be used to perform different tasks on instances, images, or videos of human faces.”
- There are different ways that tools interact with images of faces. 1-1 comparison compares a faceprint (an image or recording of a face) to an existing faceprint of a known person. 1:1 comparison can be used to verify that someone is who they claim to be.
- 1-to-many comparison can be used to identify a face, for example, from surveillance footage or images of a crowd. With this approach, someone using the technology does not need to know who they are looking for in advance. They may compare one faceprint to a set of faceprints in a gallery (a collection of facial images) to find a match.
- See our primer, Digital Identity in Public Benefits, for more information on equity issues related to use of biometrics.
Federated Identity Management: “A process that allows for the conveyance of identity and authentication information across a set of networked systems.”
- Federated identity management allows users to use one set of credentials to log into multiple digital systems. For example, some websites allow users to log in with their Google credentials. This means individuals do not create a specific set of credentials when accessing other sites that are part of a federated network.
Federation Assurance Levels (FAL): NIST category “describing the assertion protocol used by a federated identity management system to communicate authentication and attribute information (if applicable) to a relying party.”
- Relying Party (RP) is an “entity that relies upon a verifier’s assertion of a subscriber’s identity, typically to process a transaction or grant access to information or a system.” This could be a government agency relying on an assertion of someone’s identity from another government agency, or from an outside entity.
- If federated identity management involves trusting credentials from one provider across other systems, the federation assurance level describes the protocols used to assert information across those systems.
Identity and Access Management (IAM): Coordination of “technologies, standards, and protocols, to enable individuals to access services, benefits, and data to which they are entitled.”
Identity Assurance Levels (IAL): NIST category “conveying the degree of confidence that a person’s claimed identity is their real identity.”
- Depending on the risks associated with a particular transaction, service providers (e.g., a bank, government agency, etc.) may need to be more confident that someone is who they say they are. Identity proofing can be conducted at different assurance levels based on the needs and risks of a given transaction.
Identity Evidence: “Information or documentation provided by an individual to support their claimed identity. Identity evidence may be physical, such as a driver’s license or digital.”
- For example, when you provide a copy of your driver’s license, passport, or other credential, you’re sharing evidence about your identity. Online, an assertion (e.g., evidence of access to an account, or of a mobile driver’s license) may constitute identity evidence.
Identity proofing: “The processes used to collect, validate, and verify information about a subject in order to establish assurance in the subject’s claimed identity.”
Identity proofing is the more official term for what is often informally referred to as identity verification. Identity proofing encompasses multiple distinct steps, including:
- Identity resolution: Identity resolution aims “to uniquely distinguish an individual within a given population or context.” Resolution describes the processes used to confirm that whatever personally identifiable information (PII) a user shares belongs to a single, real person. This can be accomplished by comparing self-asserted PII to information in publicly available databases. Basically, resolution is about confirming that the PII someone has presented corresponds to a real individual.
- Identity validation: Identity validation is meant to “collect the most appropriate identity evidence from the applicant and determine that it is genuine (not altered or forged), accurate (the pertinent data is correct, current, and related to the applicant), and valid.”
- Identity verification: Identity verification aims to “establish, to a specified level of confidence, the linkage between the claimed validated identity and the real-life applicant engaged in the identity proofing process.” Basically, this step is how a credential service provider tries to understand that someone presenting evidence about an identity is actually that person. (See NIST’s draft guidelines for a list of methods that may be used for identity verification.)
Knowledge-based verification (KBV): “A process of validating knowledge of personal or private information associated with an individual for the purpose of verifying the claimed identity of an applicant.”
- In practice, this looks like asking someone to answer multiple choice questions about their private information, for example their credit history. See our primer, Digital Identity in Public Benefits, for more information on security vulnerabilities and equity issues related to KBV.
Learning and Employment Records (LERs): “Digital record of interconnected (linked) data, such as employment, earnings, skills, and credentials.”
Mobile Driver’s License: “mDLs function much like a traditional driver’s license, carrying information such as name, date of birth, and address but in a digital format accessible through a dedicated mobile application, often referred to as a digital wallet.”
Multi-factor authentication: “An authentication system that requires more than one distinct type of authentication factor for successful authentication. MFA can be performed using a multi-factor authenticator or by combining single-factor authenticators that provide different types of factors.”
- MFA might look like using a password then entering a one-time code sent to your mobile device via SMS, or logging in with a password then responding to a prompt on a separate authentication application.
- Importantly, MFA refers to the use of more than one distinct factor, or type of authenticator. Using a password in addition to a user-generated PIN would not constitute MFA since those are two factors of the same type (something you know).
Passkey: “Software or hardware cryptographic authenticators that allow authentication keys to be cloned and exported to other storage in order to sync those keys to other authenticators (i.e., devices).”
- Passkeys rely on public key cryptography and are designed to replace passwords and be phishing resistant. From a user experience, a site or service may allow a user to create a passkey for that service. When logging in they are not prompted to share their username and password, but instead unlock a passkey with things like their fingerprint, face, or PIN. Passkeys may also be known as syncable authenticators, as passkeys allow for access across devices.
Personally identifiable information (PII): “Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
- Examples of PII include Social Security Numbers, passport numbers, driver’s license numbers, taxpayer identification numbers, credit card numbers, telephone numbers, addresses, etc.
Presentation attack: Presentation attacks refer to instances where information or images are presented to a “biometric data capture system,” (e.g., technology used to recognize or analyze face images) to interfere with the system’s operation.
- In simpler terms, “presentation attacks are when someone uses a “spoof” or false image to gain access to a device, space, or service, or hide their identity.” As NIST explains, “presentation attacks can take many forms, such as wearing makeup, holding up a printed photo or displaying a digital photo of another person.”
Self-sovereign identity (SSI): “describes an identity management system created to operate independently of third-party public or private actors, based on decentralized technological architectures, and designed to prioritize user security, privacy, individual autonomy and self-empowerment.”
- Self-sovereign identity aims to give users more control over how their identity information is shared, stored, and used.
Single sign-on (SSO): An authentication framework that “allows multiple applications to use the same authentication session.”
- Organizations and governments may use single sign-on frameworks to enable employees or members of the public to use one set of login credentials across associated systems/services (e.g., using your state single sign-on credentials to ask multiple government websites).
- Single sign-on is distinct from a federated identity management approach, in which one set of credentials is recognized across distinct but networked systems.
Verifiable credentials: “A verifiable credential is a set of tamper-evident claims and metadata that cryptographically prove who issued it. Examples of verifiable credentials include, but are not limited to, digital employee identification cards, digital driver’s licenses, and digital educational certificates.”
- Verifiable credentials may be stored in a digital wallet.
Zero-trust/zero-trust architecture (ZTA): “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
- The zero trust security model “eliminates implicit trust in any one element, component, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
- Basically, ZTA requires continuous verification and does not assume authorization or trust in terms of system access.
Keep Learning
You can read more about digital identity on the Digital Benefits Hub, where you will also find our other introductory resources including:
- A primer, What is Digital Identity?
- A short explainer, Digital Identity + Public Benefits
Citation
Cite as: Digital Benefits Network. “Digital Identity Glossary”, Digital Benefits Network, September 6, 2024.