Upload
truongcong
View
229
Download
0
Embed Size (px)
Citation preview
Snapshot of Technical Standards for Digital Identity SystemsTechnical Standards
for Digital IdentityDRAFT FOR DISCUSSION
© 2017 International Bank for Reconstruction and Development/The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org
This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent.
The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.
Rights and Permissions
The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowl-edge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.
Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: [email protected].
Cover photo: © Digital Storm.
iiiDraft for Discussion
TABLE OF CONTENTSABBREVIATIONS v
ACKNOWLEDGMENTS vii
1. INTRODUCTION 1
2. OBJECTIVE 2
3. SCOPE 2
4. THE IDENTITY LIFECYCLE 3
4.1 RegistRation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4 1 1 Enrollment 3
4 1 2 Validation 4
4.2 issuance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.3 authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.4 LifecycLe ManageMent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.5 fedeRation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. DIGITAL ID RELATED TECHNICAL STANDARDS 6
5.1 Why aRe standaRds iMpoRtant? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.2 standaRds-setting Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
ISO Technical Committees and Working Groups 7
5.3 technicaL standaRds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Technical Standards for Interoperability 9
Technical Standards for Robust Identity Systems 18
5.4 fRaMeWoRks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
5 4 1 Levels of Assurance 19
6. COUNTRY USE CASES 22
6.1 aadhaaR identity systeM of india—BioMetRic Based . . . . . . . . . . . . . . . . . . . . . . . . . . 22
6.2 sMaRt eid in pakistan—BioMetRics and sMaRt caRd . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.3 eid With digitaL ceRtificate in peRu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.4 id-kaaRt in estonia—sMaRt caRd and MoBiLe id . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
7. CONSIDERATIONS WHILE ADOPTING STANDARDS FOR IDENTITY SYSTEMS 25
a Protecting Biometrics from Security Breaches 25
b Single or Multimodal Systems 25
iv Draft for Discussion
c Lack of Biometric Device Standards 25
d Modernizing Legacy Identification Systems 26
e Cost Effectiveness 26
f Interoperability and Interconnectivity 26
g Foundational Legal Identification Systems 27
h Privacy and Security 27
i New Standards Compliance 27
j Role of Development Partners 28
8. THE WAY FORWARD 28
BIBLIOGRAPHY 29
APPENDIX A ISO/IEC JTC SUBCOMMITTEE, WORKING GROUPS AND THEIR MANDATE 30
APPENDIX B STANDARDS DESCRIPTION 32
ENDNOTES 38
LIST OF FIGURESFIGURE 1 ISO/IEC JOINT TECHNICAL COMMITTEE 1: SUBCOMMITTEES AND WORKING GROUPS FOR ID MANAGEMENT 8
WG 5 IDENTITY MANAGEMENT & PRIVACY TECHNOLOGIES PRIVACY/PII STANDARDS IN SC 27/WG 5 AND ELSEWHERE 19
FIGURE 2 ISO AND EIDAS AUTHENTICATION LEVELS 21
vDraft for Discussion
ABBREVIATIONSAFNOR Association Française de Normalisation (Organisation of the French Standardisation System)
ANSI American National Standard Institute
ASN.1 Abstract syntax notation one
BAPI Biometric Application Programming Interface
CAP Chip Authentication Program
CBEFF Common Biometric Exchange Formats Framework
CEN European Committee for Standards
CITeR Center for Identification Technology Research
DHS Department of Homeland Security
DIN German Institute of Standardization
eID Electronic Identification Card
EMV Europay, MasterCard and Visa—Payment Smart Card Standard
EMVCo EMV Company
FIDO Fast IDentity Online
GSM Global System for Mobile Communication
GSMA The GSM Association
IBIA International Biometrics and Identification Association
ICAO International Civil Aviation Organization
ICT Information and Communication Technologies
ID Identification
ID4D Identification for Development
IEC The International Electrotechnical Commission
ILO International Labor Organization
INCITS International Committee for Information Technology Standards
ISO The International Organization for Standardization
IT Information Technologies
ITU-T ITU’s Telecommunication Standardization Sector
JTC Joint Technical Commission
MRZ Machine-Readable Zone
NADRA National Database and Registration Authority (of Pakistan)
NICOP National Identity Cards for Overseas Pakistanis
NIST National Institute of Standards and Technology
OASIS Organization for the Advancement of Structural Information Standards
OpenID Open ID Foundation
PSA Pakistan Standards Authority
vi Draft for Discussion
PIN Personal Identification Number
PKI Public key infrastructure
RFID Radio-Frequency Identification
RMG Registration Management Group
SA Standards Australia
SDGs Sustainable Development Goals
SIS Swedish Standards Institute
SNBA Swedish National Biometrics Association
UIN Unique Identity Number
UIDAI Unique Identification Authority of India
WB The World Bank
WG Working Group
viiDraft for Discussion
ACKNOWLEDGMENTSThis report was prepared by the Identification for Development (ID4D) initiative, the World Bank Group’s cross-departmental effort to support progress towards identification systems using 21st century solutions. The report was prepared by Tariq Malik and Anita Mittal with inputs from Julia Clark, Vyjayanti Desai, Samia Melhem and Yasin Janjua. The team also wishes to thank the reviewers who offered helpful suggestions, including Dr. Narjees Adennebi (ICAO), Daniel Bachenheimer (Accenture), Sanjay Dharwadker (WCC Group), Marta Ienco (Mobile-Connect/GSMA), Flex Ortega De La Tora (RENIEC), Stephanie de Labriolle (SIA), Waleed Malik (World Bank), and Dr. Adeel Malik (Oxford University).
This report was presented and discussed with the following organizations in September 2017: American National Standards Institute (ANSI); Center for Global Development; Digital Impact Alliance; European Commission; FIDO Alliance; Bill & Melinda Gates Foundation; Government Digital Service; GSMA; ICAO; IOM; National Institute of Standards and Technology (NIST); Omidyar Network; One World Identity; Open Identity Exchange; Open Soci-ety Foundation; Plan International; The World Economic Forum; UNDP; UNHCR; UNICEF; USAID; and WFP.
1Draft for Discussion
1. INTRODUCTIONRobust, inclusive identification systems are crucial for development, as enshrined in Sustainable Development Goal (SDG) Target 16.9, which mandates countries to provide “legal identity for all, including birth registration.” For individuals, proof of legal identity is necessary to access rights, entitlements, and services. Without it, they may face exclusion from political, economic, and social life. For governments, modern identification systems allow for more efficient and transparent administration and service delivery, a reduction in fraud and leakage related to transfers and benefits payments, increased security, accurate vital statistics for planning purposes, and greater capacity to respond to disasters and epidemics.1
Despite these benefits, however, some 1.1 billion individuals around the world lack proof of identity.2 In order to close this “identity gap,” many countries have therefore begun to reform existing identification systems and build new ones. In doing so, most have attempted to capitalize on the promise of new, digital identification technolo-gies, including biometric identification, electronic credentials including smart cards and mobile IDs, and online authentication infrastructure.
These advancements, particularly when combined with related digital technologies such as online and mobile payments systems, have the potential to leapfrog the inefficiencies of paper-based identification systems. At the same time, digital identification poses many challenges related to data protection and privacy, fiscal sustainabil-ity, and the choice and use of different technology options.
Robust Digital ID systems, if developed in a highly interoperable and scalable manner, can produce savings for citizens, government and businesses. Conversely, disparate initiatives and siloed investments in Digital ID sys-tems are likely to be wasteful and duplicative, detracting from the far-reaching public and private sector implica-tions of universal Digital IDs. Pooled approaches and federated ID systems at the regional or sub-regional level can also help strengthening the value proposition of Digital IDs programs. Trust in data security will be critical to achieving tangible results. The robustness and interoperability of an identification system depends on the degree to which it adheres to technical standards—henceforth “standards.”
Standards establish universally understood and consistent interchange protocols, testing regimes, quality mea-sures, and best practices with regard to the capture, storage, transmission, and use of identity data, as well as the format and features of identity credentials and authentication protocols.3 They are therefore crucial at each stage of the identity lifecycle, including enrollment, validation, deduplication, and authentication. Standards help ensure that the building blocks of identity systems are interoperable and testable, and can meet desired performance targets. The effectiveness of an interconnected and interoperable identification system cannot be ensured without standards.
However, the standards used for identification systems can vary significantly by country and economic region or trading bloc. This diversity presents a significant challenge with respect to interoperability and compatibility both within countries and across borders (Gomes de Andrade, Nuno, Monteleone and Martin 2013). Without a com-mon set of standards, countries with underdeveloped identification systems may not know which standards to follow, and may end up using sub-par technologies, and/or proprietary technology that results in vendor lock-in. The lack of a set of standards therefore poses a challenge for countries, as well as development partners who support country identification systems and provide technical assistance.
2 Draft for Discussion
2. OBJECTIVEStandards are critical for Identification systems to be robust, interoperable and sustainable. Process standards, data standards and technical standards are the three types of standards for ensuring interoperability at the orga-nizational, semantic and technical layers. The objective of this report is to identify the existing international tech-nical standards and frameworks applicable across the identity life cycle. This catalogue of technical standards could serve as a source of reference for the stakeholders in the identification systems ecosystem. This catalogue would also be the first step of a broader multi-stakeholder engagement to convene and explore the possibility of developing a minimal set of core technical standards for identification systems. It is envisaged that an analysis of the catalogue of existing standards, organized by category and subcategory, would help in a) identification of areas where standards are missing, b) identify areas where there are competing standards and choice needs to be made and c) assess applicability of standards in a developing country context. This could also help share experiences across countries and avoid reinvention of the wheel by each country/stakeholder.
3. SCOPE“Digital identity” is a broad term, with different meanings depending on the context. For this document, we con-sider digital identity as a set of electronically captured and stored attributes and credentials that can uniquely identify a person (World Bank, 2016, GSMA and SIA, Oct. 2014). Digital identity systems may take a variety of forms, each with different applicable standards. This report focuses on technical standards; data and process standards are not in scope of this document. The technical standards that are in scope of this report are those that are required to build robust interoperable digital identification systems which enables creation of digital iden-tities for individuals after validating their identity through defined processes, issuance of credentials linked to their identity and mechanisms to establish their identity (authenticate) using their digital identity/credentials.
The report is organized as follows:
• Section 4 reviews the identity lifecycle and the processes/stages in this lifecycle to contextualize the relevant technical standards;
• Section 5 then gives an overview of international organizations developing standards and a list of the most commonly used standards for digital identification systems with focus on applicability of standards;
• Section 6 discusses the use case of different identity systems of a few countries;
• Section 7 discusses the issues and challenges to be considered while adopting standards;
• Section 8 provides recommendations for future work on developing minimum technical standards for identification systems to ensure interoperability and avoid vendor lock in;
• The appendices provide details on the standard organization, standards mapping, table giving details on each standard.
3Draft for Discussion
4. THE IDENTITY LIFECYCLEGlobally, digital identity ecosystems are increasingly complex, and consist of a wide range of identity models and actors with diverse responsibilities, interests, and priorities.4 Understanding the processes and technology involved in digital identification is crucial for identifying the standards which are applicable in a given system. To that end, this section provides a general overview of the digital identity lifecycle (WB, GSMA and SIA, Oct. 2014)and describes briefly the various stages (WB, GSMA and SIA, Oct. 2014). This framework is then used to analyze relevant identification standards in Section 6.
Service Provider
Citizen/End-User
Digital Identity Lifecycle and Key Roles
Service Authentication
AuthenticationProvider
Updating Enrollment
Validation
RegistrationUse
Digital Identity
Issuance
Credential
Identity Provider
Attribute Provider
LifecycleManagement
?
Digital identities are created and used as part of a lifecycle that includes three fundamental stages: (a) registra-tion, including enrollment and validation, (b) issuance of documents or credentials, and (c) authentication for service delivery or transactions. Identity providers also engage in ongoing management of the system, includ-ing updating and revocation or termination of identities/credentials (see figure above (WB, GSMA and SIA, Oct. 2014)). The description of the various phases below has been included from the same report (WB, GSMA and SIA, Oct. 2014).
4.1 RegistRation
This is the most important step in creating a digital identity. The process begins with enrollment followed by validation.
4.1.1 Enrollment
This process involves capturing and recording key identity attributes from a person who claims a certain identity, which may include biographical data (e.g., name, date of birth, gender, address, email), biometrics (e.g., finger-prints, iris scan) and an increasing number of other attributes. Which attributes are captured during this phase and the method used to capture them have important implications for the trustworthiness of the identity (see the discussion of levels of assurance below) as well as its utility and interoperability with other domestic and inter-national identity systems.
4 Draft for Discussion
4.1.2 Validation
Once the person has claimed an identity during enrollment, this identity is then validated by checking the attri-butes presented against existing data. The validation process ensures that the identity exists (i.e., that the per-son is alive) and is claimed by one person (i.e., it is unique in the database). In modern digital identity systems, uniqueness is ensured through a deduplication process using biometric data. Links between the claimed identity and identities in other databases (e.g., civil registries, population registries, and so on) may also be established.
4.2 issuance
Before a credential can be used to assert identity by a person, a registered identity goes through an issuance or credentialing process, where identity providers may issue a variety of credentials (e.g., identifying numbers, smart cards, certificates, etc.). For an ID to be considered digital, the credentials issued must be electronic, in the sense that they store and communicate data electronically. Common types of electronic credentials used fall into these three categories
• Something you know (for example, a password).
• Something you have (for example, an ID card, mobile phone or a cryptographic key).
• Something you are (for example, a fingerprint or other biometric data).
Types of electronic credential systems include
• Smart cards: cards offer advanced security features and record digital cryptographic key and/or biometric on an embedded computer chip. Smart cards can come in the form of a contact/contactless card, or Near Field Communication (NFC)-enabled SIM card. Data stored on a smart card can be accessed offline for authentication where there is no internet connection or mobile network.
• 2D bar code card: Cards can be personalized with an encrypted 2D bar code containing a person’s personal data and biometrics, either instead of or in addition to a chip. The 2D bar code is a cost-efficient mean to provide a digital identity and to authenticate holders by comparing live biometric with that on the card. It has been widely deployed in Africa, Latin America, and the Middle East, includ-ing Lebanon, Mali, and Ghana, and more recently in Egypt to authenticate holders during the last elections.
• Mobile identity: Mobile phones and other devices can be used to provide portable digital identity and authentication for a variety of online transactions. For example, providers can issue SIM cards with digital certificates or use other mobile network assets that can enable secure and convenient identity and authentication of users for eGovernment (eGov) services and other public or private platforms.
• Identity (credential) in a central store/Cloud: Unlike portable credentials such as smart cards and SIM cards, some systems store certificates and biometrics on a server only. In this case, a physical credential storage device may not be issued. Identity number may be issued in non-electronic form (e.g., India’s Aadhaar program issues only a paper receipt). A tamper-resistant environment of crypto-graphic key generation and management to secure the ID credential in the central store against theft will increase the security and assurance level of the identity system.
4.3 authentication
Once a person has been registered and credentialed, they can use their digital identity to access the associated benefits and services. For example, citizens may use their eID number to pay taxes through an eGov portal, while bank customers can use smart debit cards or mobile financial services to make purchases. In order to
5Draft for Discussion
access services, the user must be authenticated using one or more factors that generally fall into one of three categories—something you know, something you have, something you are. Authentication using these attributes can occur through various pathways, including
• Smart cards: People with smart cards can authenticate their identity using multiple authentication factors for varying levels of assurance. For example, a simple PIN for low risk use cases or a digital signature based on public key infrastructure (PKI) technology for high risk use cases. Fingerprints can be used to establish a non-ambiguous link with the user. Because they store data locally on a chip, smart cards can also be used for offline digital authentication or remote locations where connectivity is limited.
• Mobile identity: Using smartphone applications, USSD or SMS-based authenticators, or SIM cards, mobile identity can incorporate multiple authentication factors for varying levels of assurance. For example, a simple PIN for low risk use cases, multiple-factor authentication solutions (including with the use of biometrics) or a mobile signature based on public key infrastructure (PKI) technology with a secure element (SE) for high-risk use cases. Authentication can be strengthened by using third and fourth factors such as the individual’s location or behaviour.
• ID in the central store/Cloud: Instead of issuing an identity document or mobile credential, a digital identity system can rely on biometrics for remote authentication. In this case, an identity is asserted and verified via a computer or other device with a biometric reader that connects to the Cloud. A Cloud-based system eliminates the need and cost of physical credentials, but requires robust ICT infrastructure for connectivity and security of the central storage.
4.4 LifecycLe ManageMent
Throughout the lifecycle, digital identity providers manage and organize the identity system, including facilities and staff, record keeping, compliance and auditing, and updating the status and content of digital identities. For example, users may need to update various identity attributes, such as address, marital status, profession, etc. In addition, identity providers may need to revoke an identity, which involves invalidating the digital identity for either fraud or security reasons, or terminate an identity in the case of the individual’s death.
4.5 fedeRation
Federation is the ability of one organization to accept another organization’s identity. Federation is based on inter-organizational trust. The trusting organization must be comfortable that the trusted organization has similar policies, and that those policies are being followed. Federation protocols and assurance framework facilitate fed-eration of digital identity intra and inter organizations/countries. Federation protocols like SAML (Security Asser-tion Mark-up Language) are used to convey the authentication result by the credential provider to the trusting organization. The trusting organization sends captures and sends the credential to the issuing organization for verification. After verification of the credential the issuing organizations sends a set of claims giving information about the user, result of authentication and the strength of the credentials used to authenticate the user. For fed-eration to be effectively used globally, agreement and mapping with the ISO defined assurance framework and adoption of federation protocols as standards are critical.
Federation can occur at multiple levels
• An organization can accept credentials issued by another organization, but still authenticate and authorize the individual locally:
• A passport issued by the U.S. Department of State is accepted as a valid credential by a foreign country, but that country’s immigration office still authenticates the holder and requires a visa (authorization).
6 Draft for Discussion
• An organization can accept specific characteristics (attributes) describing an individual from another organization:
• Your bank will request your credit score from one of the credit bureaus, rather than maintaining that information itself.
• An organization can accept an authorization decision from another organization:
• A driver’s license authorizing you to drive in one state is accepted by another.
The identity lifecycle requires technical standards at each stage and sub-stage, as discussed further in Section 6. Importantly, the type of attributes (biometrics, biographic, and others) captured during enrollment and the meth-odologies used to record them have important implications for the assurance and trust in the identity system as well as its utility and interoperability with other domestic and international identity systems.
5. DIGITAL ID RELATED TECHNICAL STANDARDS5.1 Why aRe standaRds iMpoRtant?
In general, technical standards contain a set of specifications and procedures with respect to the operation, maintenance, and reliability of materials, products, methods, and services used by individuals or organizations. Standards ensure the implementation of universally understood protocols necessary for operation, compatibility, and interoperability, which are in turn necessary for product development and adoption. While the adoption of standards has a positive impact in market penetration and international trade, a lack of standards creates issues for the effectiveness and robustness of an identity system, including problems with interoperability, interconnec-tivity and vendor lock-in.
As electronic IDs have begun to replace paper-based systems, the technologies, inter-device communication and security requirements underpinning identity systems have become more complex—increasing the impor-tance of standards for identity management. However, choosing between standards is challenging due to rapid technological innovation and disruption, product diversification, changing interoperability and interconnectivity requirements, and the need to continuously improve the implementation of standards.
5.2 standaRds-setting Bodies
Standards are rigorously defined by organizations that are created and tasked specifically for this purpose. In the case of ICT-related standards, these organizations—with the help of experts—set up, monitor, and continuously update technical standards to address a range of issues, including but not limited to various protocols that help ensure product functionality and compatibility, as well as facilitate interoperability. These standards and related updates are regularly published for the general benefit of the public.5
According to the International Telecommunication Union’s (ITU) Technology Watch, several organizations are actively developing technical standards for digital identification systems, including international organizations such as the United Nations’ specialized agencies, industry consortia, and country-specific (national) organiza-tions. Each are described briefly below.
• International Organizations. The following prominent international organizations are actively involved in setting relevant technical standards: the International Organization for Standardization (ISO); the International Electrotechnical Commission (IEC); ITU’s Telecommunication Standardization Sector (ITU-T); the International Civil Aviation Organization (ICAO); International Labor Organization (ILO); and the European Committee for Standards (CEN), World Wide Web Consortium (W3C), Inter-net Engineering Task Force (IETF)/Internet Society.
7Draft for Discussion
• National Organizations. In addition to international organizations, country-specific organizations also develop technical standards based on their needs and systems of measurement. Some impor-tant organizations include the American National Standard Institute (ANSI); the U.S. National Institute of Standards and Technology (NIST); the U.S.-based International Committee for Information Tech-nology Standards (INCITS), the U.S. Department of Homeland Security (DHS); the U.S. Department of Defense (DoD); Standards Australia (SA); the Swedish Standards Institute (SIS); the Swedish National Biometrics Association (SNBA); the German Institute of Standardization (DIN); Organiza-tion of the French Standardization System (AFNOR); the Dutch Standards Organization (NEN); the Unique Identification Authority of India (UIDAI); the Bureau of Indian Standards (BIS); and the Paki-stan Standards Authority (PSA).
• Industry Consortia. Finally, industry consortia and some nonprofit organizations are also involved in either developing standards or promoting best practices to meet the needs of their members. Promi-nent examples include: the U.S. government-sponsored consortium known as the Biometric Con-sortium; Secure Identity Alliance (SIA), Center for Identification Technology Research (CITeR); IEEE Biometrics Council; Biometrics Institute, Australia; Smart Card Alliance; International Biometrics and Identification Association (IBIA); Kantara Initiative; Open Identity Exchange; Open Security Exchange; Asian Pacific Smart Card Association (APSCA); Organization for the Advancement of Structural Infor-mation of Standards (OASIS); Fast IDentity Online (FIDO) Alliance; and Open ID Foundation.
Among the major-standard setting bodies, this review has found that most prominent countries and industry consortia are connected to and collaborate with ISO (for example, through subcommittees and working groups (WG)) to modify or confirm standards for their requirements. In addition, ISO standards have been followed by most large-scale ID programs and are widely supported and used by industry consortia. As the nucleus of major industry standard contributions, this study therefore focuses on the work of the ISO.
ISO Technical Committees and Working Groups
ISO has established technical committees, subcommittees, and working groups that are in continuous commu-nication with other international and national organizations, as well as industry consortia involved in reviewing or establishing standards. A Joint Technical Committee, ISO/IEC JTC 1, has been formed by ISO and IEC to ensure a comprehensive and worldwide approach for the development and approval of international biometric standards. Within JTC1, subcommittees 37, 27, and 17 are relevant for any country that is planning to undertake a digital identity system. Various working groups within these subcommittees focus on the development and updating of specific standards relevant to the digital identity lifecycle, including:
1. ISO/IEC JTC 1/SC 37: Biometrics
2. ISO/IEC JTC 1/SC 27: IT Security Techniques
3. ISO/IEC JTC 1/SC 17: Cards and Personal Identification
4. ISO/IEC JTC 1/SC 6: Telecommunications and information exchange between systems (standards on digital signature/PKI)
These subcommittees work with other subcommittees within the ISO (liaison committees) as well as external organizations (organizations in liaison), some of whom are also involved in preparation of related standards. Figure 1 identifies the role, scope, and mandate of the technical subcommittees and their subsequent working groups. For detailed description of these subcommittees, see Appendix A.
8 Draft for Discussion
FIGURE 1 ISO/IEC Joint Technical Committee 1: Subcommittees and Working Groups for ID Management
Joint Technical CommitteeISO/IEC JTC 1
SubcommitteeISO/IEC JTC 1/SC 37
Biometrics
ISO/IEC JTC 1/SC 37/WG 1Harmonized Biometric
Vocabulary
ISO/IEC JTC 1/SC 37/WG 2Biometric Technical
Interfaces
ISO/IEC JTC 1/SC 37/WG 3Biometric Data
Interchange Formats
ISO/IEC JTC 1/SC 37/WG 4Technical Implementation
of Biometric Systems
ISO/IEC JTC 1/SC 37/WG 5Biometric Testing
and Reporting
ISO/IEC JTC 1/SC 37/WG 6Cross Jurisdictional &
Societal Aspectsof Biometrics
SubcommitteeISO/IEC JTC 1/SC 27Security Techniques
ISO/IEC JTC 1/SC 27/SWG-MManagement
ISO/IEC JTC 1/SC 27/SWG-TTransversal Items
ISO/IEC JTC 1/SC 27/WG 1Information Security
Management Systems
ISO/IEC JTC 1/SC 27/WG 2Cryptography and Security
Mechanisms
ISO/IEC JTC 1/SC 27/WG 3Security Evaluation,
Testing and Specification
ISO/IEC JTC 1/SC 27/WG 4Security Controls
and Services
ISO/IEC JTC 1/SC 27/WG 5Identity Management and
Privacy Technologies
SubcommitteeISO/IEC JTC 1/SC 17Cards and Personal
Identification
ISO/IEC JTC 1/SC 17/WG 1Physical Characteristics & Test Method for ID Cards
ISO/IEC JTC 1/SC 17/WG 3ID Cards—Machine
Readable Travel Documents
SubcommitteeISO/IEC JTC 1/SC 6
ISO/IEC JTC 1/SC 6/WG 1Physical and Data Link
Layers
ISO/IEC JTC 1/SC 6/WG 7Network, Transport and
Future Network
ISO/IEC JTC 1/SC 17/WG 4Integrated Circuit Cards
ISO/IEC JTC 1/SC 6/WG 10Directory, ASN.1 and
Registration
ISO/IEC JTC 1/SC 17/WG 5Registration Management
Group
ISO/IEC JTC 1/SC 17/WG 8Integrated Circuit Cards
without Contacts
ISO/IEC JTC 1/SC 17/WG 9Optical Memory Cards
and Devices
ISO/IEC JTC 1/SC 17/WG 10Motor Vehicle Driver
Licence and Related Documents
ISO/IEC JTC 1/SC 17/WG 11Application of Biometricsto Cards and Personal ID
Source: Author’s Analysis
9Draft for Discussion
5.3 technicaL standaRds
This section contains a compilation of technical standards identified for identity systems. Most of them relate to the credential to be used for authenticating the user. Technical standards which are applicable to identity applica-tions that are common with any software application (web application/desktop/portal) are not listed/discussed in this report. The Technical Standards are grouped in two tables. The first table lists standards which are required for interoperability of systems and the second table of standards lists standards for robustness of identification systems which address the requirements like security, quality. The standards are continuously revised by the standards organizations. The standards in the table have hyperlinks to the website providing information about the standard. The ISO standards page provides information and link to the newer version of the standard if avail-able. For addition of any missing information/standard or correction required to the table of standards/report, please send your feedback to [email protected]
Technical Standards for Interoperability
The major categories of standards listed below fall into the following areas.
1. Biometrics—Image standard—Multiple competing standards are in use for capturing face image (PNG, JPEG, JPEG2000 in most of the systems while GIF/TIFF (proprietary standards) may be in use in a few). For fingerprint image (JPEG, JPEG2000 and WSQ) standard are in use. Comments provide guidelines on selection of image standard for images like face, fingerprint.
2. Biometrics—Data interchange format—ISO standards for different types of biometrics like fingerprint, iris, face are listed. The type(s) of biometrics selected for implementation of identity systems would dic-tate the standards to be complied with
3. Card/Smart Card—Different standards exist for the different types of card—card with chip and without chip and within chip category we have contact and contactless cards. Each identity system would select a card based on various criteria like cost, features. The standard to be selected depends on the category of card used for the identity system.
4. Digital Signatures—Multiple non-competing standards are listed which are applicable based on the use of digital signature for the identity systems.
5. 2D bar code—The standards commonly used PDF417 and QR code are listed. Comments provide guidelines on selection of standard for 2D bar code.
6. Federation protocols—Open ID connect and OAuth combination are being increasingly used for federa-tion while SAML has been used extensively earlier.
10 Draft for Discussion
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
A.1
Bio
met
rics
Imag
e S
tand
ard
ISO
/IEC
154
44-1
(J
PE
G20
00)
Imag
e C
odin
g S
tand
ard
(bot
h lo
ssy
and
loss
less
co
mpr
essi
on)
ISO
and
IEC
JPE
G (O
pen
with
so
me
parts
hav
ing
pate
nt is
sues
)
PN
G (O
pen)
GIF
(Pro
prie
tary
))
TIFF
(Pro
prie
tary
)
Use
d fo
r fac
e im
age,
fing
er-
prin
t, Iri
s im
age.
Exc
hang
e Fo
rmat
for R
estri
cted
M
emor
y D
evic
e ca
ses
like
Sm
art C
ards
.
A.2
Bio
met
rics
Imag
e S
tand
ard
ISO
/IEC
159
48,
(PN
G)
Tech
nolo
gy—
Com
-pu
ter g
raph
ics
and
imag
e pr
oces
sing
—
Por
tabl
e N
etw
ork
Gra
phic
s—lo
ssle
ss
com
pres
sion
W3C
JPE
G
JPE
G20
00
GIF
, TIF
F
Ext
ensi
ble
file
form
at fo
r lo
ssle
ss, p
orta
ble,
wel
l-co
mpr
esse
d st
orag
e of
rast
er
imag
es. P
NG
pro
vide
s a
pate
nt-fr
ee re
plac
emen
t for
G
IF a
nd c
an a
lso
repl
ace
man
y co
mm
on u
ses
of T
IFF.
A.3
Bio
met
rics
Imag
e S
tand
ard
ISO
/IEC
10
918:
1994
JP
EG
Imag
e C
odin
g S
tand
ard—
loss
y co
mpr
essi
on
ISO
and
IEC
JPE
G20
00
GIF
, TIF
F
Gra
phic
s—R
aste
r (Lo
ssy
Com
pres
sion
)—E
xcha
nge
Form
at fo
r Web
, Des
ktop
A
pplic
atio
ns
A.4
Bio
met
rics
Imag
e S
tand
ard
WS
QC
ompr
essi
on
algo
rithm
use
d fo
r gr
ay-s
cale
fing
erpr
int
imag
es
NIS
TJP
EG
2000
, JP
EG
WS
Q fo
r effi
cien
t sto
rage
of
com
pres
sed
finge
rprin
t im
ages
at 5
00 p
ixel
s pe
r in
ch (p
pi).
For f
inge
rprin
ts
reco
rded
at 1
000
ppi,
law
en
forc
emen
t (in
clud
ing
the
FBI)
uses
JP
EG
200
0 in
stea
d of
WS
Q.
(con
tinue
d)
11Draft for Discussion
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
B.1
Bio
met
rics
Dat
a in
ter-
chan
ge—
Face
ISO
/IEC
197
94-
5:20
11 (F
ace
Imag
e)
Bio
met
ric d
ata
inte
r-ch
ange
form
ats
for
Face
imag
e sp
ecifi
es
data
sce
ne, p
hoto
-gr
aphi
c, d
igiti
zatio
n an
d fo
rmat
requ
ire-
men
ts fo
r im
ages
of
face
s to
be
used
in
the
cont
ext o
f bot
h hu
man
ver
ifica
tion
and
com
pute
r aut
o-m
ated
reco
gniti
on
ISO
and
IEC
The
imag
e co
mpr
essi
on
algo
rithm
can
be
in a
ny o
f the
fo
llow
ing:
JP
EG
2000
, PN
G,
JPE
G e
tc.
JPE
G20
00 o
r PN
G o
pen
stan
dard
s ar
e re
com
men
ded
B.2
Bio
met
rics
Dat
a In
ter-
chan
ge—
Fing
erpr
int
ISO
/IEC
197
94-
4:20
11 (F
inge
r pr
int)
Dat
a re
cord
inte
r-ch
ange
form
at fo
r st
orin
g, re
cord
ing,
an
d tra
nsm
ittin
g th
e in
form
atio
n fro
m o
ne
or m
ore
finge
r or
palm
imag
e ar
eas
for e
xcha
nge
or
com
paris
on
ISO
and
IEC
JPE
G20
00, P
NG
, JP
EG
, W
SQ
etc
. for
mat
s al
low
ed
JPE
G20
00 re
com
men
ded
as
it is
ope
n st
anda
rd a
nd a
llow
s fo
r bot
h lo
ssy
and
loss
less
co
mpr
essi
on
B.3
Bio
met
rics
Dat
a In
ter-
chan
ge—
Iris
ISO
/IEC
197
94-
6:20
11 (I
ris)
Iris
imag
e in
ter-
chan
ge fo
rmat
s fo
r bi
omet
ric e
nrol
lmen
t, ve
rific
atio
n an
d id
en-
tific
atio
n sy
stem
ISO
and
IEC
(con
tinue
d)
Con
tinu
ed
12 Draft for Discussion
(con
tinue
d)
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
B.4
Bio
met
rics
Dat
a In
ter-
chan
ge—
Min
utia
e
ISO
/IEC
197
94-
2:20
11 (M
inut
iae)
3 da
ta fo
rmat
s fo
r re
pres
enta
tion
of
finge
rprin
ts u
sing
th
e fu
ndam
enta
l no
tion
of m
inut
iae
for
inte
rcha
nge
and
stor
-ag
e of
this
dat
a: a
) re
cord
-bas
ed fo
rmat
, an
d b)
nor
mal
and
c)
com
pact
form
ats
for u
se o
n a
smar
t ca
rd in
a m
atch
-on-
card
app
licat
ion
ISO
and
IEC
B.5
Bio
met
rics
Dat
a in
ter-
chan
ge—
Sig
natu
re
ISO
/IEC
197
94-
7:20
14 (S
igna
ture
)D
ata
inte
rcha
nge
form
ats
for s
igna
ture
/si
gn b
ehav
iora
l dat
a ca
ptur
ed in
the
form
of
a m
ulti-
dim
en-
sion
al ti
me
serie
s us
ing
devi
ces
such
as
dig
itizi
ng ta
blet
s or
adv
ance
d pe
n sy
stem
s
ISO
and
IEC
C.1
Car
dIS
O/IE
C 7
810
Iden
tific
atio
n C
ards
—P
hysi
cal
Cha
ract
eris
tics
ISO
and
IEC
Pla
stic
car
d w
ithou
t chi
p
C.2
Sm
art C
ard
ISO
/IEC
781
6e-
IDs/
Sm
art C
ards
—C
onta
ct C
ard
Sta
ndar
ds
ISO
and
IEC
C.3
Sm
art C
ard
ISO
/IEC
144
43e-
IDs/
Sm
art C
ards
—
Con
tact
less
Car
d S
tand
ards
ISO
and
IEC
Con
tinu
ed
13Draft for Discussion
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
C.4
Sm
art C
ard
ICA
O 9
303
adop
ted
as IS
O/IE
C 7
501
Sta
ndar
d fo
r M
achi
ne R
eada
ble
Trav
el D
ocum
ents
ICA
O
ISO
and
IEC
C.5
Sm
art C
ard
ISO
/IEC
247
27S
et o
f pro
gram
min
g in
terfa
ces
for i
nter
ac-
tions
bet
wee
n in
te-
grat
ed c
ircui
t car
ds
(ICC
s) a
nd e
xter
nal
appl
icat
ions
ISO
and
IEC
D.1
Bar
Cod
e2
DIS
O/IE
C
1800
4:20
15—
Qui
ck
Res
pons
e (Q
R)
code
QR
Cod
e sy
mbo
logy
ch
arac
teris
tics,
dat
a ch
arac
ter e
ncod
ing
met
hods
, sym
bol
form
ats,
dim
ensi
onal
ch
arac
teris
tics,
err
or
corr
ectio
n ru
les,
re
fere
nce
deco
ding
al
gorit
hm, p
rodu
ctio
n qu
ality
requ
irem
ents
, an
d us
er-s
elec
t-ab
le a
pplic
atio
n pa
ram
eter
s
ISO
and
IEC
Dat
a M
atrix
, PD
F417
A ba
rcod
e is
a m
achi
ne-r
ead-
able
opt
ical
labe
l tha
t con
-ta
ins
info
rmat
ion
abou
t the
ite
m to
whi
ch it
is a
ttach
ed
D.2
Bar
Cod
e2
DIS
O/IE
C 1
5438
: 20
15—
PD
F417
Req
uire
men
ts fo
r the
ba
r cod
e sy
mbo
logy
ch
arac
teris
tics,
dat
a ch
arac
ter e
ncod
a-tio
n, s
ymbo
l for
mat
s,
dim
ensi
ons,
err
or
corr
ectio
n ru
les,
re
fere
nce
deco
d-in
g al
gorit
hm, a
nd
man
y ap
plic
atio
n pa
ram
eter
s.
ISO
and
IEC
Dat
a M
atrix
QR
cod
e
PD
F417
is a
sta
cked
bar
code
th
at c
an b
e re
ad w
ith a
sim
-pl
e lin
ear s
can
bein
g sw
ept
over
the
sym
bol.
4 tim
es le
ss
capa
city
than
QR
cod
e.
Con
tinu
ed
(con
tinue
d)
14 Draft for Discussion
(con
tinue
d)
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
E.1
Dig
ital S
ig-
natu
res/
cryp
togr
aphy
Dig
ital
Sig
natu
re
Sta
ndar
d
FIP
S 1
86-4
DS
S
This
Sta
ndar
d de
fines
met
hods
fo
r dig
ital s
igna
ture
ge
nera
tion
that
can
be
use
d fo
r the
pro
-te
ctio
n of
bin
ary
data
(c
omm
only
cal
led
a m
essa
ge),
and
for
the
verif
icat
ion
and
valid
atio
n of
thos
e di
gita
l sig
natu
res
NIS
T
E.2
Dig
ital S
ig-
natu
res/
cryp
togr
aphy
Dig
ital
Sig
natu
re
Alg
orith
m
RFC
344
7 R
SA
(PK
CS
#1)
The
use
of th
e R
SA
algo
rithm
for d
igita
l si
gnat
ure
gene
ratio
n an
d ve
rific
atio
n
IETF
Inte
rnet
S
ocie
tyP
KC
S #
1 pu
blis
hed
by R
SA
labo
rato
ries—
repu
blis
hed
as
RFC
for i
nter
net c
omm
unity
E.3
Dig
ital S
ig-
natu
res/
cryp
togr
aphy
Sec
ure
Has
h S
tand
ard
SH
S (F
IPS
PU
B
180-
4)Th
is S
tand
ard
spec
i-fie
s se
cure
has
h al
gorit
hms—
SH
A-1
, S
HA
-224
, SH
A-2
56,
SH
A-3
84, S
HA
-512
, S
HA
-512
/224
and
S
HA
-512
/256
NIS
T
E.4
Dig
ital S
ig-
natu
res/
cryp
togr
aphy
Sec
urity
FIP
S 1
40-2
Sec
urity
Req
uire
-m
ents
for C
rypt
o-gr
aphi
c M
odul
es
NIS
T
Con
tinu
ed
15Draft for Discussion
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
E.5
Dig
ital S
ig-
natu
res/
cryp
togr
aphy
Pub
lic K
ey
Infra
stru
c-tu
re
ITU
-T X
.509
| IS
O/
IEC
959
4-8
The
publ
ic-k
ey
certi
ficat
e fra
mew
ork
defin
ed in
this
Rec
-om
men
datio
n | I
nter
-na
tiona
l Sta
ndar
d sp
ecifi
es th
e in
form
a-tio
n ob
ject
s an
d da
ta
type
s fo
r a p
ublic
-key
in
frast
ruct
ure
(PK
I),
incl
udin
g pu
blic
-key
ce
rtific
ates
, cer
tifi-
cate
revo
catio
n lis
ts
(CR
Ls),
trust
bro
ker
and
auth
oriz
atio
n an
d va
lidat
ion
lists
(A
VLs
)
ITU
-T, I
SO
an
d IE
C
E.6
Dig
ital S
ig-
natu
res/
cryp
togr
aphy
XM
L A
dvan
ced
Ele
ctro
nic
Sig
natu
res
XA
dES
W3C
Whi
le X
ML-
DS
ig is
a
gene
ral f
ram
ewor
k fo
r dig
itally
sig
ning
do
cum
ents
, XA
dES
sp
ecifi
es p
reci
se
prof
iles
of X
ML-
DS
ig
mak
ing
it co
mpl
iant
w
ith th
e E
urop
ean
eID
AS
regu
latio
n
W3C
Est
onia
Dig
ital I
D fo
llow
s th
is
stan
dard
Con
tinu
ed
(con
tinue
d)
16 Draft for Discussion
(con
tinue
d)
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
F.1
Fede
ratio
n P
roto
col
SA
ML
v2—
2005
Sec
urity
Ass
ertio
n M
arku
p La
ngua
ge
(SA
ML)
def
ines
an
XM
L ba
sed
fram
e-w
ork
for c
omm
u-ni
catin
g se
curit
y an
d id
entit
y (e
.g.,
auth
entic
atio
n,
entit
lem
ents
, and
at
tribu
te) i
nfor
mat
ion
betw
een
com
putin
g en
titie
s. S
AM
L pr
o-m
otes
inte
rope
rabi
lity
betw
een
disp
arat
e se
curit
y sy
stem
s,
prov
idin
g th
e fra
me-
wor
k fo
r sec
ure
e-bu
sine
ss tr
ansa
c-tio
ns a
cros
s co
m-
pany
bou
ndar
ies.
OA
SIS
Ope
n ID
con
nect
and
O
Aut
h
F.2
Fede
ratio
n P
roto
col
RFC
674
9/
OA
UTH
2O
Aut
h 2.
0 is
the
indu
stry
-sta
ndar
d pr
otoc
ol fo
r aut
ho-
rizat
ion
prov
idin
g sp
ecifi
c au
thor
iza-
tion
flow
s fo
r web
ap
plic
atio
ns, d
eskt
op
appl
icat
ions
, mob
ile
phon
es, a
nd li
ving
ro
om d
evic
es
IETF
SA
ML
Mob
ile C
onne
ct s
olut
ion
prov
idin
g pa
ssw
ord
less
au
then
ticat
ion
tied
to th
e m
obile
pho
ne o
f the
use
r is
base
d on
the
Ope
nID
Con
-ne
ct &
OA
uth2
Con
tinu
ed
17Draft for Discussion
S.N
O
INTE
R-
OP
ER
AB
ILIT
Y A
RE
AS
UB
AR
EA
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
D
ES
CR
IPTI
ON
S
TAN
DA
RD
S
BO
DY
OTH
ER
CO
MP
ETI
NG
S
TAN
DA
RD
S
(IF A
NY
)C
OM
ME
NTS
F.3
Fede
ratio
n P
roto
col
Ope
n ID
con
nect
Ope
nID
Con
nect
1.0
is
a s
impl
e id
entit
y la
yer o
n to
p of
the
OA
uth
2.0
prot
ocol
. It
allo
ws
Clie
nts
to
verif
y th
e id
entit
y of
th
e E
nd-U
ser b
ased
on
the
auth
entic
a-tio
n pe
rform
ed b
y an
Aut
horiz
atio
n S
erve
r, as
wel
l as
to
obta
in b
asic
pro
file
info
rmat
ion
abou
t th
e E
nd-U
ser i
n an
in
tero
pera
ble
and
Web
Ser
vice
s-lik
e m
anne
r.
The
Ope
nID
Fo
unda
tion
SA
ML
Mob
ile C
onne
ct s
olut
ion
prov
idin
g pa
ssw
ord
less
au
then
ticat
ion
tied
to th
e m
obile
pho
ne o
f the
use
r is
base
d on
the
Ope
nID
Con
-ne
ct &
OA
uth2
Con
tinu
ed
18 Draft for Discussion
Tech
nica
l Sta
ndar
ds fo
r Rob
ust I
dent
ity S
yste
ms
S. N
O
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
DE
SC
RIP
TIO
N
STA
ND
AR
DS
BO
DY
CO
MM
EN
TS1
ISO
/IEC
297
94 S
erie
sB
iom
etric
Sam
ple
Qua
lity—
M
atch
ing
Per
form
ance
ISO
and
IEC
Qua
lity
2IS
O/IE
C 2
9100
Priv
acy
fram
ewor
kIS
O a
nd IE
CIS
O/IE
C 2
9100
pro
vide
s a
priv
acy
fram
ewor
k w
hich
:
• sp
ecifi
es a
com
mon
priv
acy
term
inol
ogy;
• de
fines
the
acto
rs a
nd th
eir r
oles
in p
roce
ssin
g pe
r-so
nally
iden
tifia
ble
info
rmat
ion
(PII)
;
• de
scrib
es p
rivac
y sa
fegu
ardi
ng c
onsi
dera
tions
; and
• pr
ovid
es re
fere
nces
to k
now
n pr
ivac
y pr
inci
ples
fo
r IT
3IS
O/IE
C 2
7018
Cod
e of
pra
ctic
e fo
r PII
prot
ec-
tion
in p
ublic
clo
uds
actin
g as
P
II pr
oces
sors
ISO
and
IEC
ISO
/IEC
270
18 e
stab
lishe
s co
mm
only
acc
epte
d co
ntro
l ob
ject
ives
, con
trols
and
gui
delin
es fo
r im
plem
entin
g m
easu
res
to p
rote
ct P
erso
nally
Iden
tifia
ble
Info
rmat
ion
(PII)
in a
ccor
danc
e w
ith th
e pr
ivac
y pr
inci
ples
in IS
O/IE
C
2910
0 fo
r the
pub
lic c
loud
com
putin
g en
viro
nmen
t4
ISO
/IEC
291
90P
rivac
y ca
pabi
lity
asse
ssm
ent
mod
elIS
O a
nd IE
CIS
O/IE
C 2
9190
:201
5 pr
ovid
es o
rgan
izat
ions
with
hig
h-le
vel g
uida
nce
abou
t how
to a
sses
s th
eir c
apab
ility
to
man
age
priv
acy-
rela
ted
proc
esse
s5
ISO
/IEC
291
46A
fram
ewor
k fo
r acc
ess
man
agem
ent
ISO
and
IEC
ISO
/IEC
291
46 d
efin
es a
nd e
stab
lishe
s a
fram
ewor
k fo
r ac
cess
man
agem
ent (
AM
) and
the
secu
re m
anag
emen
t of
the
proc
ess
to a
cces
s in
form
atio
n an
d In
form
atio
n an
d C
omm
unic
atio
ns T
echn
olog
ies
(ICT)
reso
urce
s, a
ssoc
i-at
ed w
ith th
e ac
coun
tabi
lity
of a
sub
ject
with
in s
ome
cont
ext
6IS
O/IE
C 2
9134
Priv
acy
impa
ct
asse
ssm
ent—
Gui
delin
esIS
O a
nd IE
CIS
O/IE
C 2
9134
:201
7 gi
ves
guid
elin
es fo
r a p
roce
ss o
n pr
ivac
y im
pact
ass
essm
ents
, and
a s
truct
ure
and
cont
ent
of a
PIA
repo
rt7
ISO
/IEC
291
84G
uide
lines
for o
nlin
e pr
ivac
y no
tice
and
cons
ent
ISO
and
IEC
Und
er d
evel
opm
ent
(con
tinue
d)
19Draft for Discussion
S. N
O
STA
ND
AR
D
SP
EC
IFIC
ATIO
N/
(CO
MM
ON
NA
ME
)S
TAN
DA
RD
DE
SC
RIP
TIO
N
STA
ND
AR
DS
BO
DY
CO
MM
EN
TS8
ISO
/IEC
247
61A
uthe
ntic
atio
n
Con
text
for B
iom
etric
sIS
O a
nd IE
CR
emot
e si
te b
iom
etric
s au
then
ticat
ion
9IS
O/IE
C 2
4760
Ser
ies
Fram
ewor
k fo
r Man
agem
ent o
f Id
entit
y In
form
atio
nIS
O a
nd IE
CP
rote
ctin
g P
rivac
y &
Sec
urity
—fu
rther
dis
cuss
ion
need
ed
on u
se o
f thi
s st
anda
rd
10IS
O/IE
C 2
9109
Ser
ies
Test
ing
Met
hodo
logy
for B
iom
et-
ric D
ata
Inte
rcha
nge
ISO
and
IEC
11IS
O/IE
C 2
4745
Sec
urity
Tec
hniq
ues—
B
iom
etric
Info
rmat
ion
Pro
tect
ion
ISO
and
IEC
Con
tinu
ed
Sour
ce: h
ttps
://rm
coe
int/
wor
k-an
d-pr
ojec
ts-i
n-is
o-ie
c-jt
c-1-
sc-2
7-w
g-5-
iden
tity
-man
agem
ent-
priv
/16
80
73ff
03
WG
5 Id
enti
ty M
anag
emen
t & P
rivac
y Te
chno
logi
es P
rivac
y/PI
I sta
ndar
ds in
SC
27/W
G 5
and
els
ewhe
re
20 Draft for Discussion
5.4 fRaMeWoRks
ISO/IEC 29115 and eIDAS provide assurance levels framework for identity systems. Ideally the National Identity system should conform to the highest level. Further discussion on this would facilitate preparation of guidelines on options for implementation of Identity systems of the highest assurance levels. Also, guidelines on the dif-ferent options with their strengths and weaknesses with some example scenarios would help in selecting the appropriate identity system and relevant technical standards.
STANDARD NAME
STANDARD DESCRIPTION
STANDARD BODY COMMENTS
ISO/IEC 29115 Entity Authentica-tion Assurance Framework
ISO and IEC Sets out four levels of assurances for scalable iden-tity management and authentication services
FIDO UAF Universal Authentication framework
FIDO alliance Password less authentication experience
eIDAS Electronic identi-fication and trust services
European Union regulation
Regulation for Identification and trust services for the European union—framework for interoperability of EU identity systems
5.4.1 Levels of Assurance
When a person identifies or authenticates herself using one or multiple identity attributes, the degree of confi-dence that she is who she claims to be depends on the degree of security assurance provided and the context in which the information is captured, referred to as the level of assurance (LOA). Assurance levels depend on the strength of the identification and authentication processes, and are critical to access control and reducing identity theft. The higher the LOA, the lower is the risk that service providers will rely on a compromised credential during a transaction. For “identity proofing,” the LOA is dependent on the method of identification, including the scope of personal information and attributes collected about an individual during enrollment, and the degree of certainty with which these attributes are ascertained (i.e., have been validated). For example, if personal data are collected during enrollment but not de-duplicated or checked against existing databases for veracity, this would constitute a low LOA because there is no validation of the identity information.
ISO/IEC 29115 provides a framework for entity authentication assurance. Assurance within this Recommenda-tion | International Standard refers to the confidence placed in all the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication transactions. This framework also identifies three phases enrollment, credentialing and authentication phases mapping to the three key activities listed in Identity Lifecycle. It also lists the organizational and management activities which map with Governance phase of Identity and addresses requirements of federation and role of assurance framework in the same without listing it as a separate process.
21Draft for Discussion
ISO 29115 sets out four levels of assurances for scalable identity management and authentication services. These levels are shown in Figure 2, along with corresponding definitions from the European Union’s eIDAS framework, and range from weak authentication protocols with extremely high security risk levels, to strong authentication protocols with minimal risk levels. The level of risk is based not only on the credentials and pro-cesses used for authentication, but also on the robustness of identity proofing during the registration phase. Depending on the type of application, countries may implement a variety of authentication protocols to meet the standards necessary for the use case.
FIGURE 2 ISO and eIDAS Authentication Levels
elDASdefinition
HIGH/SUBSTANTIAL+
SUBSTANTIAL/LOW+
LEVEL 4
LEVEL 3 LEVEL 3
In-personregistration with
verification
Presentation ofIdentity
Information
No IdentityProofing
MinimalMinimalLowMitigatedExtremely high
Verification of Identity Information
Very StrongAuthentication
StrongAuthentication • SIM Applet
with PKI• Smartphone
App in TEEwith PKI
• PKI eID (PIN)• PKI ID (PIN +
SE) (SIM/eSE)• Biometrics
• USSD• SIM Applet• Smartphone
App• Token OTP +
pw• Biometrics
LEVEL 2
LOW
LEVEL 1
Out ofScope
SecureAuthentication
• Seamless• SMS + URL• USSD• SIM Applet• Smartphone
App• Token or OTP
WeakAuthentication
Legacy password
StrongAuthentication
• SIM Applet• Smartphone
App in TEE• Token OTP
(PIN + certifiedTEE or SE)
• Biometrics
ISO 29115 levels
Authentication/electronic ID
Identity proofingduring registration
Risk level
Source: World Bank, 2016
22 Draft for Discussion
6. COUNTRY USE CASES Depending on the country-specific environment, which standards should be adopted and which should be ignored? The answer depends on the objectives, scope, and proposed use for the identity system. Examples of India, Pakistan, Peru, and Estonia are briefly discussed in Boxes 6.1, 6.2, 6.3 and 6.4 to illustrate the choice of relevant standards by respective national governments to meet their requirements. When designing an identi-fication system, however, a priority always to ensure that the choice of technologies and related standards are following existing regulatory frameworks within a country.
Three standards are vital for any legal identification system that involves biometrics: the ISO 19794, 29794 and 29109 series. The ISO 19794 series defines biometric interchange format for various types of biometric data (face image, fingerprint, iris), the ISO/IEC 29794 series refers to biometric quality, and the ISO 29109 series concerns conformance testing that could cover inter alia, testing, surveillance, inspection, audit, certification and accreditation.
ISO 19794 is crucial for cryptographic protection in interchange environments as biometric data are sensi-tive to cyber-attack or identity-theft. Since ID systems are tested rigorously before and after deployment, the use of the ISO 19794 series coupled with ISO/IEC the 29109 series becomes important because the latter describes and specifies conformance-testing methodology for biometric data interchange formats defined in ISO/IEC 19794. It also specifies elements of test assertions and test procedures as applicable to the biometric data interchange format standard.
Box 6.1: aadhaaR identity systeM of india—BioMetRic Based
The Unique Identification Authority of India (UIDAI) has issued a unique ID number, known as Aadhaar, to more than 1 billion residents. Photograph, fingerprints and irises of each resident are captured before issuing an Aadhaar. It is the world’s largest multimodal biometric database, and more than 93 percent of Indians now have a digital identity as a result of this system. UIDAI set up a Biometric Standards Commit-tee in 2009 to provide direction on biometric standards, suggest best practices, and recommend biometric procedures for the system. The committee recommended ISO/IEC 19794 Series (parts 1, 2, 4, 5, 6) and ISO/IEC 19785 for biometric data interchange formats and a common biometric exchange framework to ensure interoperability. ISO/IEC 15444 (all parts) was selected as a coding system (JPEG 2000 image) for both photo, fingerprint and iris image. Additionally, UIDAI uses open source software as a principle, which have also been used successfully in the United States and Europe. An important security standard, ISO 24745, which provides guidance for the protection of biometric information for confidentiality and integrity during storage or managing identities, was not implemented due to the complexity of applicable compliance procedures. UIDAI had also come up with standards (demographic standards committee) for the data standards for the identity attributes captured during registration and subsequently used for demographic authentication. Aadhaar system also makes extensive use of PKI/HSM for encryption of data during transmission and storage and for protecting access to API.
Aadhaar Authentication can be performed in one or more of the following modes with yes/no responses:
• Demographic authentication.
• Biometric authentication
• One-time PIN mobile based authentication
• Multifactor authentication is a combination of two or three factors listed above
Source: UIDAI Website & Biometrics Standard Committee Recommendations 2009.
23Draft for Discussion
Any system that uses biometric enrollment and/or authentication is advised to consider these biometric stan-dards. However, for countries that issue biometric-based unique identity numbers without ID cards (e.g., India, see Box 6.1), the standards for creating and managing biometric-based identities are of primary concern.
Smart Cards Related Standards
For countries that issue a tangible credential such as a physical eID card, standards such as ISO-7810 to ISO-7813 also become relevant to ensure interoperability and interconnectivity. For contact cards, where the chip is embossed on the card, the ISO/IEC 7816 standard is followed globally; for contactless cards, where the chip is embedded inside the card, the ISO/IEC 14443 standard is followed.
For cards that can also be used as electronic travel documents—including eID cards, passports, drivers’ licenses, or any other machine-readable travel documents (MRTDs) used for crossing borders—then compliance with ICAO 9303 should be followed. In addition, ICAO is developing an international framework of standards for MRTDs as part of their strategy, known as the Travelers Identification Program (TRIP) Strategy, which includes interoperable application standards. For travel ID cards used by seafarers, the guidelines issued by the Interna-tional Labor Organization (ILO) become relevant.
Box 6.2: sMaRt eid in pakistan—BioMetRics and sMaRt caRd
Pakistan’s National Database and Registration Authority (NADRA) has issued over 121 million ID cards and hence registered 98 percent of its adult citizens over the age of 18. Over the years, Pakistan’s ID card has evolved into a smart eID that contains multi-biometric features to meet the challenges of a digitally connected world. NADRA is now one of the world’s leading suppliers of eID services. It also designed its cards to meet the needs of its citizens living outside the country. As a result, its smart eID, known as the National Identity Card for Overseas Pakistanis (NICOP), complies with ICAO standard 9303 part 3 vol. 1 and is also ISO 7816-4 compliant. An ICAO compliant smart NICOP can be accepted as a form of digital ID in all international airports and at points of entry and departure. NADRA also uses open source as a guideline/principle for application development. Demographic data is used along with biometric data to improve the deduplication process. NADRA Quality Management and ID Card Production departments are also ISO 9001:2000 certified.
Source: Author’s Analysis.
Box 6.3: eid With digitaL ceRtificate in peRu
Peru’s National Electronic ID Card (DNIe), issued by the National Registry of Identification and Civil Status (RENIEC), was considered to be the best ID card in Latin America during the 2015 High Security Printing Latin American Conference in Lima. RENIEC, an autonomous entity with functions including civil registra-tion, identification, and digital signatures, has issued 30 million eIDs covering almost the entire population of the country. The DNIe provides Peruvian citizens with a digital identity, which can be authenticated physi-cally and virtually. The DNIe includes two digital certificates, which allows the cardholder to sign electronic documents with the same probative value as a handwritten signature. Peru’s eID complies with the ISO/IEC-7816 standard and its biometrics system follows ISO/IEC 19794. Because the card is also used as a machine-readable travel document (MRTD), it also complies with ICAO 9303.
Source: Interview with RENIEC official.
24 Draft for Discussion
If a Smart card such as an eID is intended to be used as a bank card, then EMV standards6 also become appli-cable. ISO 8583 defines the physical characteristics such as magnetic strip on the card if it is intended to be used as payment card. In countries where drivers’ licenses are the primary identity document used to confirm identity, the drivers’ license standard known as ISO 18103 is followed. As more functionality is added to an eID card, conforming with all relevant standards may become a complex or difficult task. For example, if an ID-card that is used as payment card and an ICAO compliant travel document as well, it may be cumbersome to fit a magnetic strip and ICAO machine readable zone on the card, in addition to a financial institution logo and details necessary for recognition as a valid payment instrument.
Box 6.4: id-kaaRt in estonia—sMaRt caRd and MoBiLe id
Estonia has the most highly developed national ID card system in the world (Williams-Grut 2016). It has issued 1.3 million of its smart ID-Kaarts, each with a unique identifier that allows citizens to access over 1,000 public services, such as health care, online tax filing, and online voting. Estonia is now one of the most digitally advanced nations in the world with regard to public services. It wants to become a “country as a service,” where secure digital identity plays a central role. Key identifying data such as signatures are stored in the system alongside a unique number, used by citizens as a unique identifier to sign documents online and verify online identity. The ID-Kaart has advanced electronic functions that facilitate secure authentication and legally binding digital signatures that may be used for nationwide online services. The e-ID infrastructure is scalable, flexible, interoperable, and standards-based. All certificates issued in asso-ciation with the ID card scheme are qualified certificates conforming with European Directive 1999/93/EC on the use of electronic signatures in electronic contracts within the European Union (EU). The card complies with the ICAO 9303 travel document standard.
The ID-Kaart is a secure credential for accessing public services. To sign a document digitally, a communi-cation model using standardized workflows in the form of a common document format (DigiDoc) has been employed. DigiDoc is based on XML Advanced Electronic Signatures Standard (XAdes), which is a profile of that standard. XAdes defines a format that enables structurally storing data signatures and security attri-butes associated with digital signatures and hence caters for common understanding and interoperability.
Source: e-Estonia.com and the paper titled ‘The Estonian ID Card and Digital Signature Concept’ Ver 20030307.
25Draft for Discussion
7. CONSIDERATIONS WHILE ADOPTING STANDARDS FOR IDENTITY SYSTEMSThe preceding sections highlight relevant standards that have been used for leading digital identification systems in a number of countries. These pioneering countries have spent considerable effort in studying and adopting standards to benchmark and test technology before deploying it, which underscores the value of adopting and implementing specific standards. There are also some lessons to be learnt from other countries which missed adopting standards leading to issues relating to interoperability, robustness and vendor lock-in. As various coun-tries embark on implementation of the digital identification systems for sustainable it would be prudent to identify and advocate a set of minimum technical standards for common good and enable development of robust interop-erable identity systems which are not plagued by vendor lock in
In addition, it underscores the need to review new solutions developed by industry consortia, such as Mobile Con-nect,7 and new regulations such as eIDAS,8 which are in the developmental stage and may become standards in near future as more countries adopt them. It is important to benchmark new standards before large-scale imple-mentation to see if these may compromise or hinder scalability, connectivity, interoperability, and compatibility.
Any forthcoming strategy on developing minimum standards for digital identity systems should address the fol-lowing issues and challenges:
a. Protecting Biometrics from Security Breaches
Digital biometric identification is fast becoming a standard tool to uniquely enroll a population, particularly given the diminishing costs of the technology. Heavy reliance on biometrics poses a challenge in protecting the per-sonal data of citizens, particularly where security infrastructure, technological capacity, and legal protections are weak. Unlike other forms of credentials (passwords and PINs, which can be replaced), breach of biometric data is costly and the consequences may be severe in the case of a hostile attack or hacking. This requires adoption and implementation of relevant security standards and a strong legal framework for privacy and data protection.
b. Single or Multimodal Systems
The choice between using a single or multiple biometric identifiers (fingerprints, iris, face, etc.) may require dif-ferent standards, and depends on many factors (for example, IT infrastructure cost, and cultural considerations). Multimodal systems have become increasingly popular because they produce more accurate results, as multiple unique attributes are authenticated instead of reliance on a single attribute. They also enable help in deduplica-tion of identities with greater accuracy. This is advantageous in terms of ensuring inclusiveness,9 which is an important consideration for the development agenda. In low- and middle-income countries, for example, the fingerprints of people involved in manual labor can become worn out and unreadable. The face is the most com-monly captured biometric, and is widely used in manual visual verification.
The biggest driver in selecting between a single or multimodal system is accuracy, driven by population size as well as demographic characteristics. In addition, the complexity of various operating systems and technologies in multimodal systems could pose operational challenges. If it becomes cost prohibitive to implement a multimodal system and a country is inclined to implement only part of a complete biometrics system, the risk of biometric failure must be identified and backup procedures for identity authentication (such as validation checks, built-in registration software, or manual examination of authenticity of breeder documents) should be defined.
c. Lack of Biometric Device Standards
The identity lifecycle can only work seamlessly when all IT systems and devices are integrated. Vendor lock-in risks must be mitigated by thoroughly examining previous records of similar implementations. As relevant ISO standards are mainly focused on interchange standards, quality standards and testing methodology standards
26 Draft for Discussion
(see Section 5.3), there is a lack of standards or certifications regarding devices that read or authenticate biomet-ric information and countries should rely on best practices offered by industry consortia.
d. Modernizing Legacy Identification Systems
Prior to the widespread use of digital biometric technology and databases, some countries had well-established paper-based civil registration systems and national ID systems that relied on collecting limited biometrics (com-monly a single fingerprint), that may or may not have been digital. Many countries enhanced these systems by switching to digital capture of biometrics and adding additional attributes (e.g., iris, digital photo). This transition requires standardizing biographic and identity resolution on both biographic and biometric data. Modernizing these systems by incorporating digital biometric technology may also necessitate changes to legal frameworks to modify registration procedures, and upgrading technology and technical skills of staff. These efforts would require adoption and implementation of standards that take into consideration multiple modalities, methodologies and sources for biometrics as well as the management of biographic data.
e. Cost Effectiveness
Digital identification systems are technology based, and new technologies are evolving at an exponential rate. The development of new technologies and equipment may render old technologies obsolete, requiring frequent upgrades that may be costly. For low-income countries, compliance with all proprietary standards may be chal-lenging from a cost perspective, hence the use of open standards is generally recommended. Meeting minimum ISO standards regarding the identity lifecycle for specific applications may be considered in terms of cost effec-tiveness, as these standards prevent countries from costly corrective actions or revamping identification system. For example, if a country rolls out an ID card which is not ICAO compliant and in future the same is used as travel card, it has to incur unnecessary additional costs to reissue ICAO-compliant cards hence.
f. Interoperability and Interconnectivity
As specified in the European interoperability framework for pan-European eGovernment services document (http://ec.europa.eu/idabc/servlets/Docd552.pdf?id=19529), three aspects of interoperability need to be considered:
• Organisational Interoperability
This aspect of interoperability is concerned with defining business goals, modelling business pro-cesses and bringing about the collaboration of administrations that wish to exchange information and may have different internal structures and processes. Moreover, organizational interoperability aims at addressing the requirements of the user community by making services available, easily identifiable, accessible and user-oriented. Example of an activity with reference to digital ID interoperability across organizations/countries would be to map the identity lifecycle processes of that organization with the ISO Authentication assurance framework levels.
• Semantic Interoperability
This aspect of interoperability is concerned with ensuring that the precise meaning of exchanged information is understandable by any other application that was not initially developed for this pur-pose. Semantic interoperability enables systems to combine received information with other infor-mation resources and to process it in a meaningful manner. Semantic interoperability is therefore a prerequisite for the front-end multilingual delivery of services to the user.
Example for digital identity system: Defining the data formats and metadata for identity attributes like name and date of birth would be important to achieve this objective. The format of capturing name and the data type and maximum length of this field is important to ensure correct interpretation and prevent loss of information (length of name, order of specifying the first name, middle name,) format of date—date of birth (mm/dd/yyyy) or dd/mm/yy etc. needs to be agreed upon to ensure correct and complete information/data exchange. For the Aadhaar project in India these standards were defined
27Draft for Discussion
in the demographic standard document to enable interoperability of identity data with other systems. This system is being extensively used to provide the Know your Customer (KYC) service based on these standards ensuring data field definition compatibility across various IT systems/applications.
• Technical Interoperability
This aspect of interoperability covers the technical issues of linking computer systems and services. It includes key aspects such as open interfaces, interconnection services, data integration and middle-ware, data presentation and exchange, accessibility and security. Example for digital identity system: Identification of standards for biometrics (fingerprints, face image and iris), digital signature standards, federation protocols
Developing a set of minimum relevant standards for these three layers will therefore help to ensure that identification systems are sufficiently robust and interoperable
g. Foundational Legal Identification Systems
Identity systems developed with the general purpose of identifying individuals and providing proof of ID—may require linking with other functional systems for the provision of services. IT devices from different vendors with varying architectures and operating systems pose interoperability challenges. The development of new technolo-gies also poses challenges regarding interconnectivity. A question arises: should a system be integrated with a central data warehouse, or should a distributed model be implemented? In addition, there is a concern that dif-ferent biometric devices have their own inherent standards that may result in interconnectivity issues. In addition, multimodal systems create complexity as well, since different vendors offer different biometric solutions. ISO standards should be adopted to ensure interoperability and avoid vendor lock-in.
h. Privacy and Security
It is important to build privacy and security into the architecture of a digital ID system. Privacy challenges arise because the various authorities, agencies, and governmental departments requiring and authenticating identities for service provision and administration may have access to citizens’ personal information. Similarly, the systems need to be guarded so that citizens’ information is secure and protected. In consequence, privacy- and security-related standards are of central importance.
i. New Standards Compliance
Compliance with new standards may be challenging for the countries who have already registered large popula-tions. With so many competing requirements for identification systems, choosing which standard to implement and which one to relax (for example, to take cultural considerations into account10) becomes challenging. For countries that have already collected biometric attributes of large populations, it would be challenging to go back and update their data to implement a new standard without recalling all the individuals for re-enrollment. In India, for example, the ISO 24745 security standard—which provides guidance for the protection of biometric informa-tion for confidentiality and integrity during storage or managing identities—was not implemented in the rollout of the Aadhaar project due to the complexity of applicable compliance procedures. Although a security standard to ensure the privacy of individuals became available in 2011, when millions had already registered, it would be dif-ficult to implement retroactively in such a large-scale implementation. Hence, compliance with standards should follow a functional or outcome-based approach.
28 Draft for Discussion
j. Role of Development Partners
Many countries need technical and financial support to implement standards, including support for infrastructure and training. This includes countries that are upgrading legacy identification systems, as well as those building entirely new systems. In addition, development partners can play a role in thought leadership and advocacy for adopting a standards approach to identification systems. This will require a communications strategy to appraise stakeholders on how market driven standards can encourage (a) business growth, (b) public private partner-ships, and (c) the inclusiveness of individuals to achieve development benefits at a local level.
An international effort to promote standards will require global coordination and partnership between a variety of actors. Such partnerships should also reach beyond the digital identity sector to include agencies such as the United Nations that work on CRVS, as the standards used for these documents have important implications for identity proofing in digital identity systems.
8. THE WAY FORWARDStandards are key to unlocking the value of digital identity for development and supporting an interoperable, scal-able, secure, and efficient digital identity platform for service delivery. Without standards, cross-functional sys-tems inter-operability will be difficult to achieve. With so many standards on the horizon, choosing which to adopt is a key issue. It has been observed that because most of the standard bodies involved in developing biometric enrollment, authentication, issuance and management of identity contribute to the Technical Committees and Working Groups of ISO, its standards are widely accepted. However, the precise choice of relevant standards depends on the purpose, scope, and function of the national identification system.
A strategic approach to developing a set of global minimum standards should translate into an actionable frame-work for country governments and their partners. To achieve this, the following next steps are recommended as a potential way forward:
1. Conduct an in-depth analysis of the standards identified in this document to see if a minimum universal set can be recommended.
2. Provide guidelines and options for implementing a high assurance identity system and applicable stan-dards for the option.
3. Identify standards to advocate for on a continuous basis. Provide thought leadership on promoting a common terminology and framework for standards.
4. Support standards development efforts at the international, regional, national, and country levels, in cooperation with a variety of stakeholders, including key international organizations and public-sector partners.
5. Support technical human resource development efforts at the country level to adopt or implement rel-evant standards.
6. Develop Data Standards and Process standards for semantic and organizational interoperability to achieve a truly interoperable system as described in the Government interoperability framework of vari-ous countries.
29Draft for Discussion
BIBLIOGRAPHYAshiq, J. A. The eIDAS Agenda: Innovation, Interoperability and Transparency. Cryptomathic, Retrieved 18
March 2016.
ENISA. Mobile ID Management. European Network and Information Security Agency, Accessed on April 11, 2016.
Europa.eu. Regulations, Directives and Other Acts. The European Union, Retrieved 18 March 2016.
Fumy, Walter, and Manfred Paeschke. Handbook of eID Security: Concepts, Practical Experiences, Technolo-gies. John Wiley & Sons, Dec. 13, 2010.
Gelb, Alan, and Julia Clark. Identification for Development: The Biometrics Revolution. Working Paper, Washing-ton, DC: Center for Global Development, 2013.
Gomes de Andrade, Norberto Nuno, Shara Monteleone, and Aaron Martin. Electronic Identity in Europe: Legal Challenges and Future Perspectives (eID 2020). Joint Research Centre, European Commission, 2013.
GSMA and SIA. Mobile Identity—Unlocking the Potential of the Digital Economy. Groupe Spéciale Mobile Asso-ciation (GSMA) and Secure Identity Alliance, Oct. 2014.
IEEE. What Are Standards? Why Are They Important? IEEE, 2011. http://standardsinsight.com/ieee_company_detail/what-are-standards-why-are-they-important.
ITU. Biometrics and Standards. Telecommunication Standardization Sector, International Telecommunication Union, Accessed on April 11, 2016.
ITU. Biometric Standards: ITU-T Technology Watch Report. International Telecommunications Union, Dec. 2009.
PIRA. The Future of Personal ID to 2019. Smithers PIRA International, 06 June 2014.
“Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive.” 1999/93/EC.
Turner, Dawn M. eIDAS from Directive to Regulation—Legal Aspects. Cryptomathic, Retrieved 18 March 2016.
Turner, Dawn M. Understanding Major Terms Around Digital Signatures. Cryptomathic, Retrieved 18 March 2016.
van Zijp, Jacques. Is the EU Ready for eIDAS? Secure Identity Alliance, Retrieved 18 March 2016.
Williams-Grut, Oscar. “Estonia wants to become a ‘country as a service’.” Business Insider, 2016.
World Bank. Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation. Washington, DC: World Bank Group, 2016.
30 Draft for Discussion
APP
ENDI
X A
ISO
/IEC
JTC
SUBC
OM
MIT
TEE,
WO
RK
ING
GRO
UPS
AN
D TH
EIR
MA
NDA
TE
SU
BC
OM
MIT
TEE
S/
WO
RK
ING
GR
OU
PS
CO
PE
DE
SC
RIP
TIO
N
ISO
/IEC
JTC
1/S
C 3
7 B
iom
etric
sS
tand
ardi
zatio
n of
gen
eric
bio
met
ric te
chno
logi
es p
erta
inin
g to
hum
an
bein
gs to
sup
port
inte
rope
rabi
lity
and
data
inte
rcha
nge
amon
g ap
plic
a-tio
ns a
nd s
yste
ms
Com
mon
file
fram
ewor
ks, B
iom
etric
ap
plic
atio
n pr
ogra
mm
ing
inte
rface
s (B
AP
I), B
iom
etric
dat
a in
terc
hang
e fo
r-m
ats,
Rel
ated
bio
met
ric p
rofil
es, A
ppli-
catio
n of
eva
luat
ion
crite
ria to
bio
met
ric
tech
nolo
gies
, Met
hodo
logi
es fo
r per
for-
man
ce te
stin
g an
d re
porti
ng a
nd c
ross
ju
risdi
ctio
nal a
nd s
ocie
tal a
spec
ts
ISO
/IEC
JTC
1/S
C 3
7/W
G 1
Har
mon
ized
Bio
met
ric V
ocab
ular
y
ISO
/IEC
JTC
1/S
C 3
7/W
G 2
Bio
met
ric T
echn
ical
Inte
rface
s
ISO
/IEC
JTC
1/S
C 3
7/W
G 3
Bio
met
ric D
ata
Inte
rcha
nge
Form
ats
ISO
/IEC
JTC
1/S
C 3
7/W
G 4
Tech
nica
l Im
plem
enta
tion
of B
iom
etric
Sys
tem
s
ISO
/IEC
JTC
1/S
C 3
7/W
G 5
ISO
/IEC
JTC
1/S
C 3
7/W
G 6
Bio
met
ric T
estin
g an
d R
epor
ting
Cro
ss J
uris
dict
iona
l and
Soc
ieta
l Asp
ects
of B
iom
etric
s
ISO
/IEC
JTC
1/S
C 2
7 IT
Sec
urity
te
chni
ques
The
deve
lopm
ent o
f sta
ndar
ds fo
r the
pro
tect
ion
of in
form
atio
n an
d IC
T.
This
incl
udes
gen
eric
met
hods
, tec
hniq
ues
and
guid
elin
es to
add
ress
bot
h se
curit
y an
d pr
ivac
y as
pect
s. 1
) Sec
urity
requ
irem
ents
cap
ture
met
h-od
olog
y; 2
) Man
agem
ent o
f inf
orm
atio
n an
d IC
T se
curit
y, in
par
ticul
ar
info
rmat
ion
secu
rity
man
agem
ent s
yste
ms,
sec
urity
pro
cess
es, s
ecur
ity
cont
rols
and
ser
vice
s; 3
) Cry
ptog
raph
ic a
nd o
ther
sec
urity
mec
hani
sms,
in
clud
ing
but n
ot li
mite
d to
mec
hani
sms
for p
rote
ctin
g th
e ac
coun
tabi
lity,
av
aila
bilit
y, in
tegr
ity a
nd c
onfid
entia
lity
of in
form
atio
n; 4
) Sec
urity
man
-ag
emen
t sup
port
docu
men
tatio
n in
clud
ing
term
inol
ogy,
gui
delin
es a
s w
ell
as p
roce
dure
s fo
r the
regi
stra
tion
of s
ecur
ity c
ompo
nent
s; 5
) Sec
urity
as
pect
s of
iden
tity
man
agem
ent,
biom
etric
s an
d pr
ivac
y; 6
) Con
form
ance
as
sess
men
t, ac
cred
itatio
n an
d au
ditin
g re
quire
men
ts in
the
area
of i
nfor
-m
atio
n se
curit
y m
anag
emen
t sys
tem
s; 7
) Sec
urity
eva
luat
ion
crite
ria a
nd
met
hodo
logy
.
Dev
elop
s In
tern
atio
nal S
tand
ards
, Tec
h-ni
cal R
epor
ts, a
nd T
echn
ical
Spe
cific
a-tio
ns w
ithin
the
field
of i
nfor
mat
ion
and
IT
secu
rity.
Sta
ndar
diza
tion
activ
ity b
y th
is
subc
omm
ittee
incl
udes
gen
eral
met
hods
, m
anag
emen
t sys
tem
requ
irem
ents
, tec
h-ni
ques
and
gui
delin
es to
add
ress
bot
h in
form
atio
n se
curit
y an
d pr
ivac
y.
(con
tinue
d)
31Draft for Discussion
SU
BC
OM
MIT
TEE
S/
WO
RK
ING
GR
OU
PS
CO
PE
DE
SC
RIP
TIO
N
ISO
/IEC
JTC
1/S
C 2
7/S
WG
-MM
anag
emen
t
ISO
/IEC
JTC
1/S
C 2
7/S
WG
-TTr
ansv
ersa
l ite
ms
ISO
/IEC
JTC
1/S
C 2
7/W
G 1
Info
rmat
ion
secu
rity
man
agem
ent s
yste
ms
ISO
/IEC
JTC
1/S
C 2
7/W
G 2
Cry
ptog
raph
y an
d se
curit
y m
echa
nism
s
ISO
/IEC
JTC
1/S
C 2
7/W
G 3
Sec
urity
eva
luat
ion,
test
ing
and
spec
ifica
tion
ISO
/IEC
JTC
1/S
C 2
7/W
G 4
Sec
urity
con
trols
and
ser
vice
s
ISO
/IEC
JTC
1/S
C 2
7/W
G 5
Iden
tity
man
agem
ent a
nd p
rivac
y te
chno
logi
es
ISO
/IEC
JTC
1/S
C 1
7 fo
r Car
ds
and
pers
onal
iden
tific
atio
n S
tand
ardi
zatio
n in
the
area
of:
Iden
tific
atio
n an
d re
late
d do
cum
ents
, car
ds
and,
dev
ices
ass
ocia
ted
with
thei
r use
in in
ter-
indu
stry
app
licat
ions
and
in
tern
atio
nal i
nter
chan
ge
Dev
elop
s an
d fa
cilit
ates
sta
ndar
ds w
ithin
th
e fie
ld o
f ide
ntifi
catio
n ca
rds
and
per-
sona
l ide
ntifi
catio
n
ISO
/IEC
JTC
1/S
C 1
7/W
G 1
Phy
sica
l cha
ract
eris
tics
and
test
met
hods
for I
D c
ards
ISO
/IEC
JTC
1/S
C 1
7/W
G 3
Iden
tific
atio
n ca
rds—
Mac
hine
read
able
trav
el d
ocum
ents
ISO
/IEC
JTC
1/S
C 1
7/W
G 4
Inte
grat
ed c
ircui
t car
ds
ISO
/IEC
JTC
1/S
C 1
7/W
G 5
Reg
istra
tion
Man
agem
ent G
roup
(RM
G)
ISO
/IEC
JTC
1/S
C 1
7/W
G 8
Inte
grat
ed c
ircui
t car
ds w
ithou
t con
tact
s
ISO
/IEC
JTC
1/S
C 1
7/W
G 9
Opt
ical
mem
ory
card
s an
d de
vice
s
ISO
/IEC
JTC
1/S
C 1
7/W
G 1
0M
otor
veh
icle
driv
er li
cens
e an
d re
late
d do
cum
ents
ISO
/IEC
JTC
1/S
C 1
7/W
G 1
1A
pplic
atio
n of
bio
met
rics
to c
ards
and
per
sona
l ide
ntifi
catio
n
Sour
ce: I
SO
htt
p://
ww
w is
o or
g/is
o/ho
me
htm
Con
tinu
ed
32 Draft for Discussion
APP
END
IX B
ST
AN
DAR
DS
DES
CRIP
TIO
N
STA
ND
AR
DD
ES
CR
IPTI
ON
ISO
/IEC
197
85 In
for-
mat
ion
tech
nolo
gy—
Com
mon
Bio
met
ric
Exc
hang
e Fo
rmat
s Fr
amew
ork
(CB
EFF
)
The
stan
dard
def
ines
a b
asic
stru
ctur
e fo
r sta
ndar
dize
d bi
omet
ric in
form
atio
n re
cord
s (B
IRs)
with
in th
e C
omm
on B
iom
etric
E
xcha
nge
Form
ats
Fram
ewor
k (C
BE
FF).
This
stru
ctur
e co
nsis
ts o
f thr
ee p
arts
: the
sta
ndar
d bi
omet
ric h
eade
r (S
BH
), th
e bi
omet
-ric
dat
a bl
ock
(BD
B),
and
the
secu
rity
bloc
k (S
B).
CB
EFF
als
o de
fines
sev
eral
dat
a el
emen
ts a
nd th
eir s
tand
ardi
zed
abst
ract
val
-ue
s th
at c
an b
e us
ed in
SB
Hs
and
SB
s (C
BE
FF tr
eats
the
BD
B a
s op
aque
dat
a). C
BE
FF a
lso
esta
blis
hes
mec
hani
sms
by w
hich
or
gani
zatio
ns, c
alle
d “p
atro
ns” b
y C
BE
FF, c
an s
peci
fy a
nd p
ublis
h B
IR fo
rmat
spe
cific
atio
ns, w
hich
are
in tu
rn c
alle
d “p
atro
n fo
rmat
s.” C
BE
FF e
nabl
es p
atro
ns to
dev
elop
BIR
spe
cific
atio
ns th
at a
re fu
lly s
tand
ardi
zed
and
inte
rope
rabl
e, y
et a
re s
peci
fical
ly
adap
ted
to th
e re
quire
men
ts o
f a p
artic
ular
app
licat
ion
envi
ronm
ent.
CB
EFF
def
ines
rule
s fo
r BIR
s th
at c
onta
in o
nly
one
BD
B
(sim
ple
BIR
) and
that
con
tain
at l
east
one
BD
B (c
ompl
ex B
IR).
CB
EFF
def
ines
man
dato
ry d
ata
elem
ents
that
iden
tify
the
form
at
of a
BD
B a
nd it
s se
curit
y at
tribu
tes
(enc
rypt
ion
and
inte
grity
). A
ll th
e ot
her C
BE
FF-d
efin
ed d
ata
elem
ents
and
abs
tract
val
ues
are
optio
nal.
CB
EFF
ena
bles
pat
rons
to d
efin
e ad
ditio
nal d
ata
elem
ents
and
abs
tract
val
ues
as re
quire
d by
the
appl
icat
ion
envi
ron-
men
t. Th
e st
anda
rd w
as u
pdat
ed in
201
5. P
rote
ctio
n of
the
priv
acy
of in
divi
dual
s fro
m in
appr
opria
te d
isse
min
atio
n an
d us
e of
bi
omet
ric d
ata
is n
ot in
the
scop
e of
this
par
t of I
SO
/IEC
197
85 b
ut m
ay b
e su
bjec
t to
natio
nal r
egul
atio
n.
ISO
/IEC
197
94—
(Ser
ies)
Bio
met
ric
data
inte
rcha
nge
form
s
Fram
ewor
k de
scrib
es th
e ge
nera
l asp
ects
and
requ
irem
ents
for d
efin
ing
biom
etric
dat
a in
terc
hang
e fo
rmat
s. T
he n
otat
ion
and
trans
fer f
orm
ats
prov
ide
plat
form
inde
pend
ence
and
sep
arat
ion
of tr
ansf
er s
ynta
x fro
m c
onte
nt d
efin
ition
. Dat
a fo
rmat
s fo
r rep
re-
sent
atio
n of
fing
erpr
ints
usi
ng th
e fu
ndam
enta
l not
ion
of m
inut
iae.
Rel
evan
t for
aut
omat
ed fi
nger
prin
t rec
ogni
tion.
Fac
ial r
ecog
ni-
tion
form
ats.
ISO
/IEC
154
44 (a
ll pa
rts) I
nfor
mat
ion
tech
nolo
gy—
JPE
G
2000
imag
e co
ding
sy
stem
This
sta
ndar
d de
al w
ith J
PE
G 2
000
Imag
e co
ding
sys
tem
s. It
dea
ls w
ith S
patia
l (sa
mpl
es),
trans
form
ed (c
oeffi
cien
ts) a
nd C
om-
pres
sed
imag
e da
ta. V
ario
us e
lem
ents
suc
h as
enc
oder
, dec
oder
, cod
e st
ream
, opt
iona
l file
form
ats
with
syn
tax,
reco
nstru
ctio
n of
im
age
data
, and
gui
delin
es h
ow to
impl
emen
t the
se p
roce
sses
in p
ract
ice
are
expl
aine
d.
(con
tinue
d)
33Draft for Discussion
STA
ND
AR
DD
ES
CR
IPTI
ON
ISO
/IEC
297
94Q
ualit
y m
etric
s ar
e us
eful
for s
ever
al a
pplic
atio
ns in
the
field
of b
iom
etric
s. IS
O/IE
C 2
9794
def
ines
and
spe
cifie
s m
etho
dolo
gies
fo
r obj
ectiv
e, q
uant
itativ
e qu
ality
sco
re e
xpre
ssio
n, in
terp
reta
tion,
and
inte
rcha
nge.
Thi
s st
anda
rd is
inte
nded
to a
dd v
alue
to a
br
oad
spec
trum
of a
pplic
atio
ns in
a m
anne
r tha
t
a) e
ncou
rage
s co
mpe
titio
n, in
nova
tion,
inte
rope
rabi
lity
and
perfo
rman
ce im
prov
emen
ts; a
nd
b) a
void
s bi
as to
war
ds a
pplic
atio
ns, m
odal
ities
, or t
echn
ique
s.
It pr
esen
ts s
ever
al b
iom
etric
sam
ple
qual
ity s
corin
g to
ols,
the
use
of w
hich
is g
ener
ally
opt
iona
l but
can
be
dete
rmin
ed to
be
man
dato
ry b
y ap
plic
atio
n pr
ofile
s or
spe
cific
impl
emen
tatio
ns. I
t con
sist
s of
the
follo
win
g pa
rts, u
nder
the
gene
ral t
itle
Info
rmat
ion
tech
nolo
gy—
Bio
met
ric s
ampl
e qu
ality
:
• P
art 1
: Fra
mew
ork
• P
art 4
: Fin
ger i
mag
e da
ta
• P
art 5
: Fac
ial i
mag
e da
ta [T
echn
ical
Rep
ort]
• P
art 6
: Iris
imag
e da
ta
ISO
/IEC
781
0IS
O/IE
C 7
810
is o
ne o
f a s
erie
s of
sta
ndar
ds d
escr
ibin
g th
e ch
arac
teris
tics
of id
entif
icat
ion
card
s. T
he p
urpo
se is
to p
rovi
de
crite
ria to
whi
ch c
ards
sha
ll pe
rform
and
to s
peci
fy th
e re
quire
men
ts fo
r suc
h ca
rds
used
for i
nter
natio
nal i
nter
chan
ge. I
t tak
es in
to
cons
ider
atio
n bo
th h
uman
and
mac
hine
asp
ects
and
sta
tes
min
imum
requ
irem
ents
. It d
efin
es v
ario
us s
izes
(4) o
f the
ID c
ards
, th
e co
nditi
ons
for c
onfo
rman
ce, t
he d
imen
sion
s an
d to
lera
nces
of t
he id
entif
icat
ion
card
s; th
e co
nstru
ctio
n an
d m
ater
ials
of t
he
iden
tific
atio
n ca
rds;
and
the
phys
ical
cha
ract
eris
tics
of th
e ca
rds
such
as
bend
ing
stiff
ness
, fla
mm
abili
ty, t
oxic
ity, r
esis
tanc
e to
ch
emic
als,
dim
ensi
onal
sta
bilit
y, a
dhes
ion
or b
lock
ing,
war
page
, res
ista
nce
to h
eat,
surfa
ce d
isto
rtion
s, a
nd c
onta
min
atio
n—al
l ar
e el
abor
ated
in th
is s
tand
ard.
ISO
/IEC
781
1 S
erie
sIS
O/IE
C 7
811
Ser
ies
stan
dard
des
crib
es c
hara
cter
istic
s of
iden
tific
atio
n ca
rds
with
mag
netic
stri
pes.
It s
peci
fies
the
embo
ssin
g,
mag
netic
stri
pe, l
ocat
ion
of R
ead
Onl
y m
agne
tic tr
acks
, loc
atio
n of
Rea
d/W
rite
Mag
netic
Tra
cks,
etc
.
ISO
781
2IS
O/IE
C 7
812
Iden
tific
atio
n ca
rds—
Iden
tific
atio
n of
issu
ers
was
firs
t pub
lishe
d by
the
Inte
rnat
iona
l Org
aniz
atio
n fo
r Sta
ndar
d-iz
atio
n (IS
O) i
n 19
89. I
t is
the
inte
rnat
iona
l sta
ndar
d th
at s
peci
fies
“a n
umbe
ring
syst
em fo
r the
iden
tific
atio
n of
issu
ers
of c
ards
th
at re
quire
an
issu
er id
entif
icat
ion
num
ber (
IIN) t
o op
erat
e in
inte
rnat
iona
l, in
ter-
indu
stry
and
/or i
ntra
-indu
stry
inte
rcha
nge,
” and
pr
oced
ures
for r
egis
terin
g IIN
s. [2
] IS
O/IE
C 7
812
have
two
parts
:
Par
t 1: N
umbe
ring
syst
em
Par
t 2: A
pplic
atio
n an
d re
gist
ratio
n pr
oced
ures
(con
tinue
d)
Con
tinu
ed
34 Draft for Discussion
(con
tinue
d)
STA
ND
AR
DD
ES
CR
IPTI
ON
ISO
/IEC
781
3IS
O/IE
C 7
813
spec
ifies
the
stan
dard
s fo
r car
ds u
sed
for f
inan
cial
tran
sact
ions
. It s
peci
fies
the
data
stru
ctur
e an
d da
ta c
onte
nt
of m
agne
tic tr
acks
1 a
nd 2
, whi
ch a
re u
sed
to in
itiat
e fin
anci
al tr
ansa
ctio
ns. I
t tak
es in
to c
onsi
dera
tion
both
hum
an a
nd p
hysi
cal
aspe
cts
and
stat
es m
inim
um re
quire
men
ts o
f con
form
ity. I
t ref
eren
ces
layo
ut, r
ecor
ding
tech
niqu
es, n
umbe
ring
syst
ems,
regi
stra
-tio
n pr
oced
ures
, but
not
sec
urity
requ
irem
ents
.
ISO
/IEC
180
13Th
e IS
O/IE
C 1
8013
sta
ndar
d es
tabl
ishe
s gu
idel
ines
for t
he d
esig
n fo
rmat
and
dat
a co
nten
t of I
SO/IE
C-c
ompl
iant
driv
ing
licen
ses
(IDL)
with
rega
rd to
hum
an-re
adab
le fe
atur
es (I
SO/IE
C 1
8013
-1),
mac
hine
-read
able
tech
nolo
gies
(ISO
/IEC
180
13-2
), an
d ac
cess
co
ntro
l, au
then
ticat
ion
and
inte
grity
val
idat
ion
(ISO
/IEC
180
13-3
). It
crea
tes
a co
mm
on b
asis
for i
nter
natio
nal u
se a
nd m
utua
l rec
og-
nitio
n of
the
IDL
with
out i
mpe
ding
indi
vidu
al c
ount
ries/
stat
es fr
om a
pply
ing
thei
r priv
acy
rule
s an
d na
tiona
l/com
mun
ity/re
gion
al m
otor
ve
hicl
e au
thor
ities
in ta
king
car
e of
thei
r spe
cific
nee
ds.
ISO
/IEC
781
6IS
O/IE
C 7
816
is a
mul
ti-pa
rt in
tern
atio
nal s
tand
ard
brok
en in
to fo
urte
en p
arts
. IS
O/IE
C 7
816
Par
ts 1
, 2 a
nd 3
dea
ls o
nly
with
co
ntac
t sm
art c
ards
and
def
ine
the
vario
us a
spec
ts o
f the
car
d an
d its
inte
rface
s, in
clud
ing
the
card
’s p
hysi
cal d
imen
sion
s, th
e el
ectri
cal i
nter
face
and
the
com
mun
icat
ions
pro
toco
ls. I
SO
/IEC
781
6 P
arts
4, 5
, 6, 8
, 9, 1
1, 1
3 an
d 15
are
rele
vant
to a
ll ty
pes
of
smar
t car
ds (c
onta
ct a
s w
ell a
s co
ntac
tless
). Th
ey d
efin
e th
e ca
rd lo
gica
l stru
ctur
e (fi
les
and
data
ele
men
ts),
vario
us c
omm
ands
us
ed b
y th
e ap
plic
atio
n pr
ogra
mm
ing
inte
rface
for b
asic
use
, app
licat
ion
man
agem
ent,
biom
etric
ver
ifica
tion,
cry
ptog
raph
ic s
er-
vice
s an
d ap
plic
atio
n na
min
g. IS
O/IE
C 7
816
Par
t 10
is u
sed
by m
emor
y ca
rds
for a
pplic
atio
ns s
uch
as p
repa
id te
leph
one
card
s or
ve
ndin
g m
achi
nes.
ISO
/IEC
781
6 P
art 7
def
ines
a s
ecur
e re
latio
nal d
atab
ase
appr
oach
for s
mar
t car
ds b
ased
on
the
SQ
L in
ter-
face
s (S
CQ
L).
ISO
/IEC
144
43IS
O/IE
C 1
4443
is a
n in
tern
atio
nal s
tand
ard
that
def
ines
the
inte
rface
s to
a “c
lose
pro
xim
ity” c
onta
ctle
ss s
mar
t car
d, in
clud
ing
the
radi
o fre
quen
cy (R
F) in
terfa
ce, t
he e
lect
rical
inte
rface
, and
the
com
mun
icat
ions
and
ant
i-col
lisio
n pr
otoc
ols.
ISO
/IEC
144
43
com
plia
nt c
ards
ope
rate
at 1
3.56
MH
z an
d ha
ve a
n op
erat
iona
l ran
ge o
f up
to 1
0 ce
ntim
eter
s (3
.94
inch
es).
ISO
/IEC
144
43 is
the
prim
ary
cont
actle
ss s
mar
t car
d st
anda
rd b
eing
use
d fo
r tra
nsit,
fina
ncia
l, an
d ac
cess
con
trol a
pplic
atio
ns. I
t is
also
use
d in
ele
c-tro
nic
pass
ports
and
in th
e FI
PS
201
PIV
car
d.
ICA
O 9
303
Sta
ndar
d fo
r Mac
hine
Rea
dabl
e Tr
avel
Doc
umen
ts
A m
achi
ne-re
adab
le tr
avel
doc
umen
t (M
RTD
) is
in fa
ct a
trav
el d
ocum
ent w
ith th
e da
ta o
n th
e id
entit
y pa
ge e
ncod
ed in
opt
ical
ch
arac
ter r
ecog
nitio
n fo
rmat
. Man
y co
untri
es b
egan
to is
sue
mac
hine
-read
able
trav
el d
ocum
ents
in th
e 19
80s.
Mos
t tra
vel p
ass-
ports
wor
ldw
ide
are
MR
Ps. T
hey
are
stan
dard
ized
by
the
ICAO
Doc
umen
t 930
3 (e
ndor
sed
by th
e In
tern
atio
nal O
rgan
izat
ion
for
Stan
dard
izat
ion
and
the
Inte
rnat
iona
l Ele
ctro
tech
nica
l Com
mis
sion
as
ISO
/IEC
750
1-1)
and
hav
e a
spec
ial m
achi
ne- re
adab
le
zone
(MR
Z), w
hich
is u
sual
ly a
t the
bot
tom
of t
he id
entit
y pa
ge a
t the
beg
inni
ng o
f a p
assp
ort o
r tra
vel c
ard
with
bas
ic id
entit
y in
form
atio
n.
Con
tinu
ed
35Draft for Discussion
STA
ND
AR
DD
ES
CR
IPTI
ON
ISO
/IEC
858
3IS
O 8
583
prov
ides
a fr
amew
ork
for c
reat
ing
prot
ocol
s fo
r the
exc
hang
e of
fina
ncia
l tra
nsac
tion
mes
sage
s. T
ypic
ally,
thes
e ar
e m
es-
sage
s th
at in
volv
e tra
nsac
tions
orig
inat
ing
from
car
ds o
f som
e so
rt or
the
othe
r, be
they
cre
dit o
r deb
it ca
rds.
It is
impo
rtant
to re
aliz
e th
at 8
583
itsel
f is
not a
pro
toco
l, ju
st a
s XM
L is
not
a fi
le fo
rmat
. XM
L ca
n be
con
side
red
a de
scrip
tion
of h
ow to
spe
cify
file
form
ats
for
stru
ctur
ed d
ata
acco
rdin
g to
a s
et o
f rul
es. I
SO 8
583
is a
met
a-pr
otoc
ol p
rovi
ding
a s
et o
f rul
es fo
r the
def
initio
n of
fina
ncia
l tra
nsac
-tio
n pr
otoc
ols.
The
sta
ndar
d, o
ffici
ally
title
d “F
inan
cial
tran
sact
ion
card
orig
inat
ed m
essa
ges—
Inte
rcha
nge
mes
sage
spe
cific
atio
ns” i
s co
mpr
ised
of t
hree
par
ts:
• P
art 1
: Mes
sage
s, d
ata
elem
ents
and
cod
e va
lues
• P
art 2
: App
licat
ion
and
regi
stra
tion
proc
edur
es fo
r Ins
titut
ion
Iden
tific
atio
n C
odes
(IIC
)
• Pa
rt 3:
Mai
nten
ance
pro
cedu
res
for m
essa
ges,
dat
a el
emen
ts a
nd c
ode
valu
es
Eur
opay
, Mas
terc
ard
and
VIS
A (E
MV
) S
tand
ards
EMV
is a
tech
nica
l sta
ndar
d fo
r sm
art p
aym
ent c
ards
and
for p
aym
ent t
erm
inal
s an
d au
tom
ated
telle
r mac
hine
s th
at c
an a
ccep
t th
em. E
MV
(Eur
opay
, Mas
terC
ard
and
Visa
) car
ds a
re s
mar
t car
ds (a
lso
calle
d ch
ip c
ards
or I
C c
ards
), w
hich
sto
re th
eir d
ata
on
inte
grat
ed c
ircui
ts ra
ther
than
mag
netic
stri
pes,
alth
ough
man
y EM
V ca
rds
also
hav
e st
ripes
for b
ackw
ard
com
patib
ility.
The
y ca
n be
co
ntac
t car
ds th
at m
ust b
e ph
ysic
ally
inse
rted
(or “
dipp
ed”)
into
a re
ader
, or c
onta
ctle
ss c
ards
that
can
be
read
ove
r a s
hort
dist
ance
us
ing
radi
o-fre
quen
cy id
entif
icat
ion
(RFI
D) t
echn
olog
y. P
aym
ent c
ards
that
com
ply
with
the
EMV
stan
dard
are
ofte
n ca
lled
chip
-and
-PI
N o
r chi
p-an
d- si
gnat
ure
card
s, d
epen
ding
on
the
exac
t aut
hent
icat
ion
met
hods
requ
ired
to u
se th
em. E
MV
stan
ds fo
r Eur
opay
, M
aste
rCar
d, a
nd V
isa,
the
thre
e co
mpa
nies
that
orig
inal
ly c
reat
ed th
e st
anda
rd. T
he s
tand
ard
is n
ow m
anag
ed b
y EM
VCo,
a c
onso
r-tiu
m w
ith c
ontro
l spl
it eq
ually
am
ong
Visa
, Mas
terc
ard,
JC
B, A
mer
ican
Exp
ress
, Chi
na U
nion
Pay,
and
Dis
cove
r. Th
ere
are
stan
dard
s ba
sed
on IS
O/IE
C 7
816
for c
onta
ct c
ards
, and
sta
ndar
ds b
ased
on
ISO
/IEC
144
43 fo
r con
tact
less
car
ds (P
ayPa
ss, P
ayW
ave,
Ex
pres
sPay
). Vi
sa a
nd M
aste
rCar
d ha
ve a
lso
deve
lope
d st
anda
rds
for u
sing
EM
V ca
rds
in d
evic
es to
sup
port
card
-not
-pre
sent
tra
nsac
tions
ove
r the
tele
phon
e an
d In
tern
et. M
aste
rCar
d ha
s th
e C
hip
Auth
entic
atio
n Pr
ogra
m (C
AP) f
or s
ecur
e e-
com
mer
ce. I
ts
impl
emen
tatio
n is
kno
wn
as E
MV-
CAP
and
sup
ports
man
y m
odes
. Vis
a ha
s th
e D
ynam
ic P
assc
ode
Auth
entic
atio
n (D
PA) s
chem
e,
whi
ch is
thei
r im
plem
enta
tion
of C
AP u
sing
diff
eren
t def
ault
valu
es.
ISO
/IEC
247
61
Info
rmat
ion
te
chno
logy
—S
ecur
ity
tech
niqu
es—
A
uthe
ntic
atio
n co
ntex
t fo
r bio
met
rics
Spe
cifie
s th
e st
ruct
ure
and
the
data
ele
men
ts o
f Aut
hent
icat
ion
Con
text
for B
iom
etric
s (A
CB
io),
whi
ch is
use
d fo
r che
ckin
g th
e va
lidity
of t
he re
sult
of a
bio
met
ric v
erifi
catio
n pr
oces
s ex
ecut
ed a
t a re
mot
e si
te. I
SO
/IEC
247
61:2
009
allo
ws
any
AC
Bio
inst
ance
to
acc
ompa
ny a
ny d
ata
item
that
is in
volv
ed in
any
bio
met
ric p
roce
ss re
late
d to
ver
ifica
tion
and
enro
llmen
t. Th
e sp
ecifi
catio
n of
A
CB
io is
app
licab
le n
ot o
nly
to s
ingl
e m
odal
bio
met
ric v
erifi
catio
n bu
t als
o to
mul
timod
al fu
sion
. IS
O/IE
C 2
4761
:200
9 sp
ecifi
es th
e cr
ypto
grap
hic
synt
ax o
f an
AC
Bio
inst
ance
. The
cry
ptog
raph
ic s
ynta
x of
an
AC
Bio
inst
ance
is b
ased
on
an a
bstra
ct C
rypt
ogra
phic
M
essa
ge S
ynta
x (C
MS
) sch
ema
who
se c
oncr
ete
valu
es c
an b
e re
pres
ente
d us
ing
eith
er a
com
pact
bin
ary
enco
ding
or a
hum
an-
read
able
XM
L en
codi
ng. I
SO
/IEC
247
61:2
009
does
not
def
ine
prot
ocol
s to
be
used
bet
wee
n en
titie
s su
ch a
s bi
omet
ric p
roce
ssin
g un
its, c
laim
ant,
and
valid
ator
. Its
con
cern
is e
ntire
ly w
ith th
e co
nten
t and
enc
odin
g of
the
AC
Bio
inst
ance
s fo
r the
var
ious
pro
cess
-in
g ac
tiviti
es.
(con
tinue
d)
Con
tinu
ed
36 Draft for Discussion
STA
ND
AR
DD
ES
CR
IPTI
ON
Mob
ile C
onne
ct—
a ne
w in
dust
ry m
echa
-ni
sm fo
r onl
ine
iden
tity
Mob
ile C
onne
ct is
boa
sted
as
a se
cure
uni
vers
al lo
g-in
sol
utio
n. It
is in
crea
sing
ly b
ecom
ing
a ne
w s
tand
ard
in d
igita
l aut
hent
ica-
tion.
Sim
ply
by m
atch
ing
the
user
to th
eir m
obile
pho
ne, M
obile
Con
nect
allo
ws
them
to lo
g in
to w
ebsi
tes
and
appl
icat
ions
qui
ckly
w
ithou
t the
nee
d to
rem
embe
r pas
swor
ds a
nd u
ser n
ames
. It i
s ge
nera
lly c
onsi
dere
d as
saf
e, s
ecur
e an
d no
per
sona
l inf
orm
atio
n is
sha
red
with
out p
erm
issi
on. T
he s
tand
ard
is b
ack
by th
e m
obile
indu
stry
con
sorti
um k
now
n as
Gro
upe
Spe
cial
e M
obile
Ass
ocia
-tio
n (G
SM
A).
Eur
opea
n U
nion
end
orse
d th
e G
SM
pro
ject
in 1
986.
Mob
ile C
onne
ct is
ava
ilabl
e to
2 b
illio
n co
nsum
ers
glob
ally.
It
is b
ecom
ing
popu
lar a
s it
offe
rs a
sol
utio
n by
pro
vidi
ng c
itize
ns w
ith a
sec
ure
and
conv
enie
nt w
ay to
pro
ve w
ho th
ey a
re, w
ith th
e de
vice
that
is a
lway
s w
ith th
em: t
heir
mob
ile p
hone
. Mob
ile C
onne
ct c
an s
uppo
rt e-
gove
rnm
ent d
igita
l ide
ntity
aut
hent
icat
ion
for
citiz
ens
givi
ng a
cces
s to
pub
lic s
ervi
ces,
sm
art c
ities
, hea
lth c
are,
edu
catio
n, c
ross
bor
der p
ublic
ser
vice
s an
d vo
ting.
Thr
ough
the
in-b
uilt
priv
acy
prot
ectio
n of
fere
d, it
can
sim
plify
ano
nym
ous
regi
stra
tion
whe
re c
itize
n en
title
men
t doe
s no
t nee
d to
be
chec
ked,
an
d re
duce
the
risk
of d
ata
brea
ches
as
wel
l as
cut g
over
nmen
ts’ c
osts
to s
erve
. By
deliv
erin
g th
ese
bene
fits
to c
itize
ns a
nd
empl
oyee
s, M
obile
Con
nect
has
a p
oten
tial t
o st
reng
then
trus
t and
upt
ake
of e
-gov
ernm
ent s
ervi
ces.
ISO
/IEC
247
45:2
011
Info
rmat
ion
tech
nolo
gy-s
ecur
ity
tech
niqu
es—
Bio
met
ric
info
rmat
ion
prot
ectio
n
Pro
vide
s gu
idan
ce fo
r the
pro
tect
ion
of b
iom
etric
info
rmat
ion
unde
r var
ious
requ
irem
ents
for c
onfid
entia
lity,
inte
grity
and
rene
w-
abili
ty/re
voca
bilit
y du
ring
stor
age
and
trans
fer.
Add
ition
ally,
ISO
/IEC
247
45:2
011
prov
ides
requ
irem
ents
and
gui
delin
es fo
r the
se
cure
and
priv
acy-
com
plia
nt m
anag
emen
t and
pro
cess
ing
of b
iom
etric
info
rmat
ion.
• an
alys
is o
f the
thre
ats
to a
nd c
ount
erm
easu
res
inhe
rent
in a
bio
met
ric a
nd b
iom
etric
sys
tem
app
licat
ion
mod
els;
• se
curit
y re
quire
men
ts fo
r sec
ure
bind
ing
betw
een
a bi
omet
ric re
fere
nce
and
an id
entit
y re
fere
nce;
• bi
omet
ric s
yste
m a
pplic
atio
n m
odel
s w
ith d
iffer
ent s
cena
rios
for t
he s
tora
ge o
f bio
met
ric re
fere
nces
and
com
paris
on; a
nd
• gu
idan
ce o
n th
e pr
otec
tion
of a
n in
divi
dual
’s p
rivac
y du
ring
the
proc
essi
ng o
f bio
met
ric in
form
atio
n.
How
ever
, doe
s no
t inc
lude
mea
sure
s fo
r phy
sica
l, en
viro
nmen
tal s
ecur
ity a
nd k
ey m
anag
emen
t for
cry
ptog
raph
ic te
chni
ques
.
FID
O m
echa
nism
for
secu
rity
devi
ces
and
plug
-ins
The
FID
O (F
ast I
Den
tity
Onl
ine)
Alli
ance
is a
non
prof
it or
gani
zatio
n fo
rmed
in J
uly
2012
to a
ddre
ss th
e la
ck o
f int
erop
erab
ility
am
ong
stro
ng a
uthe
ntic
atio
n de
vice
s as
wel
l as
the
prob
lem
s us
ers
face
with
cre
atin
g an
d re
mem
berin
g m
ultip
le u
ser n
ames
an
d pa
ssw
ords
. The
FID
O A
llian
ce p
lans
to c
hang
e th
e na
ture
of a
uthe
ntic
atio
n by
dev
elop
ing
spec
ifica
tions
that
def
ine
an o
pen,
sc
alab
le, i
nter
oper
able
set
of m
echa
nism
s th
at s
uppl
ant r
elia
nce
on p
assw
ords
to s
ecur
ely
auth
entic
ate
user
s of
onl
ine
serv
ices
. Th
is n
ew s
tand
ard
for s
ecur
ity d
evic
es a
nd b
row
ser p
lug-
ins
will
allo
w a
ny w
ebsi
te o
r Clo
ud a
pplic
atio
n to
inte
rface
with
a b
road
va
riety
of e
xist
ing
and
futu
re F
IDO
-ena
bled
dev
ices
that
the
user
has
for o
nlin
e se
curit
y. F
IDO
pro
toco
ls a
re b
ased
on
publ
ic k
ey
cryp
togr
aphy
and
are
stro
ngly
resi
stan
t to
phis
hing
.
Con
tinu
ed
(con
tinue
d)
37Draft for Discussion
STA
ND
AR
DD
ES
CR
IPTI
ON
eID
AS
Reg
ulat
ion
of
Eur
opea
n U
nion
eID
AS
sta
nds
for E
U R
egul
atio
n N
o 91
0/20
14 o
n el
ectro
nic
iden
tific
atio
n an
d tru
st s
ervi
ces
for e
lect
roni
c tra
nsac
tions
. eID
AS
w
as p
ublis
hed
by th
e E
urop
ean
Par
liam
ent a
nd th
e E
urop
ean
Cou
ncil
on J
uly
23, 2
014.
eID
AS
ove
rsee
s el
ectro
nic
iden
tific
atio
n an
d tru
st s
ervi
ces
for e
lect
roni
c tra
nsac
tions
in th
e E
urop
ean
Uni
on’s
inte
rnal
mar
ket.
It re
gula
tes
elec
troni
c si
gnat
ures
, ele
c-tro
nic
trans
actio
ns, i
nvol
ved
bodi
es a
nd th
eir e
mbe
ddin
g pr
oces
ses
to p
rovi
de a
saf
e w
ay fo
r use
rs to
con
duct
bus
ines
s on
line
like
elec
troni
c fu
nds
trans
fer o
r tra
nsac
tions
with
pub
lic s
ervi
ces.
Bot
h th
e si
gnat
ory
and
reci
pien
t hav
e ac
cess
to a
hig
her l
evel
of
con
veni
ence
and
sec
urity
. Ins
tead
of r
elyi
ng o
n tra
ditio
nal m
etho
ds, s
uch
as m
ail,
facs
imile
ser
vice
, or a
ppea
ring
in p
erso
n to
su
bmit
pape
r-ba
sed
docu
men
ts, t
hey
may
now
per
form
tran
sact
ions
acr
oss
bord
ers,
e.g
., us
ing
“1-C
lick”
tech
nolo
gy. [
1][2
] eID
AS
ha
s cr
eate
d st
anda
rds
for w
hich
ele
ctro
nic
sign
atur
es, e
lect
roni
c se
als,
tim
e st
amps
and
oth
er p
roof
for a
uthe
ntic
atio
n pu
rpos
es
prov
ide
elec
troni
c tra
nsac
tions
with
the
sam
e le
gal s
tand
ing
as tr
ansa
ctio
ns p
erfo
rmed
on
pape
r.
ISO
/IEC
247
60
Info
rmat
ion
Tech
nolo
gy-S
ecur
ity
Tech
niqu
es—
A fra
mew
ork
of Id
entit
y M
anag
emen
t
Dat
a pr
oces
sing
syst
ems
com
mon
ly ga
ther
a ra
nge
of in
form
atio
n on
thei
r use
rs, b
e it
a pe
rson
, pie
ce o
f equ
ipm
ent,
or p
iece
of s
oftw
are
conn
ecte
d to
them
, and
mak
e de
cisio
ns b
ased
on
the
gath
ered
info
rmat
ion.
Suc
h id
entit
y-ba
sed
decis
ions
may
con
cern
acc
ess
to a
pplic
a-tio
ns o
r oth
er re
sour
ces.
To
addr
ess
the
need
to e
fficie
ntly
and
effe
ctive
ly im
plem
ent s
yste
ms
that
mak
e id
entit
y-ba
sed
decis
ions
, ISO
/IEC
24
760
spec
ifies
a fra
mew
ork
for t
he is
suan
ce, a
dmin
istra
tion,
and
use
of d
ata
that
ser
ves
to c
hara
cter
ize in
divid
uals,
org
aniza
tions
, or i
nfor
-m
atio
n te
chno
logy
com
pone
nts
that
ope
rate
on
beha
lf of
indi
vidua
ls or
org
aniza
tions
. For
man
y or
gani
zatio
ns, t
he p
rope
r man
agem
ent o
f id
entit
y in
form
atio
n is
cruc
ial t
o m
aint
ain
secu
rity
of th
e or
gani
zatio
nal p
roce
sses
. For
indi
vidua
ls, c
orre
ct id
entit
y m
anag
emen
t is
impo
rtant
to
prot
ect p
rivac
y. IS
O/IE
C 2
4760
Ser
ies
spec
ifies
fund
amen
tal c
once
pts
and
oper
atio
nal s
truct
ures
of i
dent
ity m
anag
emen
t with
the
purp
ose
to re
alize
info
rmat
ion
syst
em m
anag
emen
t so
that
info
rmat
ion
syst
ems
can
mee
t bus
ines
s, c
ontra
ctua
l, re
gula
tory
and
lega
l obl
igat
ions
.
ISO
/IEC
291
09IS
O/IE
C 2
9109
def
ines
the
conc
epts
of c
onfo
rman
ce te
stin
g fo
r bio
met
ric d
ata
inte
rcha
nge
form
ats
and
defin
es a
gen
eral
con
-fo
rman
ce-te
stin
g fra
mew
ork.
It s
peci
fies
com
mon
(mod
ality
-neu
tral)
elem
ents
of t
he te
stin
g m
etho
dolo
gy, s
uch
as te
st m
etho
ds
and
proc
edur
es, i
mpl
emen
tatio
n co
nfor
man
ce c
laim
s, a
nd te
st re
sults
repo
rting
. It a
lso
prov
ides
the
asse
rtion
lang
uage
def
ini-
tion
and
sets
forth
oth
er te
stin
g an
d re
porti
ng re
quire
men
ts, a
nd o
utlin
es o
ther
asp
ects
of t
he c
onfo
rman
ce te
stin
g m
etho
dol-
ogy
that
are
gen
eral
ly a
pplic
able
and
not
mod
ality
spe
cific
. As
part
of th
e co
nfor
man
ce te
stin
g m
etho
dolo
gy, d
iffer
ent t
ypes
and
le
vels
of c
onfo
rman
ce te
stin
g ar
e de
scrib
ed, a
s w
ell a
s th
eir a
pplic
abili
ty. T
he c
onfo
rman
ce te
stin
g m
etho
dolo
gy s
peci
fied
in
ISO
/IEC
291
09-1
:200
9 is
con
cern
ed o
nly
with
dat
a in
terc
hang
e fo
rmat
reco
rds
and
syst
ems
that
pro
duce
or u
se th
ese
reco
rds.
ISO
/IEC
291
15IS
O/IE
C 2
9115
:201
3 pr
ovid
es a
fram
ewor
k fo
r man
agin
g en
tity
auth
entic
atio
n as
sura
nce
in a
giv
en c
onte
xt. I
n pa
rticu
lar,
it:
• sp
ecifi
es fo
ur le
vels
of e
ntity
aut
hent
icat
ion
assu
ranc
e;
• sp
ecifi
es c
riter
ia a
nd g
uide
lines
for a
chie
ving
eac
h of
the
four
leve
ls o
f ent
ity a
uthe
ntic
atio
n as
sura
nce
(LoA
s);
• pr
ovid
es g
uida
nce
for m
appi
ng o
ther
aut
hent
icat
ion
assu
ranc
e sc
hem
es to
the
four
LoA
s;
• pr
ovid
es g
uida
nce
for e
xcha
ngin
g th
e re
sults
of a
uthe
ntic
atio
n th
at a
re b
ased
on
the
four
LoA
s; a
nd
• pr
ovid
es g
uida
nce
conc
erni
ng c
ontro
ls th
at s
houl
d be
use
d to
miti
gate
aut
hent
icat
ion
thre
ats.
Sour
ce: I
SO
htt
p://
ww
w is
o or
g/is
o/ho
me
htm
Con
tinu
ed
38 Draft for Discussion
endnotes
1 For more on the importance of identification for development, see (World Bank 2016, Gelb and Clark 2013).2 Estimates by the World Bank ID4D Dataset, as of February 2016. This dataset will be updated annually.3 IEEE. What are Standards? Why are they important? IEEE, 2011. 4 Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation, World Bank-GSMA-SIA 2016.5 IEE FAQs https://supportcenter.ieee.org/app/answers/detail/a_id/83/~/what-are-standards%3F.6 Europay, MasterCard and Visa—Payment Smart Card Standard.7 https://mobileconnect.io.8 EU Regulation No 910/2014 on electronic identification and trust services for electronic transactions in the European internal market. See also Ashiq, J. A. 2016. “The eIDAS Agenda: Innovation, Interoperability and Transparency.” Cryptomathic. 25 January, https://www.cryptomathic.com/news-events/blog/the-eidas-agenda-innovation-interoperability-and-transparency; Turner, Dawn M. “eIDAS from Directive to Regulation—Legal Aspects.” Cryptomathic, https://www.cryptomathic.com/news-events/blog/eidas-from-directive-to-regulation-legal-aspects; van Zijp, Jacques. “Is the EU ready for eIDAS?,” Secure Identity Alliance. 9 A multimodal system does not require dependency on just one specific biometric feature.10 http://www.eiuperspectives.economist.com/technology-innovation/economic-empowerment-leaders/article/identifying-better-future.11 eID cards can be easily carried in a wallet, unlike large legal documents.12 Turner, Dawn M. “Understanding Major Terms Around Digital Signatures.” Cryptomathic.13 According to PIRA, “The global market for Personal ID credentials was valued at $5.3 billion in 2009, and is forecast to reach $9.1 billion by 2019” (PIRA, 2014).14 Excerpt from World Bank. 2016. Digital Identity: Towards Shared Principles for Public and Private Sector Coop-eration. Washington, D.C.: World Bank Group, p. 19.15 For example, see EU Cross-border Digital Authentication by Gemalto, http://www.gemalto.com/mobile/customer-cases/eu-cross-border-digital-authentication.