Implementing the Binding Assurance Standard
Guidance on the interpretation of Binding Assurance Standard controls and how to conform with them.
Help us create the best guidance possible
If you would like anything added to or clarified in this guidance, email the Identification Management team at idmstandards@gdda.govt.nz.
Introduction
Binding Assurance is about the degree to which an Entity claiming information is the actual subject of that information (does the information belong to or relate to it or them).
If Entity binding is not done or insufficiently done, it increases the likelihood of identity theft and service takeover. The controls for Entity binding are covered in the Binding Assurance Standard.
Binding Assurance does not make any judgement as to whether the Entity Information is accurate or not, this is covered as part of the Information Assurance Standard.
Entity binding is carried out on each piece of information, not to a record or account. The connection of an Entity to a record or account is Authentication, this is covered in the Authentication Assurance Standard.
To meet a specific level of binding assurance all controls at that level need to be met. The levels aren’t accumulative, so multiple levels aren’t applied. If the Entity binding process has not been assessed or was unable to achieve the lowest level, the process is not conformant, and the level of assurance value will be absent or null.
Definitions for key terms used in this guidance can be found in Identification terminology.
This living guidance will evolve and expand over time to meet the needs of users.
Guidance for Entity Binding
Entity Binding is the process of confirming to a level of assurance, that an Entity is related to each piece of information collected about the Entity.
Authentication is the process of using an Authenticator and determining if it’s genuine. Authentication Assurance is about confirming to a level of assurance, that the Entity and their Authenticator remain connected to the account, record or Credential that contains the Entity’s Information.
Objective 1: Binding risk is understood
Applying a risk-based approach to binding assurance helps to identify the aspects of binding that drive the level of risk. Understanding this enables the development of a wide range of mitigation strategies.
BA1.01 Guidance — risk assessment
Any robust risk assessment process may be used to identify the binding risk posed. Guidance and tools have been developed to help with undertaking an identification risk assessment and to provide the optimum level of assurance as an output.
Objective 2: Entity can claim an instance of Entity Information
During an enrolment process, the Entity remains linked to the Entity Information they have provided, if it's carried out in a single session. If there is a break in the enrolment process or when the Entity returns to the service in the future, without an Authenticator, they need to be able to claim (connect) to their Entity Information.
Entity Information that has not been bound to an Entity or Authenticator is deemed to be orphaned. This often occurs where Entity Information has been received by a Relying Party outside an enrolment process. This Entity Information is unbound in the context of that Relying Party and therefore orphaned. The level of binding assurance is absent or null.
- A hospital providing the Registrar of Births, Deaths and Marriages information about the birth of a child.
- The Electoral Commission providing a Local Body information about eligible voters for an upcoming election.
In these examples the Registrar and the Local Body now hold Entity Information that an Entity has yet to claim.
An instance of Entity Information is often referred to as an ‘account’ or a ‘record’. When stored in a system, Entity Information may not be in one place. How and where Entity Information is stored is outside the scope of Identification Management.
BA2.01 Guidance — identify instance of Entity Information
Depending on the context, individual attributes within Entity Information can be similar or the same.
If the Relying Party does not collect enough information to identify the right instance, multiple instances of Entity Information can be found and there is an increased likelihood the incorrect instance might be used.
Additional information should be requested until it’s certain the correct instance has been identified, before beginning any binding processes.
BA2.02 Guidance — instances are known to be claimed
Not recording any information about an attempt to claim an instance of Entity Information, successful or not, can increase the likelihood that the Entity Information becomes vulnerable to being taken over by an Entity who is not the rightful claimant.
The recording or registering of Authenticators is the easiest way in which to do this.
If a subsequent claim occurs to Entity Information that has already been recorded as having been bound, this should raise concern.
An investigation should occur to determine the rightful claimant. Where the Entity Information has either been orphaned or unclaimed for any period, it should never be assumed that the first Entity to claim the instance is the correct one.
Objective 3: Entity is the subject of Entity Information
Failure to identify the correct Entity Information is an avenue for identity theft. Failure to carry out sufficient binding of an Entity to Entity Information is another. These controls cannot be replaced by relying on or increasing the level of information assurance.
BA3.01 Guidance — establish binding level
The Identification risk assessment process can be used to determine the level of binding assurance (BA) required, for linking or binding the Entity to their information.
Alternatively, use an analytical assessment considering the following:
- the key business drivers and outcomes
- risk of financial loss or liability
- risk to the privacy, standing, reputation or safety of people
- harm to agency programmes or the public interest
- any direct downstream effects, this could include other parties that will rely on the outcome (for example, a credential).
- Level 1 — Binding is very light, possibly aligned to self-asserted information, nil or negligible impact if another Entity uses the information.
- Level 2 — A distinct link is needed between the Entity and their information for some business decisions. There is some expectation by the Entity that their information is not being misused.
- Level 3 — The Entity and Entity Information need to be solidly bound to ensure that decisions made, and services provided are to the entitled Entity. Impacts from incorrect binding are severe. There is a strong expectation by the Entity that their information is not being misused.
- Level 4 — The Entity and Entity Information are absolutely bound. Services provided to a non-entitled Entity have severe impacts. There is a very high expectation by an Entity that their information is not being used by any other party.
To absolutely bind at level 4 does not always require physical presence. The channel in which the interaction is occurring, for example a phone call or online session, needs to be live with the Entity when the information is generated.
BA3.02 Guidance — binding process
The Entity Binding process is about connecting a specific piece of information to a specific Entity. Establishing that an Entity is associated with a wider set of Entity Information, for example an account or record, is the process of authentication, and the Authentication Assurance Standard and guidance need to be used.
Authentication Assurance Standard
Successful binding relies on the ability of the Entity to respond to challenges using one or more of the following factor types:
- Knowledge factors that are not publicly known, easily determined or predictable.
- Possession factors that contain enough features to assess as genuine.
- Biometric factors with appropriate measures to detect spoofing attempts.
The more critical the risk associated with incorrect Entity binding, the higher the level needed.
Initial Entity Binding is most often done using a Credential with an Authenticator established in another context, where the information being bound is the same in both contexts.
When using a Credential of equal or greater assurance level, both the Authenticator and the binding level of the Credential information need to be at the same level or higher than the level to be achieved.
Binding to a set of information in a Credential doesn’t automatically bind other information associated to that information, especially if it’s from another context. For example, using a passport to bind a name and date of birth does not bind any other related information.
- A passport could be used to bind at levels 1, 2 and 3 if the information in the passport is the same as the Entity Information to be bound, it has a declared level of Binding Assurance of at least 3, it’s physically presented, and the photograph is compared manually with the Entity.
- A RealMe Verified Account could be used to bind up to level 3 as the Authenticator attached to it is level 3, provided it also declares Binding Assurance at level 3.
An instance of a Credential where the Binding Assurance level is higher than the Information Assurance level has not been identified. Therefore, it’s not currently known if there are any related requirements needed for the level of Information Assurance when binding.
BA3.03 Guidance — quality of binding evidence
As with the evidence for information assurance, the quality of the evidence used to bind is also important. In many solutions it may be the same evidence used to establish the accuracy of information as is used to bind it, so the same quality assessment applies.
With the increase in digital Credentials there will be a shift away from manual identification of security features to systematic. Look for digital Credentials that are verifiable credentials (vc) as these are the digital solution to the physical security features in a document.
BA3.04 Guidance — level assumptions
If the Credential Provider has not indicated the level/s of assurance of their Credential, it can be dangerous to assume what these might be. Ideally, the Credentials should be treated as level 1. However, until declaration of levels of assurance becomes embedded, a pragmatic approach to accepting Credentials as having higher levels will need to be taken.
Estimation of levels of assurance, where not declared, will need to be done in conjunction with the Credential Provider and approved assessors or evaluators of the Identification standards.
BA3.05 Guidance — limit unsuccessful attempts
Allowing an Entity to continue to attempt to bind to a record can indicate an attempt to associate with another Entity’s information. This can be for the intention of undertaking fraud or just to cause nuisance.
Letting this continue unchecked increases the likelihood that an unauthorised Entity will eventually be successful.
The number of allowable attempts will be proportional to the risk of incorrect binding, which has been established and the other mitigation which are in place.
Objective 4: Entity uniqueness in a context
There is a substantial difference between ensuring that each instance of Entity Information in a context is unique and ensuring that each Entity participating in a context has only 1 instance of Entity Information.
A single Entity associating themselves with multiple instances of Entity Information can have negative outcomes in certain contexts. For example, passports, justice or certain entitlements.
BA4.01 Guidance — 1 and only 1
Currently the most effective way to ensure an Entity is only enrolled once in a context is to use a biometric characteristic where any new Entity entering the context is compared to all existing Entities in the context to reduce duplication.
As this is a costly exercise to do, the risk being mitigated and the benefits of doing so need to be considered.
Objective 5: Entity Binding integrity is maintained
Once an Entity has been bound to Entity Information, it will only last for the length of that interaction. When the Entity leaves, the connection to the Entity Information is broken. The essence of the binding can be held through the registering of an Authenticator at the equivalent level. However, if this Authenticator does not have a biometric component, there is a risk that over time it may come into the possession of another Entity. Possession by another Entity means that the binding between the Entity and Entity Information is also compromised.
To mitigate against misappropriated and misused Authenticators, retest at Entity Binding at regular intervals. Retesting also ensures that Entity Information not used on a regular basis is appropriately managed if the Entity it relates to is deceased or otherwise inactive.
This also provides an opportunity to increase the binding level if additional risk is present.
Changes to the risk profile for the service or transaction and increases in binding level, are also opportunities to proactively retest Entity Binding.
BA5.01 Guidance — retest binding
Retesting Entity Binding involves carrying out an event that does not rely solely on the Authenticator, unless it contains a biometric factor as part of the authentication process.
These events should involve direct contact with the Entity but do not necessarily have to take place face-to-face. For example, it could be by phone.
If the Entity has an Authenticator with a biometric element but it’s not the primary method of authentication this could be used to facilitate the process of retesting the Entity Binding.
- Every time a passport is physically presented, and the image is compared with the holder, the binding is being tested.
- An Entity Binding process done when a Credential (especially one without a biometric) is being reissued or renewed after expiry.
- Requiring an Entity to attend in-person every so often, where a binding process occurs, in order to continue to receive the benefit of a service.
BA5.02 Guidance — counter fraud
Counter fraud techniques are activities that contribute to binding assurance after the decision to bind and to complete the enrolment of the Entity.
For more information refer to Counter fraud techniques.
BA5.03 Guidance — investigation
It’s important to keep good records, regardless of the way in which binding assurance is carried out. The ability to investigate the processes, is a contributing element to building trust in those processes.
What and how much information is recorded about the processes undertaken will depend on the risk behind the need for enrolling the Entity plus any requirements under legislation, such as the Public Records Act 2005.
Public Records Act 2005 — New Zealand Legislation
Contact
Government Digital Delivery Agency (GDDA)
Email: idmstandards@gdda.govt.nz
Utility links and page information
Last updated