BS 8626:2020 Design and operation of online user identification systems. Code of practice

Formats, availability and prices:

  • English Secure PDF, immediate download: 376.80 EUR
  • E-reading, read the standard online for 1 hour: 37.68 EUR (more information in the category: E-reading)
  • E-reading, read the standard online for 24 hours: 113.04 EUR (more information in the category: E-reading)
  • English Hardcopy, in stock: 376.80 EUR
Standard number: BS 8626:2020
Pages: 122
Released: 2020-12-16
ISBN: 978 0 539 01297 2
Status: Standard
BS 8626:2020 - Design and Operation of Online User Identification Systems

In the rapidly evolving digital landscape, ensuring secure and efficient user identification is paramount. The BS 8626:2020 standard provides a comprehensive code of practice for the design and operation of online user identification systems. Released on December 16, 2020, this standard is an essential resource for organizations aiming to enhance their digital security frameworks.

Overview

The BS 8626:2020 standard is a meticulously crafted document that spans 122 pages, offering in-depth guidance on the implementation of robust user identification systems. With the ISBN 978 0 539 01297 2, this standard is recognized as a critical tool for businesses and institutions that prioritize secure online interactions.

Key Features

  • Comprehensive Guidelines: The standard provides detailed instructions on the design and operation of user identification systems, ensuring that they are both secure and user-friendly.
  • Best Practices: It outlines best practices for implementing identification systems that protect user data and prevent unauthorized access.
  • Security Protocols: The document includes recommendations for security protocols that safeguard sensitive information during user authentication processes.
  • Compliance and Standards: The standard aligns with international standards so that systems built to it meet global security requirements.

Why Choose BS 8626:2020?

In an era where cyber threats are increasingly sophisticated, the BS 8626:2020 standard serves as a vital resource for organizations looking to fortify their digital defenses. By adhering to this standard, businesses can:

  • Enhance Security: Implementing the guidelines helps in creating a secure environment for online transactions and interactions.
  • Boost User Confidence: Users are more likely to trust systems that adhere to recognized security standards, leading to increased engagement and satisfaction.
  • Ensure Compliance: Stay ahead of regulatory requirements by aligning with a standard that is recognized globally.
  • Reduce Risk: Minimize the risk of data breaches and unauthorized access by following the recommended practices.

Who Should Use This Standard?

The BS 8626:2020 standard is designed for a wide range of stakeholders, including:

  • IT Professionals: Those responsible for the design and maintenance of user identification systems will find this standard invaluable.
  • Security Experts: Professionals focused on cybersecurity can leverage the guidelines to enhance their security protocols.
  • Compliance Officers: Ensure that your organization meets necessary compliance requirements with the help of this standard.
  • Business Leaders: Executives and decision-makers can use this standard to guide strategic decisions regarding digital security.

Structure of the Standard

BS 8626:2020 is structured to provide a logical flow of information, making it easy to navigate and implement. Key sections include:

  • Introduction: An overview of the importance of secure user identification systems.
  • Design Principles: Core principles that guide the development of effective identification systems.
  • Operational Guidelines: Practical advice on the day-to-day operation of these systems.
  • Security Measures: Detailed recommendations for protecting user data and ensuring system integrity.
  • Compliance and Auditing: Guidance on maintaining compliance with relevant regulations and standards.

Conclusion

In conclusion, the BS 8626:2020 standard is an indispensable tool for any organization that values security and efficiency in its online user identification processes. By implementing the practices outlined in this standard, businesses can not only protect their users but also enhance their reputation as a secure and trustworthy entity in the digital world.

Invest in the BS 8626:2020 standard today and take a proactive step towards securing your digital future.

DESCRIPTION

This standard, BS 8626:2020 Design and operation of online user identification systems. Code of practice, is classified in these ICS categories:
  • 35.030 IT Security
  • 35.240.01 Application of information technology in general

This British Standard gives recommendations and supporting guidance for the design and operation of an online user identification system (OUIS) and the corresponding user digital identity management systems (IdMS). As authorized users, individuals can act in a personal capacity (e.g. consumer, customer or citizen) or on behalf of another individual (e.g. as a proxy) in a role in a digital identity provider (IdP) and/or relying party (RP), e.g. employee or authorized contractor. In particular, recommendations are given for:

  1. establishing or revising an OUIS, including:

    1. business objectives and requirements for an OUIS;

    2. requirements for protecting the life cycle management of digital identities associated with individuals;

    3. requirements for protecting data used specifically for identifying or authenticating individuals;

    4. requirements for protecting against attacks on specific types of user knowledge-based authentication methods, possession-based authentication methods and biometric recognition methods and modes of operation;

  2. the controls for managing the life cycle of users’ digital identities for an OUIS, including:

    1. creation, proofing and issuance of a digital identity and the formation of the digital identity’s associated credential;

    2. identification together with credential usage (where applicable);

    3. activities to update credentials and associated data, and notification of these changes to the user;

    4. revocation, expiration, reinstatement, disqualification or user cancellation of a digital identity’s credential and purging or archiving of digital identities; and

  3. evaluating the effectiveness of an OUIS, including the management of user identification errors, such as false positives and false negatives, and efficiency, including the user identification transaction timings and demand on resources.

This British Standard:

  1. describes various knowledge-based authentication methods, possession-based authentication methods and biometric recognition methods, together with their inherent vulnerabilities;

  2. provides recommended measures to mitigate the potential exploitation of these identified vulnerabilities; and

  3. assists in the development of a risk mitigation strategy, though it does not cover risk identification, protection, detection, response and recovery, as part of developing a supporting performance management strategy and plan.

The standard is applicable where the user initiates the process of user identification for an online service supplied by an RP and the processes of user identification to access an IdP’s IdMS (if applicable).

This standard covers the management of digital identities by organizations, including IdPs, and individuals’ management of the credentials allocated to them by an IdP and/or RP. It concentrates on the OUIS component of access control mechanisms. However, reference is made to the permission management associated with roles and authorization functions of associated policy decision points in decision authorization systems.

This standard is applicable to online authentication transactions that are associated with either online or offline identity proofing processes, but its recommendations might also be useful for the design of offline authentication transactions, though their applicability in these contexts requires careful consideration.

The scope of the transaction commences with the authentication/recognition request from an authorization system or access control mechanism through to the return response by the authentication/recognition subsystem, as illustrated in Figure 1. The authentication/recognition subsystem includes capture of signals from an individual through an input device, e.g. keyboard or sensing apparatus (e.g. camera), through to a decision component, which determines whether the identification data presented are sufficient to authenticate or recognize an individual within predetermined user identification assurance parameters.

Figure 1 Generic model of user identification (figure not reproduced on this page)

This standard covers the situations where the authentication and/or recognition decision engine resides either on the user’s intelligent device or in a remote information system.

This standard covers “man-in-the-middle” (MITM) attacks on authentication methods and biometric recognition methods only. It does not cover MITM authentication attacks or similar substitution attacks on networks, computer operating systems, computer programs, applications, router and/or certificate repositories. The vulnerabilities and associated mitigation controls relating to these technologies are outside the scope of this standard.

This standard does not cover security controls in networks, computers, operating systems, application software and supporting utilities or input devices.

This standard is not applicable to device identification, though, in most digital interactions, the user needs to bind their digital identity or their credential to the device, so that the device can be trusted by the network and/or IdP or RP. The exclusion of device identification applies equally to a user’s device and the user’s application authentication of a remote information system (e.g. web server gated cryptography hosting the RP’s application or resource).

NOTE An example of the use of device identification is the binding of a user to their mobile phone’s international mobile equipment identifier (IMEI) or to the subscriber identity module (SIM) or international mobile subscriber identity (IMSI), to prevent an attacker replacing the SIM in a stolen mobile phone and impersonating the genuine user.

This standard does not give specific recommendations for:

  • single sign-on systems;

  • digital identity federation schemes;

  • password application managers and password generation software; and

  • attributes sharing between organizations in a contractual relationship.

The de-identification of data relating to a digital identity is outside the scope of this standard, but guidance on this is given in BS ISO/IEC 20889.