Directive on Identity Management - Appendix A: Standard on Identity and Credential Assurance

Note to reader

The Standard on Identity and Credential Assurance took effect on July 1, 2019. It replaced the Standard on Identity and Credential Assurance that was in effect from February 1, 2013 to June 30, 2019.

Appendix A. Standard on Identity and Credential Assurance

A.1 Effective date

  • A.1.1This standard takes effect on July 1, 2019.
  • A.1.2This standard replaces the Standard on Identity and Credential Assurance, dated February 1, 2013.

A.2 Standards

  • A.2.1This standard provides details on the requirements set out in subsection 4.1.7 of the Directive on Identity Management.
  • A.2.2Standards are as follows:

    Identity assurance levels

    • A.2.2.1Level 4: very high confidence required that an individual is who they claim to be;
    • A.2.2.2Level 3: high confidence required that an individual is who they claim to be;
    • A.2.2.3Level 2: some confidence required that an individual is who they claim to be; and
    • A.2.2.4Level 1: little confidence required that an individual is who they claim to be.

    Credential assurance levels

    • A.2.2.5Level 4: very high confidence required that an individual has maintained control over a credential that has been entrusted to them and that the credential has not been compromised;
    • A.2.2.6Level 3: high confidence required that an individual has maintained control over a credential that has been entrusted to them and that the credential has not been compromised;
    • A.2.2.7Level 2: some confidence required that an individual has maintained control over a credential that has been entrusted to them and that the credential has not been compromised;
    • A.2.2.8Level 1: little confidence required that an individual has maintained control over a credential that has been entrusted to them and that the credential has not been compromised.
  • A.2.3The minimum requirements for establishing an identity assurance level are shown in Table 1.
    • A.2.3.1Ensure that the minimum requirements are met, or appropriately manage the related risks.
Table 1: minimum requirements for establishing an identity assurance level
RequirementLevel 1Level 2Level 3Level 4
Uniqueness
  • Define identity information
  • Define context
Evidence of identity
  • No restriction on what is provided as evidence
  • One instance of evidence of identity
  • Two instances of evidence of identity (at least one must be foundational evidence of identity)
  • Three instances of evidence of identity (at least one must be foundational evidence of identity)
Accuracy of identity information
  • Acceptance of self-assertion of identity information by an individual
  • Identity information acceptably matches assertion by an individual and evidence of identity, and
  • Confirmation that evidence of identity originates from an appropriate authority
  • Identity information acceptably matches assertion by an individual and all instances of evidence of identity, and
  • Confirmation of the foundational evidence of identity, using an authoritative source, and
  • Confirmation that supporting evidence of identity originates from an appropriate authority, using an authoritative source

Whenever any of the above cannot be applied:

  • inspection by trained examiner
Linkage of identity information to individual
  • No requirement
  • No requirement

At least one of the following:

  • knowledge-based confirmation
  • biological or behavioural characteristic confirmation
  • trusted referee confirmation
  • physical possession confirmation

At least three of the following:

  • knowledge-based confirmation
  • biological or behavioural characteristic confirmation
  • trusted referee confirmation
  • physical possession confirmation
  • A.2.4Assurance levels for trusted digital identities when participating in an approved trust framework are as follows:
    • A.2.4.1Level 4: very high confidence required in the electronic representation of a person, used exclusively by that same person;
    • A.2.4.2Level 3: high confidence required in the electronic representation of a person, used exclusively by that same person;
    • A.2.4.3Level 2: some confidence required in the electronic representation of a person, used exclusively by that same person; and
    • A.2.4.4Level 1: little confidence required in the electronic representation of a person, used exclusively by that same person.