It should be noted that strong authentication without verified identity will only serve to ensure that the same entity is returning to services over time NOT that the entity in question is the right person or indeed a valid identity. It should be identity assurance i.e. the combination of identity verification and proofing and a credential issued in accordance with recognised standards linked to that identity that is used for authentication if the prevention of fraud is to be successful.
There is much evidence that standards for identity assurance, including strong authentication, should be outcome based rather than specific technical or technology requirements. The UK government national eID scheme GOV,UK Verify, the EU eIDAS Regulation, and the recent NIST 800.63 draft all place importance on outcome based requirements rather than detailed technical specifications where identity proofing or strong authentication means are concerned.
The key here is interoperability. The UK and the US governments are currently working together to ensure interoperability on an international basis alongside EU colleagues for the purpose of cross-border eID. There are also efforts within standards organisations such as Open ID Foundation to build profiles such as iGov for the purpose of interoperability and the federation of identity in the public and private sectors. The eIDAS Regulation and its standards may be one answer but it is interoperability standards that will enable identity, and with it strong authentication, to become truly ubiquitous.
No, not at this time.
Service design and the application of multiple levels of assurance may actually be more appropriate in many circumstances. What is really being suggested here in Chapter 2 is that authentication is actually part of a risk based assessment for a selected user action / transaction.
No concerns other than answer to Q4.
Yes, provided these are outcome based requirements and do not specify solutions or technologies.
Common and secure open standards are essential. Ensuring that they are outcome based is equally important and not necessarily apparent here.
Why ISO 2022 and not simply UTF-8 and where/if necessary base64 encoding?
No. QTSPs are one possible solution. We should not tie specifications to a single solution.
No comment other than to say that limitations of this kind may be restrictive in some applications. It should be for the user to consent to such configurations / use patterns if that suits a particular need.
Government based identity assurance and international standards