Method and system for interoperable identity and interoperable credentials
Abstract
Method, system, and programs for interoperable identity and interoperable credentials. In one example, an authentication request is received. The authentication request originated from an online user in connection with an application having a first LOA. The authentication request includes the online user's input. A digital identity is searched based on the online user's input. A GUID associated with the digital identity is obtained when the digital identity is found. One or more credentials that are bound to the GUID at the first LOA or a higher LOA are provided. A selection of at least one credential is received. Information of the selected credential that includes a credential verification service capable of verifying the selected credential is received. Verification of the selected credential of the online user based on the GUID is requested. A verification response is received. The online user is authenticated at the first LOA when the verification response indicates that the selected credential is successfully verified.
Claims
exact text as granted — not AI-modifiedWe claim:
1 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for managing identity information of a person, the method comprising the steps of:
receiving the person's name after the identity of the person has been proved at an identity proofing (IDP) level of assurance (LOA); receiving information related to a credential that is associated with the person, wherein the credential can be verified by a credential verification service at a LOA that is of the same or lower level than the IDP LOA; obtaining a chosen name of the person, wherein a combination of the person's name and the chosen name uniquely identifies the person; creating a digital identity based, at least in part, on the person's name and the chosen name; generating a globally unique identifier (GUID) that associates with the digital identity and binds to the person; binding the GUID with the credential; storing a record of the person that includes at least the IDP LOA and information related to the credential and the credential verification service; and transmitting information to the credential verification service that the person is to be authenticated based on a real-time user input associated with the credential.
2 . The method of claim 1 , wherein binding the GUID with the credential occurs at an identity center or at a credential exchange.
3 . The method of claim 2 , wherein the identity of the person is unknown to the credential exchange.
4 . The method of claim 1 , wherein the identity of the person has been proved by an IDP source.
5 . The method of claim 4 , wherein the IDP source includes at least one of:
an identity proofing service provider that is an approved member of a trust framework; a government agency; a trusted healthcare organization; and a trusted application wherein users of the trusted application passed the identity proofing at the IDP LOA.
6 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for authenticating an online user, the method comprising the steps of:
receiving an authentication request originated from the online user in connection with an application having a first level of assurance (LOA), wherein the authentication request includes the online user's input; searching a digital identity based on the online user's input; obtaining a globally unique identifier (GUID) associated with the digital identity when the digital identity is found; providing one or more credentials that are bound to the GUID at the first LOA or a higher LOA; receiving a selection of at least one credential from the one or more credentials; retrieving information of the selected at least one credential that includes a credential verification service capable of verifying the selected at least one credential; requesting verification of the selected at least one credential of the online user based on the GUID; receiving a verification response; and authenticating the online user at the first LOA when the verification response indicates that the selected at least one credential is successfully verified.
7 . The method of claim 6 , further comprising denying authentication of the online user when the digital identity is not found.
8 . The method of claim 6 , wherein the step of requesting verification of the selected at least one credential of the online user based on the GUID comprises:
soliciting information associated with the selected at least one credential from the online user; and sending a verification request to the credential verification service with the GUID and the received information associated with the selected at least one credential.
9 . The method of claim 6 , wherein the step of requesting verification of the selected at least one credential of the online user based on the GUID includes sending a verification request to the credential verification service with the GUID.
10 . The method of claim 6 , wherein the first LOA is 2 or 3.
11 . The method of claim 6 further comprising the steps of:
providing, upon the successful authentication, the one or more credentials;
receiving a choice of at least one of the one or more credentials; and
disabling the chosen at least one credential.
12 . The method of claim 6 further comprising the steps of:
receiving, upon the successful authentication, information about a credential with an associated LOA that is the same or lower than the first LOA, as well as a credential verification service capable of verifying the credential; and
binding the GUID with the credential and the associated LOA.
13 . The method of claim 12 further comprising the step of:
storing the received information; or
sending the received information to a credential exchange.
14 . The method of claim 6 , wherein an authenticated session is created upon the successful authentication of the online user.
15 . The method of claim 14 , further comprising sharing the authenticated session with another application.
16 . The method of claim 14 , wherein the authenticated session expires at a predetermined period of time.
17 . The method of claim 16 , wherein the predetermined period of time is configurable.
18 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for authenticating an online user, the method comprising the steps of:
storing one or more credentials associated with a globally unique identifier (GUID) corresponding to a person; receiving the GUID and a first level of assurance (LOA) associated with an application; determining at least one of the one or more credentials, wherein each of the determined at least one credential is at the first LOA or a higher LOA; and providing the determined at least one credential so that the online user who claims to be the person can be authenticated based on a credential selected from the at least one credential.
19 . The method of claim 18 further comprising receiving information about one of the one or more credentials associated with the GUID at a LOA from an identify center.
20 . The method of claim 19 , wherein the information further includes a credential verification service capable of verifying the credential.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.