Method and system for interoperable identity and interoperable credentials
Abstract
Method, system, and programs for interoperable identity and interoperable credentials. In one example, an authentication request is received that originated from an online user in connection with an application having a first LOA. The authentication request includes an identity assertion and a digital identity is searched to identify a GUID associated with the digital identity matching the identity assertion. One or more credentials that are bound to the GUID at the first LOA or a higher LOA are provided. A selection of at least one credential is received. Information of the selected credential that includes a credential verification service capable of verifying the selected credential is received. Verification of the selected credential of the online user based on the GUID is requested. A verification response is received. The online user is authenticated at the first LOA when the verification response indicates that the selected credential is successfully verified.
Claims
exact text as granted — not AI-modifiedWe claim:
1 . A method comprising:
storing a plurality of credentials associated with a globally unique identifier (GUID) corresponding to a person, each of the plurality of credentials being stored with a respective level of assurance and being associated with a respective credential service agent; receiving a credential request from an application, the credential request including an identity assertion and a requested level of assurance; determining a set of credentials from the plurality of credentials, the set of credentials including credentials with a respective level of assurance that is equal to or higher than the requested level of assurance and having a GUID matching the identity assertion; and providing a user interface in response to the credential request that displays the set of credentials so that each credential in the set of credentials is selectable by the user, wherein the application uses the respective credential service agent to authenticate a user-selected credential from the set of credentials before allowing access to the application.
2 . The method of claim 1 , wherein the application lacks an associated credential.
3 . The method of claim 1 wherein the identity assertion is a universal name.
4 . The method of claim 3 wherein the universal name is a concatenation of a given name, a special character, and a chosen name.
5 . The method of claim 1 , further comprising:
determining none of the plurality of credentials with a GUID matching the identity assertion have a level of assurance equal to or higher than the requested level; activating an identity proofing process that has a level of assurance matching the requested level of assurance, wherein success of the identity proofing process results in a credential with the requested level of assurance; and providing the credential with the requested level of assurance as the set of credentials.
6 . The method of claim 5 , wherein the credential with the requested level of assurance is one of the plurality of credentials and the method further includes updating the respective level of assurance with the requested level of assurance responsive to the success of the identity proofing process.
7 . The method of claim 1 , wherein a credential verification service independent of the application performs the authentication process and provides an authentication response to the application.
8 . The method of claim 1 , wherein the application has an associated credential and the user-selected credential differs from the associated credential.
9 . The method of claim 1 , wherein the plurality of credentials include a password, a passphrase, a personal identification number (PIN), a finger print, a voice sample, a retinal scan, a smart card, a hard token, a USB device, and a public key certificate.
10 . A method implemented on a computing device having at least one processor, storage, and a communication platform capable of making a connection to a network for managing identity information of a person, the method comprising the steps of:
receiving information related to a first credential that is associated with a person, wherein the first credential is verifiable by a first credential verification service at a first level of assurance (LOA); receiving information related to a second credential that is associated with the person, wherein the second credential is verifiable by a second credential verification service at a second LOA, the second LOA being a higher LOA than the first LOA; associating a globally unique identifier (GUID) with the first credential and the second credential; storing the first LOA with the information related to the first credential, including information related to the first credential verification service; storing the second LOA with the information related to the second credential, including information related to the second credential verification service; receiving a request from an application for verifying credentials, the request specifying a requested LOA and resolving to the GUID; identifying the first credential and the second credential as associated with the GUID; and providing the second credential as a verification option responsive to determining that the second LOA meets or exceeds the requested LOA and the first LOA does not meet the requested LOA, wherein the application is enabled to initiate verification of the second credential through the second verification service.
11 . The method of claim 10 , wherein associating the GUID with the first credential occurs at an identity center or at a credential exchange.
12 . The method of claim 11 , wherein the identity of the person is unknown to the credential exchange.
13 . The method of claim 10 , wherein the identity of the person has been proved by an identity proofing (IDP) source at an IDP LOA that is equal to or higher than the first LOA.
14 . The method of claim 13 , wherein the IDP source includes at least one of:
an identity proofing service provider that is an approved member of a trust framework; government agency; a trusted healthcare organization; and a trusted application wherein users of the trusted application passed the identity proofing at the LOA.
15 . The method of claim 10 , further comprising:
obtaining a chosen name and a given name of the person; generating a universal name from a combination of the given name and the chosen name; and associating the universal name with the GUID.
16 . The method of claim 15 , further comprising:
receiving the universal name with the request; and using the universal name to resolve the request to the GUID.
17 . The method of claim 10 , further comprising:
receiving a selection of the second credential; obtaining verification information from the person; providing the verification information to the second credential verification service; receiving a verification response from the second credential verification service; and providing the verification response to the application.
18 . The method of claim 10 , wherein the application lacks an associated credential.
19 . The method of claim 10 , wherein the level of assurance represents a degree to which a relying party can be assured that the credential represents the person.
20 . A system comprising:
a processor; a memory storing a plurality of credentials, each of the plurality of credentials being associated with a globally unique identifier (GUID) corresponding to a person, and each of the plurality of credentials being stored with a respective level of assurance; and memory storing instructions that, when executed by the at least one processor, causes the system to perform operations including:
receive a credential request from an application, the credential request including an identity assertion and a requested level of assurance,
determine a set of credentials from the plurality of credentials, the set of credentials including credentials with a respective level of assurance that is equal to or higher than the requested level of assurance and having a GUID matching the identity assertion,
provide a user interface in response to the credential request that displays the set of credentials so that each credential in the set of credentials is selectable by the user, and
responsive to selection of a credential from the set of credentials, using the credential in an authentication process before allowing access to the application.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.