What is BS 8626:2020 about?
Organizations providing online authentication services need to ensure that access is granted only to authorized users, and that this is done effectively and efficiently. BS 8626:2020 is a British Standard on how to design and operate an online user identification system (OUIS).
Who is BS 8626:2020 for?
- Organizations seeking to introduce an online user identification system (OUIS) as part of the design for a new application service
- Organizations revising an existing operational OUIS deployment
The standard applies to organizations in all sectors, and is particularly relevant to financial services.
Why should you use BS 8626:2020?
It gives recommendations and supporting guidance for the design and operation of an online user identification system (OUIS) and the corresponding user digital identity management systems.
In particular, recommendations are given for:
- Establishing or revising an OUIS, including:
  - Business objectives and requirements
  - Requirements for protecting the lifecycle management of digital identities associated with individuals
  - Requirements for protecting data used specifically for the processes of identifying or authenticating individuals
  - Requirements for protecting against attacks on specific types of user identification methods (including biometrics) and modes of operation
- The controls for managing the lifecycle of users’ digital identities in an OUIS, including:
  - Creation, proofing and issuance of a digital identity, and the formation of its associated credential
  - Authentication or recognition transactions, together with credential usage (where applicable)
  - Updates to credentials and associated data, and notification of these changes to the user
  - Revocation, expiry, reinstatement, disqualification or user cancellation of a digital identity’s credential, and the purging or archiving of digital identities
- Evaluating the effectiveness of an OUIS, including the management of identification errors such as false positives and false negatives, and its efficiency, including user transaction timings and demand on resources
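As an added illustration of the lifecycle controls listed above (example code written for this page, not material from BS 8626:2020 or from BSI), the following Python models a digital identity's credential as a state machine: creation and proofing, issuance, credential use, credential update with user notification, and the revocation/expiry/reinstatement/disqualification/cancellation and archive/purge outcomes. The state names, the permitted transitions, and the rule that only expired or revoked credentials may be reinstated are assumptions made for the example, not requirements taken from the standard.

```python
"""Credential-lifecycle state machine for an online user identification system.

Added example, not code from BS 8626:2020 or BSI. State names, transitions and
the "only EXPIRED/REVOKED may be reinstated" rule are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PROOFING = "proofing"          # identity claimed, evidence being checked
    ACTIVE = "active"              # credential issued and usable
    EXPIRED = "expired"
    REVOKED = "revoked"            # withdrawn by the service, e.g. suspected compromise
    DISQUALIFIED = "disqualified"  # user no longer eligible for the service
    CANCELLED = "cancelled"        # closed at the user's own request
    ARCHIVED = "archived"
    PURGED = "purged"


# (current state, event) -> next state. Any pair not listed is rejected.
TRANSITIONS = {
    (State.PROOFING, "issue"): State.ACTIVE,
    (State.ACTIVE, "expire"): State.EXPIRED,
    (State.ACTIVE, "revoke"): State.REVOKED,
    (State.ACTIVE, "disqualify"): State.DISQUALIFIED,
    (State.ACTIVE, "cancel"): State.CANCELLED,
    (State.EXPIRED, "revoke"): State.REVOKED,
    # Assumption: reinstatement is only offered after expiry or revocation;
    # disqualified or cancelled identities must go through proofing again.
    (State.EXPIRED, "reinstate"): State.ACTIVE,
    (State.REVOKED, "reinstate"): State.ACTIVE,
    (State.ARCHIVED, "purge"): State.PURGED,
}
# Every inactive (but not yet disposed-of) state may be archived or purged.
for _s in (State.EXPIRED, State.REVOKED, State.DISQUALIFIED, State.CANCELLED):
    TRANSITIONS[(_s, "archive")] = State.ARCHIVED
    TRANSITIONS[(_s, "purge")] = State.PURGED


class LifecycleError(Exception):
    """Raised when an event is not permitted in the identity's current state."""


def allowed(state, event):
    """True if `event` is a permitted transition out of `state`."""
    return (state, event) in TRANSITIONS


@dataclass
class DigitalIdentity:
    user_id: str
    state: State = State.PROOFING
    credential_version: int = 0            # 0 means no credential formed yet
    notifications: list = field(default_factory=list)  # messages sent to the user
    audit: list = field(default_factory=list)          # (event, from_state, to_state)

    def apply(self, event):
        """Move the identity through one lifecycle event, logging and notifying."""
        if not allowed(self.state, event):
            raise LifecycleError(f"{event!r} not permitted in state {self.state.value}")
        previous, self.state = self.state, TRANSITIONS[(self.state, event)]
        if event in ("issue", "reinstate"):
            self.credential_version += 1   # a new credential is formed
        self.audit.append((event, previous.value, self.state.value))
        self.notifications.append(f"{event}: your credential is now {self.state.value}")
        return self.state

    def update_credential(self):
        """Rotate the credential (e.g. a password change). Only an ACTIVE identity
        may do this, and the user is always told so an unexpected change is noticed."""
        if self.state is not State.ACTIVE:
            raise LifecycleError("credential update requires an ACTIVE identity")
        self.credential_version += 1
        self.audit.append(("update", self.state.value, self.state.value))
        self.notifications.append(f"update: credential version {self.credential_version}")
        return self.credential_version

    def can_authenticate(self):
        """Credential usage is only accepted for an ACTIVE identity."""
        return self.state is State.ACTIVE


def demo():
    """Walk one identity through a typical lifecycle and return its audit trail."""
    ident = DigitalIdentity("user-0001")   # constructed sample identifier
    ident.apply("issue")
    ident.update_credential()
    ident.apply("revoke")
    ident.apply("reinstate")
    ident.apply("cancel")
    return ident.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The two checks worth noting are that `can_authenticate()` is false in every state except ACTIVE (so a revoked or expired credential cannot be used even if the secret is still correct), and that every transition and credential update appends a user notification, which is what lets a legitimate user detect a change they did not make.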
BS 8626:2020:
- Describes various user authentication or identity recognition methods together with their inherent vulnerabilities
- Provides recommended measures to mitigate the potential exploitation of these identified vulnerabilities
- Assists in developing a risk mitigation strategy as part of a supporting performance management strategy and plan
This standard applies where the user initiates the identification or authentication process for an online service supplied by a relying party (RP).
NOTE: The standard does not give recommendations for single sign-on systems, digital identity federation schemes, password managers and password generation software, or attribute sharing between organizations in a contractual relationship. The de-identification of data relating to a digital identity is beyond its scope, but guidance on this is given in BS ISO/IEC 20889. The standard also does not cover security controls in networks, intelligent computers, operating systems, application software and supporting utilities, or input devices.