What is BS 8626 about?
Organizations providing online authentication services need to ensure that access is only provided to relevant authorized users in an effective and efficient way. BS 8626 is a new British Standard on how to design and operate an online user identification system. BS 8626 applies where the user initiates the process of identification/authentication for an online service supplied by a relying party (RP).
BS 8626 also describes various categories of authentication methods, together with their inherent vulnerabilities.
Note: BS 8626 does not give recommendations for single sign-on systems; digital identity federation schemes; password application managers and password generation software; and attribute sharing between organizations in a contractual relationship. The de-identification of data relating to digital identity is beyond the scope of this standard, but guidance on this is given in BS ISO/IEC 20889. This standard does not cover security controls in networks, intelligent computers, operating systems, application software and supporting utilities, or input devices.
Who is BS 8626 for?
BS 8626 on online user identification systems is useful for:
- Organizations seeking to introduce an online user identification system as part of the design for a new application service
- Organizations revising an operational deployment
BS 8626 covers customers in all sectors, particularly in financial services.
Why should you use BS 8626?
BS 8626 helps you to understand the categories of user identification systems. BS 8626 also provides details about the three types of user identification systems – knowledge-based, possession-based, and biometric-based. BS 8626 makes recommendations for selecting or enhancing your current user identification system.
In addition, BS 8626 highlights the inherent vulnerabilities of each category. BS 8626 provides recommended measures to mitigate the potential exploitation of these identified vulnerabilities.
BS 8626 also assists in the development of a risk mitigation strategy as part of developing a supporting performance management strategy and plan. BS 8626 provides recommendations and guidance for resolving cost challenges associated with running these systems.
Recommendations given for establishing or revising an OUIS (online user identification system) include:
- Business objectives and requirements
- Requirements for protecting the lifecycle management of digital identities associated with individuals
- Requirements for protecting data used specifically for the processes of identifying or authenticating individuals
- Requirements for protecting against attacks on specific types of user identification methods (including biometrics) and modes of operation
- The controls for managing the lifecycle of users’ digital identities for an OUIS