Standards—a set of specifications and procedures with respect to the operation, maintenance, and reliability of materials, products, methods, and services—are the backbone of the technical architecture of the ID system. They establish universally understood and consistent interchange protocols, testing regimes, quality measures, and good practices with regard to the capture, storage, transmission, and use of identity data, as well as the format and features of identity credentials and authentication protocols.
Standards are rigorously defined by organizations who set up, publish, monitor, and continuously update standards to address a range of issues related to ID systems. Standard-setting bodies including international organizations (e.g. the International Organization for Standardization or ISO, the International Telecommunication Union or ITU, the International Civil Aviation Organization or ICAO, the International Electrotechnical Commission or IEC, etc.), regional organizations such as the European Committee for Standardization (CEN), and national organizations such as the U.S. National Institution of Standards and Technology (NIST) or the Unique Identification Authority of India (UIDAI). In addition, a number of industry consortia and non-profit organizations—such as the Fast Identity Online (FIDO) Alliance, Open Identity Exchange (OIX), and GSMA’s Mobile Connect—are also involved in developing standards.
The choice of standards is essential at each stage of the identity lifecycle, and has implications for:
Technology and vendor neutrality (see Box 44)
The accuracy, quality, and consistency of data collection and the security of the system
The interoperability of the ID system and the mutual recognition of credentials with other systems or jurisdictions
The level of trust in identities and authentication protocols
System and information security standards and protocols
The procurement process
For example, by adopting open standards for an ID system, there is a better chance that it will be able to communicate with other information systems (even if they adopt different standards) and that the software and hardware (and/or an external service provider) could be changed with minimal additional costs and processes. For example, adoption of open standards for raw biometric images (e.g. WSQ or JPEG2000) would allow an ID authority to re-generate templates using a replacement ABIS instead of having to pay fees for images in a proprietary format to be converted into open formats. In some cases, products or services might be offered at a reduced upfront cost provided that the data and technology is proprietary, which could lead to problems in the future when change is required. The outcome of adopting open standards is a reduced long-term cost and greater flexibility, control and ownership.
In particular, this Guide focuses on standards across two categories of standards that are vital for ensuring technology and vendor neutrality, the quality of data collection, and interoperability and mutual recognition:
Technology standards, which govern the software and hardware components of the ID system and the systems and platforms that enable machine-to-machine communication for interoperability
Data standards, which govern the format or rules for structuring the data collected by the ID system
Each category of standards is described below, followed by guidance on existing international standards and their implications. For more detailed information, consult the ID4D Catalog of Technical Standards. Future versions of this Guide will also include more detailed standards for security, including cybersecurity.
Box 44. Vendor and technology neutrality
The Principles highlight the need for open standards to ensure vendor and technology neutrality. A technology neutral design is one that approaches the ID system in an output-oriented way instead of requiring specific technologies. A vendor neutral design ensures that a sufficient number of vendors are available to implement and improve the system to ensure competition.
Technology and vendor neutral designs limit dependence on specific technologies and vendors, allowing for competition, lower prices and improved system flexibility including for future upgrades or introduction of new features. Conversely, dependency on a particular technology or a particular vendor can result in vendor or technology “lock-in”, which can increase costs and reduce the flexibility of the system to meet a country’s needs as they develop.
Using open standards can help ensure that an ID system is interoperable, and technology neutral. However, if the standard is not widely adopted, this may be indicative of a problem and it may be difficult to ensure competition. In some instances, a closed solution may actually offer greater performance than an open standard. If such cases, practitioners should protect against vendor lock-in through good procurement practices and by selecting systems components that support open API standards and allow access to data in portable, open formats (e.g., using data standards). This approach will also enable components to be switched in and out of the ID system over time as vendors change or as new, more efficient solutions are developed. In addition, proprietary standards may be preferred for functions of an ID system that are self-contained and do not require interoperability (e.g., deduplication), assuming vendor lock-in is not a concern.
Source: Adapted from the ID Enabling Environment Assessment (IDEEA).