1 of 25

Group

Main Output / Activity

Status

2024 Goals

DeepfakesDG

Topic area mind map; Determining Group Outputs

In-progress

ANCR

Draft

ANCR

Preparing comments on the NIST full security framework

In-progress

UMA

Use-case: UK Pensions Dashboard

Draft

UMA

Education sessions for FAST HL7 WG

PEMC

Implementor Report

Draft

PEMC

Requirements

Gathering

RIUP

Information gathering for report

IAWG

Updates to SAC; All Member Ballot?; Discussing approach to non-NIST assessments

LC Approved

© Copyright 2024 Kantara Initiative Inc

2 of 25

Kantara Work Group Summary

Please include 1-2 slides about your WG

Content should include: Title of WG/DG, Link to Charter or Wiki home, Completed Work, Work in Progress

These slides will be re-used to describe our WGs, e.g. at upcoming conferences, and should be presentable in 1-3 minutes. Please feel free to update throughout the year as you see fit!

Thanks!

3 of 25

Identity Assurance WG

4 of 25

Identity Assurance (IAWG)

The IAWG has three areas of focus

  • Manage the Kantara Identity Assurance Assessment scheme and assessment criteria
  • Engage standards bodies to share industry experience and alignment
  • Produce recommendations on industry practices for identity verification, authentication and federation as well as review and comment on numerous industry published guidelines (including but not limited to NIST SP-800.63)

IAWG participants include

  • Individuals and companies from all areas of industry, government and academia
  • ID Verification service providers
  • Authentication and Federation service providers
  • Identity system assessors and auditors

IAWG leadership for 2023:

Chair, Andrew Hughes, FaceTec

Vice-Chair, Denny Prvu, RBC

Secretary, Lynzie Adams, Kantara

5 of 25

Identity Assurance WG – 2023 in Summary

https://kantara.atlassian.net/wiki/spaces/IAWG/overview

  • NIST 800-63 v4 Public Draft response
    • IAWG compiled, discussed, agreed on comments to NIST on v4 draft
    • Work ran from January through April 2023 and submitted successfully
    • NIST plans to issue a second call for public comments early 2024
  • Resolution of outstanding issues with service assessment criteria
    • Assessors and service providers find errors, unclear criteria and other issues as they work with our SAC
    • IAWG works through these issues as time allows
    • Work on outstanding issues ran from June to November 2023
    • Updated documents circulated and uploaded to the Kantara site

6 of 25

Identity Assurance WG – 2024 Plans

Feedback to NIST 800-63 v4 Call for public review

  • NIST intends to publish a second public review - IAWG will prepare a response

Realignment of IAWG to meet Kantara business plan

  • Increase focus on assessment scheme development and management
  • Increase capacity to respond to high priority industry trends
  • Address needs of non-NIST identity assurance markets
  • Involvement with different industries to provide guidance as well as mappings so constituents use common language when working together in the industry

7 of 25

UMA

Updated 6 Apr 2023

8 of 25

User Managed Access (UMA-WG)

  • 2023 Published Draft Report ‘UK Pension Dashboard Use-Case’

2024 Increase awareness of UMA in the International Health Community

  • UMA is an award-winning OAuth-based protocol set that helps individuals manage third-party access to their data, content, and service resources across different identity and resource ecosystems.

We meet Thursdays @ 1PM ET. Come join us!

  • https://tinyurl.com/uma2wg

9 of 25

User Managed Access WG – 2023 in Summary

https://kantara.atlassian.net/wiki/spaces/uma/overview

  • UK Pensions Dashboard Use-Case Report
    • After planning a financial sector or open banking report, the group decided to focus on the real UMA implementation by the UK Pensions Dashboard. The report explains the purpose of the dashboard and UMA’s unique value to the initiative. The draft is available for review: https://kantara.atlassian.net/l/cp/vuHNuDSj
  • OAuth Compatibility & Single Profile Implementations
    • UMA is composed of two complementary specifications: UMA Grant and Federated Authorization. This summer we discussed how Federated Authorization could be used alone to deliver value to implementers. This is an ongoing project focused on improving UMA’s usefulness in existing OAuth environments.

10 of 25

RIUP

11 of 25

Resilient Identifiers for Underserved Populations (RIUP-WG)

  • RIUP-WG was created in October 2022 combining the prior HIAWG and FIRE WGs

  • Charter developed, commenced early this year and was finalized in August.

  • FOCUS: facilitating online identities for underserved populations including homeless and others.

  • The ubiquity of smartphones in this population and the ability to leverage their features will help engage beneficiaries in many forms of ecommerce and multiple transactions required for healthcare, financial and other services required in years to come.

  • Co-Chairs are Jim Kragh and Tom Sullivan, MD, both long-standing Kantara members and prior NIST-supported NSTIC/IDESG members, as were Catherine Schulten (Vice Chair) and Noreen Whysel (Secretary).

  • RIUP will collaborate with other Kantara work-groups and outside entities, e.g. The Carin Alliance, looking for solutions to the problems affecting the Underserved.

  • Pragmatic solutions will prioritize research on existing public sector programs that have addressed the need for trusted, digital identifier ecosystems, e.g. the San Diego 211 experience, the Washington State MDL and others we can explore to determine how to share the NIST 800-63-4 draft guidelines.

  • Currently we are recruiting new members and researching grants to facilitate reaching our goals.

12 of 25

PEMC

13 of 25

Privacy Enhancing Mobile Credentials (PEMC - WG)

  • Work is progressing on the Early Implementors Report.
    • Hope to put it to a vote in Q2
  • WG Charter has been updated

14 of 25

Guidance from the draft Early Implementors Report

Providers

Providers must ensure their apps/wallets accurately present a verifier’s request to the holder and collect consent from the holder before the release of data to the verifier. Providers have discretion as to how the consent is presented so long as the requirements in the prior sentence hold (e.g. a one-time request for repeat visits, or a real-time consent at every presentation). Providers must allow holders to remove their mobile credential from the device.

Issuers

An Issuer (Organization) is responsible and accountable for collecting information about the Holder that it uses to create a credential for the Holder… The provisioning from the Issuer should convey the privacy obligations from the Issuer to the Provider. In general, an Issuer will seek to collect and maintain only as much information about the wallet/app capabilities as needed, and take reasonable steps to validate that any wallet/app into which it provisions a Holder’s data respects the Holder’s privacy.

Verifiers

A Verifier organization processes personal data in a particular operational circumstance – the type of business, regulatory requirements, etc. Before collecting personal information from a Holder, the Verifier must determine (i.e. identify and describe) all aspects of personal data processing. Based on the particular context of any given transaction and this prior determination, the Verifier must determine the contents and type of Notice(s) it will share with Holders.

15 of 25

ANCR

16 of 25

Advanced Notice and Consent WG

Advancing human data control by recording notice transparency

ISO 27560

Consent Record Information Structure

Liaison Comments

Federal Trade Commission ANPR

Commercial Surveillance and Data Security WG Comments

2 Factor Notice

  • Notice of Risk
  • Proof of Notice

ANCR WG in 2023

Building Community Through Collaboration

W3C Consent Community Group

ToIP Controller Credential

IEEE Digital Privacy Initiative Cybersecurity for Next Generation Connectivity

Other Kantara WGs UMA, PEMC, IAG, RIUP

and their Communities

NIST IAM Roadmap calls for transparency measures

17 of 25

Transparency Performance Indicators

TPI 1 - Timing of Notice:

This TPI captures when the Controller's legal entity and accountable Privacy Officer (digital identifiers) provide notice: Before, At the time of, or After personal data is captured. This captures if dynamic transparency is available systematically and when. It provides a way for an individual to assess if they can trust a service or not before.

TPI 2 - Required Data Elements

This TPI captures the extent to which the required data elements for processing are available. These elements are fields that must be provided in the Notice by the entity processing your data, including who is accountable and the privacy contact information (access point, UX) for control and access to personal information.

Notice of who is processing your data is required for all legal justifications for processing personal data in privacy law, as well as a fundamental security requirement, to identify the legal entity, in many cases all beneficial owners, and the accountable person(s).

TPI 3 - Transparency Accessibility

This TPI measures the performance of transparency accessibility by capturing the availability of the required information in TPI 2. For example, is the information presented in a pop-up notice, or is it required to click a link, e.g. to a standard transparency/privacy policy? Is it on the first screen, or is it at the bottom of a multi-screen display (with links not highlighted)?

TPI 4 - Security Information Integrity

This TPI captures the Secure Sockets Layer/Transport Layer Security (SSL/TLS, e.g. 1.3) certificate or security keys (e.g. JOSE) to compare its metadata against the required information in TPI 2. This is very much along the lines of Certificate Transparency, but looking specifically at whether the policies cover the Notice: for example, do the SSL certificate's Organization Unit and Jurisdiction fields match the captured legal entity information, and do the policy and jurisdiction here relate to other beneficial entities? Importantly, does this policy align with the policy expectations of the person?
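
One way to run the TPI 4 comparison, as an added example that is not part of the Kantara deck: it checks certificate subject fields, in the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`, against legal-entity fields captured from a notice. The notice field names, the verdict labels and both sample certificates are constructed assumptions.

```python
# Added example (not Kantara code): TPI 4 style check of certificate subject
# metadata against the legal-entity fields captured from a notice (TPI 2).
# Notice field names (left) are hypothetical; certificate attribute names
# (right) are those used by ssl.SSLSocket.getpeercert().
FIELD_MAP = {
    "legal_entity": "organizationName",
    "org_unit": "organizationalUnitName",
    "jurisdiction_country": "jurisdictionCountryName",
}

def subject_to_dict(cert):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: [values]}."""
    out = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            out.setdefault(name, []).append(value)
    return out

def _norm(text):
    # Compare case-insensitively and ignore runs of whitespace.
    return " ".join(text.casefold().split())

def tpi4_compare(cert, notice):
    """Return a per-field verdict: match, mismatch, absent-in-cert, missing-in-notice."""
    subject = subject_to_dict(cert)
    result = {}
    for notice_field, attr in FIELD_MAP.items():
        claimed, present = notice.get(notice_field), subject.get(attr, [])
        if not claimed:
            result[notice_field] = "missing-in-notice"
        elif not present:
            result[notice_field] = "absent-in-cert"
        elif _norm(claimed) in {_norm(v) for v in present}:
            result[notice_field] = "match"
        else:
            result[notice_field] = "mismatch"
    return result

def tpi4_summary(result):
    """fail on any mismatch, pass only if every field matched, else indeterminate."""
    verdicts = set(result.values())
    if "mismatch" in verdicts:
        return "fail"
    return "pass" if verdicts == {"match"} else "indeterminate"

# Constructed samples. A domain-validated certificate names only the host, so
# it carries no organization data to compare and the check cannot decide.
EV_CERT = {"subject": ((("jurisdictionCountryName", "GB"),),
                       (("organizationName", "Example Pensions Ltd"),),
                       (("organizationalUnitName", "Privacy Office"),),
                       (("commonName", "www.example.test"),))}
DV_CERT = {"subject": ((("commonName", "www.example.test"),),)}
NOTICE = {"legal_entity": "example pensions  ltd", "org_unit": "Privacy Office",
          "jurisdiction_country": "GB"}
```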

18 of 25

Deepfake/AI Threats to ID Proofing and Verification

19 of 25

DeepfakesIDV Discussion Group

The DeepfakesIDV group has one major objective

  • To become a source of reliable information about current and emerging threats from AI-related techniques to ID proofing and verification systems

The group approach is to

  • Collect, curate and discuss relevant documents and links
  • Develop simple descriptive material to explain how these systems work, the nature of attacks, possible countermeasures and trends and emerging capabilities
  • Prepare audience-specific reports, presentations, webinars based on the curated material

IAWG participants include

  • Individuals and companies from all areas of industry, government and academia
  • ID Verification service providers
  • Biometrics experts

DeepfakesIDV leadership for 2023:

Chair, Andrew Hughes, FaceTec

Vice-Chair, Denny Prvu, RBC

Vice-Chair, Jay Meier, FaceTec

Marketing lead, Maxine Most, Accuity

20 of 25

Deepfake Threats to IDPV group – 2023 in Summary

https://kantara.atlassian.net/wiki/spaces/DGDF/overview

  • Activity in 2023
    • Developed a mind map to capture the context of the group’s work
    • Defined key topic areas and assigned a leader for each
    • Weekly meetings to explain topic area content to the group and discuss/debate
    • Meetings are lively and we are all learning rapidly

21 of 25

Deepfake Threats to IDPV group – 2024 Plans

Planned Activities

  • Conclude the collect/curate phase
  • Develop outbound content from the curated material
  • Market, promote, engage, present, talk about, raise awareness…
  • Determine next phase of work (i.e. more discussion? Create requirements documents?)

22 of 25

Diversity, Equity, Inclusion, and Accessibility (DEIA) Initiative

23 of 25

Our commitment to Diversity, Equity and Inclusion (DEI) stems from our vision of an equitable exchange.

At the heart of this is the idea of equity—the trust that everyone can access what they need. We only achieve this by understanding and accounting for diversity, because it is the diversity of our experiences and perspectives that defines identity.

The attributes and artifacts we use in solutions to establish identity are physical reflections of who we are, so until we design for inclusion, these solutions will continue to be incomplete.

24 of 25

Our Progress In 2022

May

Launched DEI Survey to collect Market Input

June - November

Evaluated survey results to synthesize key findings, thematic areas, and opportunities

Overall Highlights

  • 75% of respondents are active members of Kantara Initiative
  • Vast majority of respondents (nearly 82%) are Identity Service Providers (IDSPs)
  • 93% of respondents are actively investing in DEI with just 7% still to commence a DEI program

December (Now)

Standup of a DEI committee to guide action in key areas:

  • Fostering greater consistency in the framing of DEI for identity providers and solutions
  • Creating a summarized report and outlook for industry in the coming months
  • Driving engagement as a community and helping to evolve our efforts.

25 of 25

Moving Forward in 2023

Establishment of a DEIA Board Subcommittee

(Target audience includes service providers, relying parties, standards policies, and policy makers)

  • Developing artifacts to document consensus for digital identity taxonomy and terminology
  • Developing educational collateral to help raise the IQ across business functions
  • Developing ROI calculators and approaches for DEIA in digital identity
  • Expanding collaboration across external bodies and industry groups
  • Developing service provider maturity model and assessment framework

Gaps Identified

Lack of uniform measurement for identity outcomes, including return on investment (ROI) and equitability

Lack of common terminology across providers and relying parties

Lack of maturity model that highlights opportunity for improving equitable outcomes for digital identity

Lack of framework and criteria for assessing vendor ability to enable equitable digital identity outcomes
