An Introduction to Assurance

Assurance Within InCommon

InCommon, operated by Internet2, is a consortium of members of the U.S. higher education community dedicated to creating and supporting a common trust framework for U.S. education and research. This includes an assurance program, an identity management federation, and certificate and multifactor authentication ("two-step verification") services.

Within the context of InCommon, "assurance" refers to an institution's practices around user management. InCommon assurance rules cover identity proofing (such as checking government-issued ID before accepting that people are who they say they are), password handling (including making sure that passwords are not sent or stored in the clear), and authentication (such as ensuring the resistance of an authentication method to session hijacking).

InCommon currently has two levels of assurance — Bronze and Silver — for which an institution acting as an identity provider (IdP) can qualify. These qualifications are based upon the NIST Level of Assurance (LoA) standards set out in Special Publication 800-63-2, with Bronze comparable to LoA 1 and Silver equivalent to LoA 2. Institutions can self-certify that they have met all of InCommon's Bronze requirements; however, to achieve Silver status, an institution must also be audited by an InCommon-approved evaluator.

Institutions can still "play" within InCommon as an IdP without having qualified for either Bronze or Silver. However, as identity assurance and attribute security continue to become vital issues for those offering services in the academic sector, the value of certification is only expected to grow. An increasing number of organizations are indicating that they will require certification to access sensitive resources, particularly federal organizations such as the National Institutes of Health.

Harvard's Participation in InCommon

In addition to several Harvard service providers (SPs) affiliating with InCommon, the Harvard identity provider (IdP) filed for Bronze certification in the fall of 2014, with nearly all requirements for Silver certification met as well. Learn more about Harvard's participation in InCommon at the following links:

InCommon Resources

To learn more about InCommon assurance guidelines and standards, see the following links:

Source: Marlena Erdos