This document defines the tScheme criteria against which organisations must be successfully assessed in order to be eligible for a Grant of Approval for the provision of services to Government, individuals, system objects, corporate entities and other relying parties for the verification and registration of identity attributes.
The criteria given in this Approval Profile are related to Services that are established to enable an individual to register with an Identity Provider in order to gain the means of transacting electronically with relying parties. These relying parties, who will typically be either Trust Service Providers or some other kind of service providers, need to be able to trust that ultimately they are transacting with the individual from whom the electronic transaction appears to originate.
The Identity Service Provider links an electronic identity with a real-world identity. The registrant presents proof of their real-world identity (e.g. documentation such as Passport, Driving Licence or pre-existing electronic evidence) to the Identity Registration Service so that the Service can validate and verify the registrant’s claimed real-world identity. No specific constraint of scope is intended in this Profile on how these processes could be carried out. The verification process must, as a minimum, comply with the requirements laid down by one of the Recognised Verification Requirements, for example, the UK Government’s minimum requirements for the verification of the identity of individuals. As a result of a successful identity authentication, the registrant will be allocated an electronic identity, which might be the name of the registrant, a pseudonym or some other identifier (or combination thereof). The registrant will then be issued with the means to authenticate themselves against this electronic identity; hereafter such means are termed a credential. In principle, the types of credential used by an Identity Provider could range widely and might involve an electronic or physical credential.
Examples of such credentials could include:
- a PIN and/or password (virtual credential);
- a one-time password generator or smartcard (physical credential);
- a biometric token (biometric credential).
Note that any further uses of the credential other than for credential authentication against the electronic identity are out of scope of this Profile. Finally, the Identity Registration Service must also provide, directly or indirectly, the means by which the lifecycle of the credential can be managed, for example by recovering or replacing lost PINs and passwords or smartcards.
This Profile is intended to support two kinds of organisation: organisations that act as Identity Providers, applying a defined set of requirements when validating and verifying the identities of individuals already known to them (as customers, employees, etc.), and that then wish to provide these individuals with credentials that can be used to access online services from, amongst others, the UK government; and commercial Identity Providers that provide such credentials as a Service to a given community.