This section of the roadmap provides an organized overview of identity management (IdM) activities and documents from ITU-T and other standards development organizations. The information is structured to highlight key activities, the resulting outputs, and various stages of development. The objective is to give users a comprehensive understanding of IdM work by presenting the requirements driving these efforts and by identifying the involved organizations, their relationships, and the status of their work.
Currently, this part of the roadmap includes the identity management initiatives of the FIDO Alliance, ISO/IEC JTC 1/SC 27, ISO/TC 307, ITU-T study groups, NIST, and W3C. Further additions from other organizations are expected as more data becomes available.
Summaries of ongoing IdM standards efforts are presented below, organized by the respective organizations and their overall work programs. This section also includes a dedicated segment on national IdM strategies. In general, the roadmap contains brief summaries and headings, with links to access more detailed information.
1. Key international and regional IdM standards development and deployment activities (including approved standards and work items under development)
Identity management work within ITU-T is focused across eight Study Groups: SG2, SG3, SG11, SG13, SG17, SG20 and SG21, with SG17 designated as the lead Study Group on identity management.
The work done in SG17 primarily focuses on identity management architecture and mechanisms. The following work has been completed in Question 10/17:
- ITU-T X.1095: Entity authentication service for pet animals using telebiometrics
- ITU-T X.1250: Baseline capabilities for enhanced global identity management and interoperability
- ITU-T X.1251: A framework for user control of digital identity
- ITU-T X.1252: Baseline identity management terms and definitions
- ITU-T X.1253: Security guidelines for identity management systems
- ITU-T X.1254: Entity authentication assurance framework
- ITU-T X.1255: Framework for discovery of identity management information
- ITU-T X.1256: Guidelines and framework for sharing network authentication results with service applications
- ITU-T X.1257: Identity and access management taxonomy
- ITU-T X.1258: Enhanced entity authentication based on aggregated attributes
- ITU-T X.1261*: Policy framework including principles for digital identity infrastructure (* dual numbered: D.1140 in SG3 and X.1261 in SG17)
- ITU-T X.1275: Guidelines on protection of personally identifiable information in the application of RFID technology
- ITU-T X.1276: Authentication step-up protocol and metadata Version 1.0
- ITU-T X.1277: Universal authentication framework
- ITU-T X.1277.2: Universal authentication framework (UAF) protocol specification
- ITU-T X.1278: Client to authenticator protocol/Universal 2-factor framework
- ITU-T X.1278.2: Client to authenticator protocol
- ITU-T X.1279: Framework of enhanced authentication using telebiometrics with anti-spoofing detection mechanisms
- ITU-T X.1280: Framework for out-of-band server authentication using mobile devices
- ITU-T X.1281: APIs for interoperability of identity management systems
- ITU-T X.1283: Threat analysis and guidelines for securing password and password-less authentication solutions
- ITU-T X.1284: Authentication framework based on one-time authentication key using distributed ledger technology
- ITU-T X.1365: Security methodology for the use of identity-based cryptography in support of Internet of things (IoT) services over telecommunication networks
- ITU-T X.1771: Requirements for data de-identification assurance
- X Suppl. 7: ITU-T X.1250 - Supplement on overview of identity management in the context of cybersecurity
- X Suppl. 22: ITU-T X.1144 - Supplement on enhancements and new features in eXtensible Access Control Markup Language (XACML 3.0)
- X Suppl. 35: ITU-T X.1254 - Supplement on use cases of entity authentication assurance (EAA) framework
- X Suppl. 41: Supplement to ITU-T X.1254: e-KYC use cases in digital financial services
- X Suppl. 42: Supplement to ITU-T X.1254: Implementation of secure authentication technologies for digital financial services
Work in progress includes:
- TR.divs: Technical Report: Rationale and initial vision of a decentralized identity verification system (DIVS) based on verifiable data
- TR.SIMRegBio: Technical Report: Guidelines for SIM Identity and Biometrics Registration
- X.1250rev: Baseline capabilities for enhanced global identity management and interoperability
- X.1254rev: Entity authentication assurance framework
- X.accsadlt: Access security authentication based on DLT
- X.bvm: Requirements for biometric variability management
- X.oicc: OpenID Connect Core 1.0 - Errata Set 2
- X.oob-pacs: Framework for out-of-band physical access control systems using beacon-initiated mutual authentication
- X.srdidm: Security requirements for decentralized identity management systems using distributed ledger technology
- X.tas: Telebiometric authentication using speaker recognition
- X.tis: Telebiometric authentication based on information splitting
- X.vctp: Verifiable credential-based trust propagation framework in the decentralized identity
Published work includes:
- ITU-T E.217: Maritime communications - Ship station identity
- ITU-T M.3411: User identity and access management requirements for telecommunication management network
Work in progress includes:
- TR.OTTnum: Current use of E.164 numbers as identifiers for OTTs
- E.IoT-NNAI: Internet of Things naming, numbering, addressing and identifiers
- M.uiamr-ir: User identity and access management interface for telecommunications management network - Protocol neutral requirements
Published work includes:
Work in progress includes:
- D.princip_bigdata: Policy framework and principles for data protection in the context of big data relating to international telecommunication services
- Study_bigdata: Technical Paper on economic and policy aspects of Big Data in international telecommunication services and networks
In SG11, identity management related work is undertaken by Question 2, Question 12, and Question 15 as follows: a) Q2/11: Identity management on telecommunication equipment (such as trustable interconnection between network entities) and service (such as calling party line identity); b) Q12/11: Identity management related to test of internet of things; c) Q15/11: Identity management on combating counterfeit and stolen telecommunication/ICT devices.
- ITU-T Q.763: Signalling System No. 7 - ISDN User Part formats and codes, Amendment 7: Extensions for the support for the calling line identification authentication
- ITU-T Q.931: ISDN user-network interface layer 3 specification for basic call control, Amendment 2: Extensions for the support for the calling line identification authentication
- ITU-T Q.1902.3: Bearer Independent Call Control protocol (Capability Set 2) and Signalling System No. 7 ISDN User Part: Formats and codes, Amendment 6: Extensions for the support for the calling line identification authentication
- ITU-T Q.3062: Signalling procedures and protocols for enabling interconnection between trustable network entities in support of existing and emerging networks
- ITU-T Q.3063: Signalling procedures of calling line identification authentication
- ITU-T Q.5052: Addressing mobile devices with duplicate unique identifier
- ITU-T Q.5054: Consumer centric framework for combating counterfeit and stolen information and communication technology mobile devices
- Q Suppl. 76: Common approaches and interfaces for data exchange between the central equipment identity register and the equipment identity register
Work in progress includes:
- Q.5055: Technical requirement, interfaces and generic functions of CEIR
- Q.cpi: Signalling requirements for computing power identification in computing power network
- Q.GIR: Technical requirement and implementation strategy for Global International Mobile Equipment Identity Registry
- Q.SI-SAN: Signalling requirements for service identification in service aware network
- Q.Sup.CFS-AFR: Guidelines on combating counterfeit and stolen mobile devices in African region
- Q.Supplement.75-Rev: Use cases on the combat of counterfeit ICT and stolen mobile devices
In SG 13, identity management related work is undertaken by Question 22 (Networks beyond IMT2020: Emerging network technologies). The following work has been completed:
- ITU-T Y.2720: NGN identity management framework
- ITU-T Y.2721: NGN identity management requirements and use cases
- ITU-T Y.2722: NGN identity management mechanisms
- ITU-T Y.3081: Self-Controlled Identity based on Blockchain: Requirements and Framework
Work in progress includes:
- Y.3087 (ex Y.SCid-fra): Self-controlled identity based on blockchain - Functional requirements and architecture
- Y.TRUST-TLA: Framework of Trust Level Assessment for Trustworthy Networking
The Recommendations in SG15 use identifiers, but there is no dedicated identity management definition. See the following for how identities are used in the context of transport networks and associated security frameworks.
Identity management related work is undertaken by Question 6. Published work includes:
- ITU-T Y.4462: Requirements and functional architecture of Open IoT identity correlation service
- ITU-T Y.4476: OID-based Resolution framework for transaction of distributed ledger assigned to IoT resources
- ITU-T Y.4500.3: oneM2M - Security Solutions
- ITU-T Y.4809: Unified IoT Identifiers for intelligent transport systems
- ITU-T Y.4811: Reference framework of converged service for identification and authentication for IoT devices in a decentralized environment
- ITU-T Y.4812: Interoperability of the identity of Internet of things devices across metaverse platforms
Work in progress includes:
- Y.4814: Functional requirements and architecture of access control service of IoT platform enabled by zero trust in decentralized environments
- Y.metaID: Framework and requirements for identity visualization in and across metaverse
- YSTR.IoT-IMS: Requirements and capability framework for identification management service of IoT device
- Y.uas-dc-fr: Framework of unified authentication service for data collaboration in IoT-based electric power infrastructure
- Y.Supp-Imp-CSIADE: Supplement to ITU-T Y.4811 - Implementation of converged service for identification and authentication for IoT devices in decentralized environment
The following work has been completed:
- ITU-T H.642.3: Information technology - Automatic identification and data capture technique - Identifier resolution protocol for multimedia information access triggered by tag-based identification
Work in progress includes:
The following work has been completed:
- ITU-T X.1085 | ISO/IEC 17922 – Telebiometric authentication framework using biometric hardware security module was published as an International Standard (IS) in 2017-09 as common text with ITU-T. It was confirmed in 2024-10.
- ISO/IEC 24745 – Biometric information protection was published as an International Standard (IS) in 2011-06. The revision was renamed Information security, cybersecurity and privacy protection – Biometric information protection and was published as an International Standard (IS) in 2022-02.
- ISO/IEC 24761 – Authentication context for biometrics was published as an IS in 2009-05, with a technical corrigendum published in 2013-03. Its 2nd edition was published in 2019-10.
- ISO/IEC 27551 – Requirements for attribute-based unlinkable entity authentication was published as an International Standard (IS) in 2021-09.
- ISO/IEC 27554 – Application of ISO 31000 for assessment of identity-related risk was published as an International Standard (IS) on 2024-07-01.
- ISO/IEC TS 29003 – Identity proofing was published as a Technical Specification (TS) in 2018-03 and confirmed as a Technical Specification (TS) in 2021.
- ISO/IEC 29191 – Requirements for partially anonymous, partially unlinkable authentication was published as an International Standard (IS) in 2012-12 and confirmed in 2018-11.
Work in progress includes:
- ISO/IEC 24760 – A framework for identity management: Part 1 “Terminology and concepts” was published in 2011-12 and confirmed in 2017. An amendment resulted in a revision published in 2019-06, which is freely available at no cost via www.jtc1.org. A further amendment was initiated at Committee Draft (CD) status in 2021-10 and was published in 2023-01. Part 2 “Reference architecture and requirements” was published as an International Standard (IS) in 2015-06. In 2020-10, a revision was initiated, which has meanwhile progressed to Final Draft International Standard (FDIS) status. Part 3 “Practice” was published as an International Standard (IS) in 2016-07. An amendment was initiated at Committee Draft (CD) status in 2020-10 and was published in 2023-01. Part 4 “Authenticators, credentials and authentication” was initiated in 2020-09 and is currently at Working Draft (WD) status.
- ISO/IEC 27553 – Security and privacy requirements for authentication using biometrics on mobile devices is divided into two parts, Part 1: Local mode and Part 2: Remote mode. Part 1 was published as an International Standard (IS) in 2022-11. Work on Part 2 was initiated in 2022-09 and has been approved as a Draft International Standard (DIS).
- ISO/IEC 27566 – Age assurance systems is subdivided into three parts: Part 1: Framework has progressed to Draft International Standard (DIS). Part 2 (formerly Part 3): Technical approaches and guidance for implementation has progressed to NWIP status. Part 3 (formerly Part 2): Benchmarks for benchmarking analysis remains at Working Draft (WD) status.
- ISO/IEC 29115 – Entity authentication assurance framework was published as an International Standard (IS) in 2013-04. After an approach towards its revision was cancelled, 29115 was confirmed in 2020-09. A revision remains at Working Draft (WD) status.
New work item proposals and preliminary work items (PWI):
- PWI 25863 – Exploration of digital wallets storing digital credentials
- PWI ISO/IEC 27566-2 – Age assurance systems – Part 2: Technical approaches and guidelines for implementation remains at PWI status
WG5 standing documents:
- Committee Document 501 Roadmap is available via the website of JTC 1/SC 27 via https://committee.iso.org/home/jtc1sc27 (under “Resources") and will be updated reflecting expert contributions and the progress at the WG meeting.
- Committee Document 502 Privacy References List is available via the website of JTC 1/SC 27 via https://committee.iso.org/home/jtc1sc27 (under “Resources”) and will be updated based on contributions received.
- Committee Document 504 Standards Privacy Assessment (SPA) is available via the website of JTC 1/SC 27 via https://committee.iso.org/home/jtc1sc27 (under “Resources”) and will be updated based on contributions received.
The most relevant ISO activity related to IdM is TC 307 - Blockchain and distributed ledger technologies, created in 2016, whose scope is "Standardisation of blockchain technologies and distributed ledger technologies". TC 307 also runs a joint working group with ISO/IEC JTC 1/SC 27, ISO/TC 307/JWG 4: Security, privacy and identity for blockchain and DLT. The following work has been completed:
- ISO 22739:2024: Blockchain and distributed ledger technologies - Vocabulary
- ISO TR 23644:2023: Blockchain and distributed ledger technologies (DLTs) - Overview of trust anchors for DLT-based identity management
Work in progress includes:
- ISO/PWI 12833: Re-identification and privacy vulnerabilities and mitigation methods in blockchain and distributed ledger technologies, currently at PWI status
The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. W3C's mission is, in their words, to lead the Web to its full potential. W3C has several activities relevant to IdM:
Web Authentication Working Group
This WG (end date: 15/09/2019) defined a client-side (i.e., in-browser) API that provides strong authentication functionality to Web applications, overcoming the limitations of password-based logins (weak security, vulnerability to phishing attacks, poor usability).
The following work has been completed:
- An API for accessing public key credentials, Level 2 (8 April 2021)
Decentralized Identifiers (DID) Working Group
This WG (end date: 15/04/2021) was proposed to enable identifiers that (from its charter) are: controlled by individuals, organizations and machines rather than leased from an authority (e.g., DNS registrars); cryptographically verifiable, so that they can authenticate their owners (e.g., DID-based website login); and dereferenceable, i.e., they can be dereferenced to a document that describes how to start a secure and privacy-preserving communication with the owner (e.g., a set of public keys and a set of service endpoints).
The WG focused on defining the DID URI scheme and recommending a data model and syntax(es) for expressing decentralized identifier documents, including one or more core vocabularies.
The following work has been completed:
- Decentralized Identifiers (DIDs) v1.0
Verifiable Claims Working Group
The aim of this WG (end date: 30/09/2019) was to create a standard that makes it easy for users to assert their verifiable qualifications to a service provider (e.g., "my loyalty card number is X", "I have an account at Bank Y", "I am over the age of 21", "I am a citizen of the United States", "I have a degree in Mathematics", etc.). Such a standard would allow claims to be expressed, exchanged and verified on the Web more easily and securely, across different industry sectors, and independently of any particular claim provider.
The following work has been completed:
- Verifiable Credentials Data Model 1.0
Data privacy vocabularies and controls Community Group (DPVCG)
The mission of this CG is to develop a taxonomy of privacy terms, including terms from the new European General Data Protection Regulation (GDPR). The aim is to provide a machine-readable vocabulary to annotate and categorize instances of legally compliant personal data processing according to the GDPR.
The taxonomy currently discussed in the group contains terms (classes and properties) for the following GDPR-related concepts: personal data categories, purposes, processing categories, technical and organizational measures, legal basis, consent and recipients, data controllers, and data subjects.
Work in progress includes:
- Data Protection Aspects of Online Shopping - A use case
Under the Systems and Emerging Technologies Security Research grouping, NIST has established a programme on personal identity verification of federal employees and contractors. The following technical publications have been developed:
- NIST Special Publication 800-63-3, Digital identity guidelines
- NIST Special Publication 800-63A, Digital identity guidelines: Enrollment and identity proofing
- NIST Special Publication 800-63B, Digital identity guidelines: Authentication and lifecycle management
- NIST Special Publication 800-63C, Digital identity guidelines: Federation and assertions
- NIST Special Publication 800-73-4, Interfaces for personal identity verification (PIV), which specifies the interfaces and data elements of PIV cards
- NIST Special Publication 800-76-2, Biometric data specification for personal identity verification (PIV), which specifies the technical acquisition and formatting requirements for biometric data in the PIV system
- NIST Special Publication 800-78-4, Cryptographic algorithms and key sizes for personal identity verification (PIV), which specifies the cryptographic algorithms and key sizes used in the PIV system
- NIST Special Publication 800-157, Guidelines for derived personal identity verification (PIV) credentials
- NIST Special Publication 800-178, A comparison of attribute based access control (ABAC) standards for data service applications: Extensible access control markup language (XACML) and next generation access control (NGAC)
- NIST Special Publication 1800-3, Attribute based access control (2nd draft)
- NIST Special Publication 1800-12, Derived personal identity verification (PIV) credentials
- NIST Special Publication 1800-17, Multifactor authentication for e-commerce: Risk-based, FIDO universal second factor implementations for purchasers
For the latest versions of the above NIST publications, please see:
http://csrc.nist.gov/publications/PubsSPc.html.
The FIDO Alliance specifications relevant to IdM are:
- FIDO2 Specifications
- Universal Authentication Framework (UAF) Specifications
- FIDO2 and UAF common files
- Universal 2nd factor (U2F) specifications
2. Gap analysis on IdM standard development activities
In the existing IdM standardisation efforts there appear to be two clear trends. One trend is the drive for federation and interoperability, mainly pushed by the Liberty Alliance and OASIS. The efforts in the standardisation of web services have matured quite well, primarily through the work of the Liberty Alliance but also through the OASIS work. The development of federation standards for the general information system sector and the telecom sector is included in the current and planned work of both ITU-T and ISO/IEC. The big issue associated with federation is interoperability and harmonisation of the different federation standards and solutions. The second trend is the drift from standards for organisation-centric identity management systems towards a more deliberate suite of standards that tries to find a reasonable balance between end users' need for security and privacy and the organisation's or business's need for security and information.
3. Approved IdM standards
Approved and published IdM standards are included in the database of standards included in Part 2 of this Roadmap. Recent developments in IdM standards are addressed in the IdM landscape wiki, which contains informal and evolving information as well as in Part 3 of this Roadmap under the programmes of work of the various standards bodies.
4. Best practices
5. Identity management in cloud computing
6. National identity management strategies
7. Other relevant IdM activities and papers