A credential service provider (CSP) is an organization that issues digital certificates or digital security badges to authorized subscribers. A CSP forms a part of an existing authentication infrastructure, most commonly identified as an independent entity within a federated credential management system. The organization that offers CSP services is referred to as a CSP. All users involved in the authentication process need a CSP for the process to be successful.
An organization that offers CSP services has an established relationship with a certificate authority. The credential service provider decides what type of verification will occur and establishes how these verification processes will work. The certificate authority authenticates organizations’ electronic credentials. Information provided by the user is then verified by this entity, and the result is an electronic credential. The authenticity of the credential depends on the information provided by the user. Information from organizations that are not authorized to access the secured data is not passed through this entity before being stored in the database of a CSP.
Every organization has an identity. This identity is what identifies an organization, and it is used in several ways. Most notably, the identity is what authenticates a credential service provider so that the credential can be used to issue security tokens. The electronic credential also contains information that ensures that the identity belongs to the authorized individual. This is done by ensuring that the right person authenticates the document.
Many credential providers specialize in different areas. Some are involved in particular industries. Financial services, for example, need CSPs that have expertise in specific regulations set out by regulatory bodies such as the U.S. Office of Personnel Management. Medical professionals also need services that are specific to their industry. Chemical manufacturing requires special certification from a credentialing organization that is distinct from the ones provided by other service providers.
One area in which most organizations use CSPs is identity proofing. Identity proofing is the process of authenticating individuals by verifying their identity based on various factors. The most common factor that is used to validate an individual’s identity is their date of birth. The U.S. Office of Personnel Management (OPM) requires all potential employees to submit proof of identity through one of the approved credentialing organizations.
Higher levels of authentication require that the CSP establish higher levels of identity verification. These may include verifying an individual’s Social Security Number (SSN) or their date of birth. Additional factors used to establish higher levels of identity verification include a government-issued driver’s license, passport, or debit card. Another option for higher levels of identity verification is verification of employment history. A certified CSP will require individuals to submit verification of employment with the employer, which typically includes a copy of their most recent pay stub and authorization from the prospective employer to obtain a copy of this documentation. It is also required that the CSP perform an accurate search of an individual’s public records to verify current employment and education information.
As noted previously, a CSP establishes trust by requiring individuals to sign up as members of a Trusted Enterprise. A Trusted Enterprise is made up of multiple members. At higher levels of authentication, a Trusted Enterprise may require members to undergo further identity verification. If a business requires a Trusted Enterprise, it can opt to use an electronic credential service provider that maintains, authenticates, and submits their own in-house-created ECTRs (electronic certificates of registration).
Electronic credential service providers help organizations eliminate the need for paper-based verification of members’ identities and signatures. This eliminates the need for organizations to retain printed copies of their digital signatures. By reducing the need for employees to physically maintain records, organizations will have increased operational efficiency and payroll accuracy. As most companies are beginning to experience a high volume of member signups, organizations can expect continued growth in the future as more ECTRs are implemented.