---
url: 'https://www.corbado.com/glossary/trust-framework'
title: 'Trust Framework'
description: 'A digital identity trust framework sets rules, roles, and standards to secure ecosystems. Learn how passkeys boost assurance and user experience.'
lang: 'en'
keywords: 'Trust Framework'
---

# Trust Framework

## What is a Trust Framework?

For a digital ecosystem to scale beyond a single company, all participants need a shared
understanding of the rules of engagement. A **digital identity trust framework** provides
this essential **governance framework**, outlining the technical, operational, and legal
requirements that allow different entities to trust one another's
[digital identity](https://www.corbado.com/blog/digital-identity-guide) [assertions](https://www.corbado.com/glossary/assertion). It is
the constitution for a **digital identity trust network**, transforming abstract trust
into a concrete, auditable, and enforceable set of principles.

This structure is not merely a technical specification. While developers and product
managers often focus on protocols like OAuth or WebAuthn, these are just tools. The real
power of a **trust framework** lies in its creation of a comprehensive socio-technical and
legal construct. The framework provides the legal and operational layers that make those
technical protocols trustworthy in a federated context. It addresses critical questions
that technology alone cannot answer: Who is liable if something goes wrong? What are the
legal rights of the user? What is the process for resolving disputes? The emphasis in
frameworks like the EU's [eIDAS](https://www.corbado.com/glossary/eidas) on legal effect and the
[Pan](https://www.corbado.com/glossary/pan)-Canadian Trust Framework's focus on conformance criteria and
assessment highlight this reality. The rules of law, accountability, and redress are what
elevate a collection of APIs into a true ecosystem of trust. For any business, this means
that adopting a technology like passkeys is not just a technical upgrade; it is a
strategic move that helps them align with the stringent security and operational
requirements of these emerging, legally-backed ecosystems.

> **Key Takeaways:**
> 
> - A **Trust Framework** is a set of agreed-upon rules, standards, and certifications that
>   govern how digital identities and credentials are issued, managed, and accepted across
>   organizations.
> 
> - It acts as a **governance framework** that defines the roles (like
>   [issuers](https://www.corbado.com/glossary/issuer) and verifiers), technical standards, and security
>   requirements for all participants in a **digital identity trust network**.
> 
> - The core benefit of a **trust framework** is enabling interoperability, so a digital
>   credential issued by one entity can be confidently accepted and trusted by another.
> 
> - Real-world examples like the EU's [eIDAS](https://www.corbado.com/glossary/eidas) regulation demonstrate how a
>   **trust framework** can provide legal certainty and enable secure cross-border digital
>   services.

---

## Participants and Roles

A **trust framework** establishes a clear vocabulary by defining the key actors within the
ecosystem and their specific responsibilities. This ensures that every participant
understands their role and obligations.

- **Issuers (or Credential Service Providers - CSPs):** These are the organizations
  accredited by the framework to perform [identity proofing](https://www.corbado.com/blog/digital-identity-guide)
  and issue [digital credentials](https://www.corbado.com/blog/digital-credentials-api). A core function of a
  **trust framework** is to set strict criteria for who can become a trusted
  [issuer](https://www.corbado.com/glossary/issuer). For example, a framework might stipulate that only a
  national motor vehicle agency can issue a digital driver's license, or only a licensed
  financial institution can issue a digital credential verifying a user's bank account for
  Know Your Customer (KYC) purposes.

- **Holders:** These are the end-users—individuals or organizations—who possess and
  control their [digital credentials](https://www.corbado.com/blog/digital-credentials-api). Modern frameworks
  emphasize user-centricity, meaning the holder stores their credentials in a secure
  application (often a [digital wallet](https://www.corbado.com/blog/digital-wallet-assurance)) and has the final
  say on when and with whom their data is shared. This principle of user control is
  central to frameworks like the EU [Digital Identity](https://www.corbado.com/blog/digital-identity-guide)
  [Wallet](https://www.corbado.com/blog/digital-wallet-assurance).

- **Verifiers (or Relying Parties - RPs):** These are the online services, businesses, or
  [government](https://www.corbado.com/passkeys-for-public-sector) agencies that need to verify a user's identity
  or specific attributes (like age or qualifications). They are called "relying parties"
  because they rely on the integrity of the credentials issued by trusted
  [Issuers](https://www.corbado.com/glossary/issuer), according to the rules of the framework. A bank acting as a
  Verifier can trust a [digital ID](https://www.corbado.com/blog/digital-identity-guide) presented by a user
  because it knows the [government](https://www.corbado.com/passkeys-for-public-sector) agency that issued it
  followed the framework's rigorous proofing standards.

- **Governance Authority (or Trust Framework Authority):** This is the central body, often
  a [government](https://www.corbado.com/passkeys-for-public-sector) department or an industry-led consortium,
  that manages the **trust framework** itself. Its responsibilities are crucial for the
  health of the ecosystem and include developing and updating the rules, accrediting and
  auditing participants, maintaining a public register of trusted providers, and
  overseeing dispute resolution processes.

## The Rulebook

The heart of any **trust framework** is its comprehensive rulebook, which is a collection
of documents specifying the policies, standards, and agreements that all participants must
adhere to. This rulebook ensures consistency, security, and interoperability across the
network.

- **Technical Standards:** The framework mandates specific technologies and protocols to
  ensure all systems can communicate seamlessly and securely. This is critical for
  interoperability. These standards often include:
    - **Data Formats for Credentials:** Specifying how identity information should be
      structured, such as using the W3C
      [Verifiable Credentials](https://www.corbado.com/glossary/microcredentials) (VC) data model.

    - **Communication Protocols:** Defining how identity information is exchanged, often
      leveraging standards like OpenID Connect for
      [Verifiable Credentials](https://www.corbado.com/glossary/microcredentials) (OID4VC).

    - **Authentication Standards:** Requiring the use of strong,
      [phishing](https://www.corbado.com/glossary/phishing)-resistant authentication methods, with **WebAuthn**
      (the standard behind passkeys) being a prime example for high-security interactions.

- **Operational Policies:** These rules govern the day-to-day operations and security
  posture of all participants. They ensure that trust is maintained through consistent,
  high-quality practices. Common operational policies include:
    - **Security Management:** Requiring participants to achieve and maintain recognized
      security certifications, such as [ISO 27001](https://www.corbado.com/blog/cybersecurity-frameworks), to
      prove they have robust information security management systems in place.

    - **Fraud and Risk Management:** Mandating strong processes for detecting, managing,
      and reporting fraudulent activity, including identity theft and the use of synthetic
      identities.

    - **Incident Response and Business Continuity:** Requiring participants to have
      documented plans for handling security breaches, managing user complaints, and
      ensuring service availability.

- **Legal and Commercial Agreements:** These are the binding contracts and policies that
  define the legal foundation of the ecosystem. They address crucial aspects of liability
  and data protection.
    - **Liability Framework:** Clearly defining who is responsible in the event of a
      breach or financial loss.

    - **Data Protection and Privacy:** Enforcing compliance with data protection
      regulations like GDPR, including principles of data minimization (only sharing what
      is necessary) and user consent.

    - **Dispute Resolution:** Establishing a formal process for handling complaints and
      resolving disputes between participants or between a user and a participant.

## Measuring Confidence

A **trust framework** does not treat all identities or all login attempts as equal. It
establishes a risk-based model to quantify the level of confidence in an identity
[assertion](https://www.corbado.com/glossary/assertion). This is achieved through **Identity Assurance
Levels (IAL)** and **Authenticator Assurance Levels (AAL)**, concepts standardized in
guidelines like the U.S. National Institute of Standards and Technology (NIST) Special
Publication 800-63 (revision 3, with revision 4 published in 2025). The same publication
defines a third axis, Federation Assurance Levels (FAL), for assertions passed between an
identity provider and a relying party, which is the case a federated trust framework
mostly deals with. Together they allow services to match the required strength of
verification to the sensitivity of the transaction: a simple login to a forum requires
less assurance than authorizing a large financial transfer.

### Identity Assurance Levels (IAL)

[IAL](https://www.corbado.com/glossary/ial) refers to the strength of the
[identity proofing](https://www.corbado.com/blog/digital-identity-guide) process—the steps taken to verify that a
[digital identity](https://www.corbado.com/blog/digital-identity-guide) corresponds to a real person. The higher
the [IAL](https://www.corbado.com/glossary/ial), the more confidence a [relying party](https://www.corbado.com/glossary/relying-party)
can have that the user is who they claim to be.

- **IAL1 (Low Assurance):** This is the lowest level of assurance. The identity is
  self-asserted by the user without any verification. Creating an email account or a
  social media profile with just a name and email address is a typical example of IAL1.
  There is no verified link to a real-world identity.

- **IAL2 (High Assurance):** This level provides high confidence in the user's real-world
  identity. It requires the user to present identity evidence (at least one strong piece,
  or more pieces if each is weaker), which is validated against authoritative or credible
  sources, and a check that the applicant is the person the evidence describes. This can
  be done remotely (e.g., by scanning a driver's license and a utility bill and performing
  a "liveness check" with a selfie) or in person. It confirms both that the identity is
  real and that it is linked to the person making the claim.

- **IAL3 (Very High Assurance):** This is the highest level of assurance and is reserved
  for the most sensitive applications. It requires in-person or supervised remote identity
  proofing by an authorized and trained representative. IAL3 typically involves the
  verification of physical documents and the collection of biometric data (like
  fingerprints) to create a very strong binding between the digital identity and the
  physical person.

### Authenticator Assurance Levels (AAL)

[AAL](https://www.corbado.com/faq/authenticator-assurance-levels-aal-digital-identity) defines the strength of
the authentication mechanism used during a login or transaction. It measures how
effectively the system can resist attacks on the [authenticator](https://www.corbado.com/glossary/authenticator)
itself.

- **AAL1 (Some Assurance):** This level permits single-factor authentication. A
  password or a PIN is a classic example. It proves that the user controls that one
  factor, but it is vulnerable to [phishing](https://www.corbado.com/glossary/phishing), guessing, and theft
  through database breaches.

- **AAL2 (High Assurance):** This level requires multi-factor authentication (MFA) using
  at least two different types of factors (e.g., something you know like a password, plus
  something you have like a code from an [authenticator](https://www.corbado.com/glossary/authenticator) app).
  Crucially, the communication between the user and the service must run over an
  authenticated, protected channel (approved cryptography such as TLS) to resist attacks
  like [session hijacking](https://www.corbado.com/blog/3ds-authentication-failed) and man-in-the-middle
  attacks. AAL2 in revision 3 does not by itself require the authenticator to be
  phishing-resistant; an SMS or app-generated code still qualifies.

- **AAL3 (Very High Assurance):** This is the most secure level. It builds upon
  [AAL2](https://www.corbado.com/blog/nist-passkeys) by requiring a hardware-based
  [authenticator](https://www.corbado.com/glossary/authenticator) (a "hard" authenticator) whose
  cryptographic key is generated and kept inside a secure hardware element, validated to
  the FIPS 140 levels the guideline specifies. Furthermore, it mandates a cryptographic
  protocol that is resistant to verifier impersonation: the authenticator's output is
  bound to the identity of the verifier it is talking to, so a signature produced for the
  genuine site is useless to a look-alike site. In practice this means the protocol must be
  [phishing](https://www.corbado.com/glossary/phishing)-resistant, preventing an attacker from tricking the
  user into authenticating to a fake website.

### The Passkey Advantage

The move towards high-assurance digital identity has historically been hindered by a
fundamental conflict: stronger security often meant a worse user experience. Complex
passwords, cumbersome hardware tokens, and confusing multi-step login flows created
friction, leading to low user adoption and high support costs. Passkeys, built on the
**WebAuthn** standard, resolve this conflict by offering a direct technological route to
high assurance (AAL2/[AAL3](https://www.corbado.com/blog/nist-passkeys)) with a superior user experience.
This makes them a critical enabler for the widespread adoption of **trust frameworks**.

This alignment is not accidental; it is by design. High-value services, such as those in
[banking](https://www.corbado.com/passkeys-for-banking), [healthcare](https://www.corbado.com/passkeys-for-healthcare), and government,
will increasingly operate within **trust frameworks** that mandate
[AAL2](https://www.corbado.com/blog/nist-passkeys) or [AAL3](https://www.corbado.com/blog/nist-passkeys) for secure access. Passkeys are
multi-factor by construction: they combine proof of possession of a cryptographic private key
stored on a device (the "something you have" factor) with a
[user verification](https://www.corbado.com/blog/webauthn-user-verification) step like a biometric scan or a
device PIN (the "something you are" or "something you know" factor). The second factor is
only counted if it actually happened: a relying party that wants AAL2 or above must request
user verification and check the UV flag in the signed authenticator data, because a passkey
exercised with user presence alone is a single-factor possession authenticator.

This built-in multi-factor structure lets passkeys satisfy the authenticator requirements
of modern **identity assurance frameworks**. NIST's guidance
([SP 800-63B](https://www.corbado.com/blog/nist-passkeys) and its 2024 Supplement 1 on syncable
authenticators) addresses the two deployment models explicitly:

- **Synced Passkeys**, which are stored in a user's cloud keychain (like
  [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager) or
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain)) and are available across their devices,
  can meet **AAL2** when the sync provider and user-verification conditions set out in the
  supplement are satisfied. They provide the same phishing resistance as any WebAuthn
  credential together with MFA in a highly convenient form.

- **Device-bound Passkeys**, whose private key is generated in and never leaves a single
  piece of hardware like a [YubiKey](https://www.corbado.com/glossary/yubikey) or a computer's TPM, are the
  only passkeys that can reach **AAL3**. They satisfy the "hard authenticator" requirement
  (the authenticator itself must additionally carry the FIPS 140 validation that AAL3
  demands). Verifier impersonation resistance comes from WebAuthn's origin binding, which
  synced passkeys share; what device-bound passkeys add is the guarantee that the key
  cannot be exported or cloned. A relying party that needs AAL3 should therefore reject
  assertions whose backup-eligible (BE) flag is set, since that flag marks a syncable
  credential.
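The flag and origin checks described in the two passages above (user verification as the
second factor, origin binding as verifier-impersonation resistance, and the backup-eligible
flag as the synced/device-bound distinction) are what a relying party must enforce itself;
WebAuthn only puts the bits in the signed data. The following Python is an added example
for this glossary entry, not Corbado's code and not part of any NIST publication. It
assumes the RP has already base64url-decoded the assertion fields and verified the
signature over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key;
the helper names, the `example.com` RP ID and the sample byte strings are all constructed
for illustration.

```python
"""Relying-party policy check for a WebAuthn (passkey) assertion against a
target NIST Authenticator Assurance Level.

Added example for the "Trust Framework" glossary page; hypothetical helper
names, assumes signature verification has already succeeded.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Bit positions of the WebAuthn authenticator data flags byte (byte 32).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified: biometric or PIN was performed
FLAG_BE = 1 << 3  # backup eligible: credential may be synced to other devices
FLAG_BS = 1 << 4  # backup state: credential is currently backed up


@dataclass
class AssertionCheck:
    ok: bool
    reason: str
    passkey_kind: str  # "synced", "device-bound" or "unknown"
    sign_count: int


def classify_passkey(flags: int) -> str:
    """A backup-eligible credential is a synced passkey; otherwise device-bound."""
    return "synced" if flags & FLAG_BE else "device-bound"


def check_assertion(authenticator_data: bytes, client_data_json: bytes,
                    expected_rp_id: str, allowed_origins: set[str],
                    expected_challenge: str, target_aal: int) -> AssertionCheck:
    """Return whether the assertion satisfies target_aal (1, 2 or 3)."""
    # rpIdHash (32) + flags (1) + signCount (4) is the minimum layout.
    if len(authenticator_data) < 37:
        return AssertionCheck(False, "authenticatorData too short", "unknown", 0)
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    kind = classify_passkey(flags)

    # Verifier-impersonation resistance: both the rpIdHash inside the signed
    # authenticator data and the origin inside clientDataJSON are bound to our
    # site, so a signature obtained by a phishing page on another origin fails.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return AssertionCheck(False, "rpIdHash does not match RP ID", kind, sign_count)
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return AssertionCheck(False, "clientData type is not webauthn.get", kind, sign_count)
    if client.get("origin") not in allowed_origins:
        return AssertionCheck(False, f"unexpected origin {client.get('origin')!r}", kind, sign_count)
    # The challenge in clientDataJSON is the base64url string the RP issued.
    if client.get("challenge") != expected_challenge:
        return AssertionCheck(False, "challenge mismatch (replay?)", kind, sign_count)
    if not flags & FLAG_UP:
        return AssertionCheck(False, "user presence not asserted", kind, sign_count)

    # Second factor: only count the passkey as MFA if the authenticator
    # actually performed user verification.
    if target_aal >= 2 and not flags & FLAG_UV:
        return AssertionCheck(False, "no user verification: single-factor only", kind, sign_count)
    # AAL3 needs a key that cannot leave the hardware; a syncable credential
    # cannot satisfy that regardless of UV.
    if target_aal >= 3 and kind == "synced":
        return AssertionCheck(False, "synced passkey cannot meet AAL3", kind, sign_count)
    # The caller should still compare sign_count with the stored counter; a
    # non-increasing value on a device-bound credential suggests a clone.
    # (Synced passkeys commonly report 0, so do not apply that rule to them.)
    return AssertionCheck(True, "ok", kind, sign_count)


# --- constructed sample inputs (no real authenticator involved) -------------

def build_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash || flags || signCount (no AT/ED data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data(origin: str, challenge: str, typ: str = "webauthn.get") -> bytes:
    return json.dumps({"type": typ, "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed base64url challenge string
ORIGINS = {"https://example.com"}

if __name__ == "__main__":
    synced = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    bound = build_auth_data("example.com", FLAG_UP | FLAG_UV, 42)
    good_client = build_client_data("https://example.com", CHALLENGE)
    phish_client = build_client_data("https://examp1e.com", CHALLENGE)
    for label, ad, cd, aal in [("synced@AAL2", synced, good_client, 2),
                               ("synced@AAL3", synced, good_client, 3),
                               ("bound@AAL3", bound, good_client, 3),
                               ("bound@phish", bound, phish_client, 2)]:
        print(label, check_assertion(ad, cd, "example.com", ORIGINS, CHALLENGE, aal))
```

The three outcomes a policy engine needs are all visible in the returned record: a
synced passkey with user verification passes at AAL2 but is refused at AAL3, a
device-bound passkey with user verification passes at AAL3, and any assertion produced
for a look-alike origin or RP ID is refused before the assurance level is even considered.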

For developers and product managers building for the future, this is a pivotal
realization. Passkeys are not merely a "better password." They are a fundamental evolution
in authentication technology that perfectly aligns with the security and compliance
trajectory of modern digital identity. Implementing passkeys is the most direct and
user-friendly path to building applications that are ready for the high-assurance world of
**trust frameworks**.

## Trust Frameworks: Global Case Studies

To understand how these concepts translate from theory to practice, it is useful to
examine several major global initiatives. These real-world examples demonstrate that while
the core principles of establishing trust are similar, the governance models, legal
underpinnings, and primary objectives of each **trust framework** can vary significantly
based on regional context and goals.

### The eIDAS Regulation (EU)

The [eIDAS](https://www.corbado.com/glossary/eidas) (electronic Identification, Authentication and Trust
Services) Regulation is a landmark piece of legislation in the European Union. It is not
just a set of guidelines but a legally binding regulation that creates a single,
harmonized market for secure electronic interactions across all EU member states.

The cornerstone of eIDAS is the principle of **mutual recognition**. This means that an
electronic ID (eID) scheme that has been formally "notified" by one EU country must be
legally recognized and accepted for accessing public services in all other member states.
Similarly, a "[qualified electronic signature](https://www.corbado.com/glossary/qualified-electronic-signature)"
created under eIDAS has the same legal effect as a handwritten signature throughout the
entire EU. This provides an unprecedented level of legal certainty and is a powerful
enabler for cross-border business, particularly in regulated sectors like finance (for
[KYC](https://www.corbado.com/blog/iso-18013-7-mdl-bank-kyc-onboarding)/[AML compliance](https://www.corbado.com/blog/digital-identity-verification))
and for accessing government services.

### The Pan-Canadian Trust Framework (PCTF)

In contrast to the EU's top-down regulatory approach, the [Pan](https://www.corbado.com/glossary/pan)-Canadian
Trust Framework (PCTF) is a collaborative, non-binding model developed by a partnership
between public and private sectors, led by the [Digital ID](https://www.corbado.com/blog/digital-identity-guide)
and Authentication Council of Canada (DIACC).

The PCTF is not a new standard in itself but rather a **governance framework** that
applies and relates existing standards, policies, and best practices to create a common
approach for digital identity interoperability in Canada. Its primary function is to
define a set of auditable rules and conformance criteria. Organizations can have their
services assessed against these criteria and, if successful, become certified participants
in the [Canadian digital identity](https://www.corbado.com/blog/passkeys-canada-overview) ecosystem. This
approach builds trust through transparency, shared processes, and a common understanding
of roles and responsibilities, facilitating collaboration between federal/provincial
[governments](https://www.corbado.com/passkeys-for-public-sector) and private industries like
[banking](https://www.corbado.com/passkeys-for-banking) and [telecommunications](https://www.corbado.com/blog/telstra-passkeys).

### The UK DIATF and U.S. NSTIC

- **UK Digital Identity and Attributes Trust Framework (DIATF):** This is a UK government
  initiative designed to create a competitive and secure market for digital identity
  services. The DIATF sets out detailed rules and standards that providers must follow to
  become certified. A key feature is the creation of a public register of certified
  providers and a government-backed "trust mark" that will be displayed by compliant
  services. This is intended to make it easy for users and businesses to identify
  trustworthy digital identity providers, thereby stimulating adoption and innovation in
  the UK economy.

- **U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC):** Announced in
  2011, the NSTIC was a foundational White House initiative that articulated a vision for
  an "Identity Ecosystem." While not a formal framework itself, it laid the philosophical
  groundwork for many subsequent identity projects in the U.S. It promoted four guiding
  principles: digital identity systems should be privacy-enhancing, secure and resilient,
  interoperable, and cost-effective and easy to use. The NSTIC catalyzed the formation of
  the private-sector-led Identity Ecosystem Steering Group (IDESG) and numerous pilot
  projects, fostering a market-driven approach to digital identity in the United States.

### Comparative Analysis of Major Digital Identity Trust Frameworks

The following table provides a high-level comparison of these influential trust
frameworks. This allows for a quick understanding of their different approaches to
governance, legal status, and primary objectives, offering valuable context for businesses
operating in or across these regions.

| **Framework**     | **Governance Model**                          | **Legal Status**                                           | **Key Features**                                                                                                                     | **Primary Use Case**                                                                                              |
| ----------------- | --------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| **eIDAS (EU)**    | Government Regulation (EU Commission)         | Legally Binding in all EU member states                    | Mutual recognition of eIDs, legally equivalent e-signatures, trust services (seals, timestamps).                                     | Cross-border public and private sector transactions (e.g., opening a bank account in another EU country).         |
| **PCTF (Canada)** | Public-Private Partnership (DIACC)            | Voluntary Conformance & Certification                      | Common set of definitions, processes, and conformance criteria. Technology-agnostic.                                                 | Enabling interoperability between federal/provincial governments and the private sector (e.g., banking, telecom). |
| **DIATF (UK)**    | Government-led Framework                      | Voluntary Certification (moving towards statutory backing) | Rules for certification, public register of trusted providers, government-issued trust mark.                                         | Creating a competitive market of trusted digital identity providers for the UK economy.                           |
| **NSTIC (U.S.)**  | Government Vision / Public-Private Initiative | Foundational Strategy (not a binding framework)            | Guiding principles (privacy, security, interoperability). Fostered pilot projects and the Identity Ecosystem Steering Group (IDESG). | Catalyzing the development of a market-driven identity ecosystem in the United States.                            |

## The Strategic Advantage: Business and Developer Implications

Participating in or aligning with a **digital identity trust framework** is not merely a
technical or compliance exercise; it is a strategic imperative that unlocks significant
business value. For product managers, it is a pathway to reducing risk and improving user
experience. For developers, it provides a clear roadmap for building secure,
interoperable, and [future-proof](https://www.corbado.com/faq/are-passkeys-the-future) systems.

### For Product Managers: Reducing Fraud and Friction

- **Enhanced Security and Fraud Prevention:** By integrating with a **trust framework**, a
  service can rely on high-quality, verified identity credentials from accredited
  [issuers](https://www.corbado.com/glossary/issuer). This dramatically reduces the risk of fraudulent account
  openings and transactions. For regulated industries, this is particularly valuable for
  meeting stringent Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements,
  as the framework provides an auditable trail of high-assurance
  [identity verification](https://www.corbado.com/blog/digital-identity-guide).

- **Streamlined User Onboarding:** One of the most significant benefits is the ability to
  enable reusable digital identities. When a user can present a pre-verified credential
  from a trusted [issuer](https://www.corbado.com/glossary/issuer) (like their bank or government), they no
  longer need to manually upload documents, enter personal data, and wait for verification
  for every new service they sign up for. This drastically reduces onboarding friction,
  which is a major cause of customer abandonment, leading to higher
  [conversion rates](https://www.corbado.com/blog/logins-impact-checkout-conversion) and a better overall user
  experience.

- **Increased Trust and Conversion:** In a digital world rife with scams and data
  breaches, trust is a valuable currency. Services that participate in a recognized
  **trust framework** and display an official trust mark can signal a higher level of
  security and privacy to their users. This builds immediate confidence, encouraging users
  to engage with the service and share their information, ultimately leading to higher
  conversion and retention.

### For Developers: Simplifying Compliance and Interoperability

- **Future-Proofing with Standards:** **Trust frameworks** are forward-looking and mandate
  the use of modern, secure, and open standards like **WebAuthn**. By building
  applications with these standards from the outset, developers ensure their systems are
  not only secure today but also compatible with the future of digital identity, avoiding
  the need for costly re-architecting down the line.

- **Simplified Compliance:** Navigating the complex web of security requirements, privacy
  laws, and industry regulations can be a massive burden for development teams. A trust
  framework provides a clear, auditable checklist of requirements. Adhering to the
  framework serves as a clear demonstration of due diligence to regulators, partners, and
  enterprise customers, simplifying compliance and security audits.

- **The Role of Passkeys-as-a-Solution:** While the benefits are clear, correctly
  implementing all the complex cryptographic requirements of **WebAuthn**, ensuring a
  seamless user experience across every browser and device, and keeping up with the
  evolving standard is a significant engineering challenge. A Passkeys-as-a-Solution
  platform like Corbado abstracts this complexity away. It provides developers with a
  simple API that delivers a fully compliant, high-assurance authentication layer. This
  allows development teams to bypass the steep learning curve and implementation risks,
  enabling them to satisfy the [AAL2](https://www.corbado.com/blog/nist-passkeys) and [AAL3](https://www.corbado.com/blog/nist-passkeys)
  requirements of a **trust framework** out of the box and focus their resources on
  building their core product features.

## Trust Framework FAQs

### What is the difference between a trust framework and a technology standard like WebAuthn?

A trust framework is the high-level governance framework—the complete set of rules, legal
agreements, and operational policies that govern an entire identity ecosystem. A
technology standard like WebAuthn is a specific tool or protocol that can be used to meet
the technical rules of the framework, such as fulfilling a requirement for
phishing-resistant multi-factor authentication.

### Are trust frameworks legally binding?

This depends on the specific framework. The EU's eIDAS is a legal regulation and is
binding for public services across all member states, giving it the force of law. Other
models, like the [Pan](https://www.corbado.com/glossary/pan)-Canadian Trust Framework, are based on voluntary
conformance, where participants agree to be audited and certified to demonstrate their
trustworthiness.

### How do passkeys fit into an identity assurance framework?

Passkeys are a close technological match for modern identity assurance frameworks. Their
design, which combines device possession with a
[user verification](https://www.corbado.com/blog/webauthn-user-verification) step (biometric/PIN), allows them to
natively meet high Authenticator Assurance Levels (AALs) like AAL2 and AAL3, as defined by
standards like [NIST](https://www.corbado.com/blog/nist-passkeys) SP 800-63-3, providing strong,
phishing-resistant authentication. The relying party has to do its part: it must request
user verification and check the UV flag, and reserve AAL3 for device-bound credentials
on suitably certified hardware.

### What is a digital identity trust network?

A digital identity trust network refers to the entire ecosystem of participants—including
issuers, verifiers, and holders—that operate under the common set of rules defined by a
trust framework. The framework provides the essential governance that allows the network
to function securely and enables different services to trust each other's identity
credentials.

### Who governs a digital identity trust framework?

Governance is typically handled by a designated Trust Framework Authority. This entity can
be a government body (like a department for digital services), an independent regulator,
or an industry-led consortium. Its primary role is to set the rules, update the framework,
and accredit participants to ensure the integrity of the ecosystem.
