Version 1.0 | RFC 8485 Compliant | Last Updated: 2026-01-12
This document defines the Vector of Trust (VoT) components used by the LastID identity system. VoT provides a standardized way to express the trust level of identity assertions, enabling relying parties to make informed access control decisions.
The trust vector is expressed as a period-separated string (e.g., P2.Cf.Cg.Mb.Ac)
containing components for identity proofing (P), credential usage (C), credential management (M),
and assertion presentation (A).
Identity Proofing (P): indicates how strongly the identity attributes in an assertion have been verified.
| Code | Name | Description | Example Credentials |
|---|---|---|---|
| P0 | No Proofing | Ephemeral or anonymous identity with no verification. Not used in LastID credentials. | Anonymous session tokens |
| P1 | Self-Asserted | User-provided information, consistent over time but not independently verified. | LastID.Base, LastID.Persona, low-trust P2P exchanges |
| P2 | Remote Proofed | Identity verified remotely through trusted mechanisms (email/phone verification, basic KYC). | LastID.VerifiedEmail, LastID.VerifiedPhone, LastID.VerifiedPersona (basic/enhanced), medium-trust P2P exchanges |
| P3 | Binding Relationship | Strong identity binding through organizational relationship, in-person verification, or biometric confirmation. | LastID.Employment, LastID.VerifiedPersona (premium), high-trust/biometric P2P exchanges |
Credential Usage (C): indicates how the primary credential (the cryptographic key the user proves possession of) is protected and used.
| Code | Name | Description | Security Level |
|---|---|---|---|
| Ce | Asymmetric Key | Cryptographic proof using asymmetric key stored in software or TEE. | Software, Trusted Execution Environment |
| Cf | Hardware Token | Key stored in sealed hardware (Secure Enclave, StrongBox, or similar). | Secure Element, Hardware-Backed Keystore |
| Cg | Biometric | Local biometric verification (Face ID, Touch ID, fingerprint). Additive to Ce or Cf. | Combined with hardware (Cf.Cg) or software (Ce.Cg) |
Note: C components can be combined. Cf.Cg indicates a hardware-backed key with biometric unlock; Cg on its own is not a valid value, since it is only meaningful on top of exactly one of Ce or Cf. The letter assignments above are specific to this framework and differ from the reference values in RFC 8485 Section 3.2 (where Cf denotes an asymmetric key and Cg a sealed hardware token or TPM), so relying parties must interpret C values against the framework identified by the vtm claim, not against the RFC's reference definitions.
Credential Management (M): indicates how the credential lifecycle (issuance, rotation, revocation, recovery) is managed.
| Code | Name | Description | Example Credentials |
|---|---|---|---|
| Ma | Self-Managed | User has full control over credential rotation and revocation. | LastID.Base, LastID.Persona, LastID.Trust |
| Mb | IDP-Managed | IDP provides remote issuance with backup recovery mechanisms. | LastID.VerifiedEmail, LastID.VerifiedPhone, LastID.VerifiedPersona, LastID.AgeProof |
| Mc | Enterprise-Managed | Organization controls credential with full re-proofing required for rotation. | LastID.Employment |
Assertion Presentation (A): indicates how the signed identity assertion is delivered to the relying party.
| Code | Name | Description | Use Case |
|---|---|---|---|
| Ab | Front-Channel | Signed assertion passed through user agent (browser redirect). | OAuth implicit flow, OIDC authorization response |
| Ac | Back-Channel | Signed assertion delivered via back-channel (token endpoint). | OID4VCI credential issuance, OAuth token exchange |
| Ad | Encrypted | Assertion encrypted to relying party's public key. Additive to Ab or Ac. | High-security scenarios requiring encryption |
Note: A components can be combined. Ac.Ad indicates back-channel with encryption.
Example vectors:
P2.Ce.Mb.Ac: Remote-proofed identity (email verified), software or TEE asymmetric key, IDP-managed, back-channel delivery.
P3.Cf.Cg.Mc.Ac: Binding relationship (employment), hardware-backed key with biometric unlock, enterprise-managed, back-channel delivery.
P1.Cf.Ma.Ab: Self-asserted identity, hardware-backed key, self-managed, front-channel delivery.
Relying parties can request specific trust levels using the vtr (Vector of Trust Request)
parameter in OAuth 2.0 / OpenID Connect authorization requests. The parameter value is a JSON array of acceptable vector strings (URL-encoded when carried as a query parameter). A relying party should treat the returned assertion as meeting its requirement only if the vot it contains satisfies at least one entry of the array.
vtr=["P2.Cf.Ac","P3.Ce"]
Accepts either (P2 with a hardware-backed key, delivered via back-channel; M unconstrained) OR (P3 with a software/TEE asymmetric key; M and A unconstrained). Components omitted from a requested vector are left unconstrained, and additive values present in the returned vot (for example Cg on top of Cf, or Ad on top of Ac) still satisfy a request that did not name them. A relying party that accepts P3 with any key type would therefore list "P3" alone rather than "P3.Ce". RFC 8485 defines no ordering between values, so a P3 assertion does not automatically satisfy a request for P2; list every acceptable vector explicitly, as above.
ID tokens and credentials from LastID include the following VoT claims:
| Claim | Description | Example |
|---|---|---|
| vot | Vector of Trust string | "P2.Cf.Mb.Ac" |
| vtm | Trust framework URL (this document) | "https://human.lastid.co/v1/trust-framework" |
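The following is an added example, not code from LastID or this framework, showing how a relying party would parse a vot string, validate it against the component tables above, match it against the vectors it requested in vtr, and refuse to act on a vot whose vtm is not this framework (necessary because the C letter assignments here differ from RFC 8485's reference values). It assumes the matching semantics stated in the vtr section (exact per-component match, omitted components unconstrained, additive C and A values may be a superset of the request), that Cg and Ad must sit on exactly one base value, and that the caller has already verified the token signature and standard claims. The function names (`parse_vot`, `is_valid_vot`, `satisfies`, `accepted_vector`, `trusted_vot`) and the sample claims are constructed for the example.

```python
import json

FRAMEWORK_URL = "https://human.lastid.co/v1/trust-framework"

# Component values tabulated by this framework (assumed complete).
ALLOWED = {
    "P": {"P0", "P1", "P2", "P3"},
    "C": {"Ce", "Cf", "Cg"},
    "M": {"Ma", "Mb", "Mc"},
    "A": {"Ab", "Ac", "Ad"},
}
# Components that may carry more than one value, with their base values:
# the add-ons (Cg, Ad) are only meaningful on top of exactly one base value.
ADDITIVE = {"C": {"Ce", "Cf"}, "A": {"Ab", "Ac"}}


def parse_vot(vector):
    """Split a period-separated vector into {component: set(values)}.

    Raises ValueError for unknown values, repeated values, a non-additive
    component (P, M) given more than once, or an additive component
    without exactly one base value.
    """
    if not vector:
        raise ValueError("empty vector")
    parsed = {}
    for part in vector.split("."):
        comp = part[:1]
        if comp not in ALLOWED or part not in ALLOWED[comp]:
            raise ValueError(f"unknown component value {part!r}")
        values = parsed.setdefault(comp, set())
        if part in values:
            raise ValueError(f"repeated value {part!r}")
        if values and comp not in ADDITIVE:
            raise ValueError(f"component {comp} may only appear once")
        values.add(part)
    for comp, bases in ADDITIVE.items():
        values = parsed.get(comp, set())
        if values and len(values & bases) != 1:
            raise ValueError(f"component {comp} needs exactly one of {sorted(bases)}")
    return parsed


def is_valid_vot(vector):
    """True if the vector parses under this framework's rules."""
    try:
        parse_vot(vector)
        return True
    except ValueError:
        return False


def satisfies(vot, requested):
    """True if every component named in the request is met by the presented vot.

    Components absent from the request are unconstrained. Values are not
    ordinal (P3 does not satisfy a request for P2); for additive components
    the presented values may be a superset (Cf.Cg meets a request for Cf,
    but Cf alone does not meet a request for Cf.Cg).
    """
    have = parse_vot(vot)
    want = parse_vot(requested)
    return all(comp in have and vals <= have[comp] for comp, vals in want.items())


def accepted_vector(vtr_json, vot):
    """Return the first vtr entry the presented vot satisfies, else None.

    vtr_json is the raw JSON array string carried in the vtr parameter.
    """
    requested = json.loads(vtr_json)
    if not isinstance(requested, list) or not all(isinstance(v, str) for v in requested):
        raise ValueError("vtr must be a JSON array of vector strings")
    for candidate in requested:
        if satisfies(vot, candidate):
            return candidate
    return None


def trusted_vot(claims, vtr_json):
    """Check an ID token's VoT claims before using them for access control.

    The vot string only has meaning under the framework named by vtm, so a
    token whose vtm is another framework is rejected even if its vot looks
    valid. Returns the matched vtr entry. Caller must already have verified
    the JWT signature, issuer, audience and expiry.
    """
    if claims.get("vtm") != FRAMEWORK_URL:
        raise ValueError(f"vot not issued under {FRAMEWORK_URL}: {claims.get('vtm')!r}")
    match = accepted_vector(vtr_json, claims["vot"])
    if match is None:
        raise ValueError(f"vot {claims['vot']!r} meets none of the requested vectors")
    return match


if __name__ == "__main__":
    # Constructed sample: the vtr from this page and one ID token's claims.
    vtr = '["P2.Cf.Ac","P3.Ce"]'
    claims = {"vot": "P2.Cf.Cg.Mb.Ac", "vtm": FRAMEWORK_URL}
    print(trusted_vot(claims, vtr))  # P2.Cf.Ac
```

Note that `trusted_vot` checks vtm before it looks at vot at all: a token that carries a syntactically valid vot under a different trust framework would otherwise be accepted with the wrong meaning attached to its C component.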