Yannick Rugamba says
One crucial aspect highlighted in NIST SP 800-63A is the significance of minimizing the gathering of information (PII) when verifying one's identity. It stresses the need to only collect data required to confirm and authenticate the identity. This practice of minimizing data aims to safeguard users' privacy by restricting the collection of information, thereby lowering the chances of access to or misuse of such data.
Eyup Aslanbay says
The rise in digital services across various sectors has made Enrollment and Identity Proofing increasingly vital, especially with growing cases of impersonation and fraud. NIST 800-63A provides guidelines for individuals to authenticate their identities and enroll in identity systems, offering criteria for risk mitigation in both remote and in-person scenarios.
Bo Wang says
NIST SP 800-63A, part of the “Digital Identity Guidelines,” outlines the requirements for enrollment and identity proofing. It emphasizes the need for varying levels of identity proofing (IALs) based on the risk associated with the service or application. Higher risk levels require more stringent proofing processes to ensure the identity being claimed is not fraudulent.
Yannick Rugamba says
I'm curious, though: how challenging is it for companies to figure out the IAL for their needs? It seems like getting that risk evaluation accurate could be quite tricky.
When it comes to IALs, I can picture the verification process becoming quite rigorous and possibly causing some resistance from users… I suppose that's the compromise for security.
It serves as a reminder that there isn't a one-size-fits-all solution. The guidelines allow for customization of the verification process based on the circumstances. Pretty fascinating stuff!
Celinemary Turner says
NIST SP 800-63A includes the enrollment and identity proofing process requirements before users access the system. There are three different identity assurance levels. Identity Assurance Level 1 does not require linking the applicant to a specific real-life identity. Identity Assurance Level 2 requires users to prove their identity remotely or in person. Identity Assurance Level 3 takes a step further than Level 2 and requires the user to identify themselves using one of the biometric authentication processes.
Jon Stillwagon says
In NIST SP 800-63A, the objective of the identity assurance level requirements for identity proofing is to make sure that whoever claims to be who they say they are is held to some level of certitude. Reaching that level of certitude includes presentation, validation, and verification of the person's identity. There is a process for proofing one's identity, which goes resolution first, validation second, and verification third. There are also three categories, identity assurance levels 1, 2, and 3; each level tells what to do and what not to do. For example, a level 1 identity assurance shall not validate and verify attributes.
Eyup Aslanbay says
Yes, NIST SP 800-63A breaks down identity assurance into stages and levels, clearly highlighting the nuanced differences, especially the limitations at level 1, in the identity proofing process. It’s a good point.
Ooreofeoluwa Koyejo says
There are two specific use cases for deriving identity:
1. A claimant seeks to obtain a derived personal identity verification, bound to their identity record, for use only within the limits and authorizations of having a personal identity verification smartcard.
2. An applicant seeks to establish a credential with a credential service provider with which the individual does not have a pre-existing relationship.
There are two general categories of threats to the enrollment process: impersonation, and either compromise or malfeasance of the infrastructure provider.