The interesting aspect here was understanding that digital identity guidelines, enrollment and identity proofing involve verifying that the claimed identity is associated with the real person supplying the identity evidence. I learned that there are expected outcomes when a subject is identity proofed according to NIST guidelines, and these include:
Resolving a claimed identity to a single, unique identity within the context of the population of users the CSP serves.
Validating that all supplied evidence is correct and genuine (e.g., not counterfeit or misappropriated).
Validating that the claimed identity exists in the real world.
Hi Percy,
I believe that the guidelines set by NIST to verify the identity of an individual are very efficient. It is very important that certain criteria are put in place for authentication.
Best,
Natalie Dorely
After reading NIST SP 800-63A – Digital Identity Guidelines: Enrollment & Identity Proofing and its usability considerations, I learned that the main objective of usability for enrollment and identity proofing is to promote a smooth, positive enrollment process for users by minimizing user burden and enrollment friction. It therefore means that organizations need to familiarize themselves with their users to understand their needs and to promote a positive user experience throughout the process. The enrollment and identity proofing process should be designed and implemented so it is easy for users to do the right thing, difficult to do the wrong thing, and easy to recover when the wrong thing happens.
Reading what you garnered from the NIST 800-63A publication helped me become more secure in my understanding of the role usability plays in the overall success of the enrollment and identity proofing processes. There is a distinct focus in these documents on meeting both the digital identity guidelines and the functional requirements laid out by the organization and the users of the digital identity services being employed. Ultimately, you summarized the required attributes of a good enrollment and identity proofing system in your final sentence quite well.
Hello Ugo,
You are right in stating that the purpose of these guidelines is to do both: provide a smooth and effective enrollment process while at the same time not burdening users with unnecessary overhead tasks. A right boundary needs to be set by every organization when designing an access management system to ensure users are capable of meeting those requirements. A very basic example would be if users are asked to maintain separate passwords for various applications; there is a very good chance that users might write them on a piece of paper and keep it in an unsafe place.
NIST SP 800-63A “Digital Identity Guidelines: Enrollment and Identity Proofing” provides requirements for enrollment and identity proofing of applicants to access resources based on each identity assurance level. Figure 4-1 in this document outlines the flow of identity proofing and enrollment. The journey of proving identity and enrollment takes 3 steps, which are resolution, validation, and verification. Firstly, the applicant’s PII is collected by the credential service provider, and then this information is validated and verified to successfully complete the proofing process.
One key takeaway I received from this reading is the different types of threats that can be encountered with the CSP. These threats include falsified identity, fraudulent use of another’s identity, and repudiation of enrollment. This is why certain methods are implemented to help control this type of behavior from outside sources. For example, a method used to ensure the enrollment of an individual would stop the same individual from attempting repudiation, as records exist that the individual previously enrolled.
Hi Natalie,
With the methods provided by the document, the three main threats related to enrollment can be easily solved and the CSP will run much more safely.
NIST SP 800-63A describes requirements for enrollment and identity proofing of applicants who want to gain access to resources at each Identity Assurance Level (IAL). Identity Assurance Levels are categorized into 3 levels, which are IAL1, IAL2, and IAL3. One key point that I picked is the process flow for identity proofing and enrollment. There are 3 main processes, which are resolution, validation, and verification. For the resolution process, the CSP will gather the evidence of PII as core attributes. After that, the CSP will validate the authenticity, validity, and accuracy of the identity information. Lastly, the CSP will verify the evidence between the claimed identity and the real-life existence of the subject presenting the evidence.
After reading through the NIST 800-63A publication, which further elaborates on the standardized digital identity guidelines and requirements for the enrollment and identity verification of identities, I took an interest in the section related to threats faced during the enrollment process and their respective mitigation strategies. The section itself focuses on the 2 major categories that threaten the enrollment process, those being “compromise or malfeasance of the infrastructure provider”, or impersonation, which is more heavily focused on in this publication. One thing to note is how this section makes reference to the NIST 800-53 publication, which we have previously touched on, when referencing infrastructure threats to the enrollment process, due to it not being as thoroughly explained in this publication. It is interesting to learn how impersonation becomes increasingly difficult as the level of assurance increases, due to the increased effort and controls of the credential service provider to authenticate, verify and ensure non-repudiation upon enrollment.
Good point, Imran. May we also remember that the security categorization will generally be based on the most sensitive or critical information received by, processed in, stored in, and/or generated by the system under review.
NIST 800-63-3A Digital Identity Guidelines Enrollment and Identity Proofing. This guide gives more details on how to implement the requirement for each level. For example level 1 could be: address, full name, DoB. Level 3 could be a physical presence as proof of identity with more pieces of evidence of superior strength.
It also provides the processes of resolution, validation, and verification required by each level of identification.
NIST 800-63A outlines Digital Identity Guidelines on enrollment and identity proofing. The first thing that came to mind while reading this special publication is “what happens when a user’s credentials are shared or compromised without them knowing?” Enrolling a user is fairly simple and should not be a point of failure within an organization, as an admin provides credentials for the user. Where the point of failure would be is if a malicious user gains access to credentials and then elevates themselves or another user to admin privileges. However, could organizations run periodic scans of accounts to make sure that there are no accounts that the admin doesn’t know about or that could present a vulnerability?
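One concrete way to run the periodic account check raised in the post above, as an added example (this is not code from NIST SP 800-63A or from anyone in the thread; the one-line-per-account export format, the privileged group names and all sample data are constructed for illustration). The idea is to keep the set of accounts the administrator knowingly enrolled as a baseline, and on each run compare the live account list against it: any account the admin never enrolled, or any enrolled account that has picked up an administrative group since enrollment, is reported.

```python
"""Periodic account reconciliation check.

Compares the accounts that actually exist on a system against the set the
administrator knowingly enrolled, and flags anything unexpected: accounts the
admin does not know about, enrolled accounts that have gained a privileged
group since enrollment, and enrolled accounts that have disappeared.

Added example for this discussion; the one-line-per-account export format,
the group names and all sample data below are constructed, not taken from
NIST SP 800-63A or any real system.
"""
from dataclasses import dataclass

# Group memberships treated as administrative (assumption for the example).
PRIVILEGED_GROUPS = frozenset({"wheel", "sudo", "Administrators", "Domain Admins"})


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # group memberships as reported by the system


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str    # "unknown_account", "unexpected_privilege" or "missing_account"
    detail: str


def parse_inventory(text: str) -> dict:
    """Parse a constructed 'name:group1,group2' per-line export into Accounts.

    Blank lines and '#' comments are ignored; an account with no groups is
    written as 'name:'.
    """
    accounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, group_field = line.partition(":")
        groups = frozenset(g.strip() for g in group_field.split(",") if g.strip())
        accounts[name.strip()] = Account(name.strip(), groups)
    return accounts


def reconcile(baseline: dict, current: dict) -> list:
    """Return the findings from comparing the live account set to the enrolled one."""
    findings = []
    for name, acct in sorted(current.items()):
        enrolled = baseline.get(name)
        if enrolled is None:
            # Nobody enrolled this account; privileged membership makes it worse.
            priv = sorted(acct.groups & PRIVILEGED_GROUPS)
            detail = "not in enrollment baseline"
            if priv:
                detail += "; holds privileged groups " + ", ".join(priv)
            findings.append(Finding(name, "unknown_account", detail))
            continue
        # Enrolled account: only privileged groups gained since enrollment matter here.
        gained = sorted((acct.groups - enrolled.groups) & PRIVILEGED_GROUPS)
        if gained:
            findings.append(Finding(name, "unexpected_privilege",
                                    "gained privileged groups since enrollment: " + ", ".join(gained)))
    for name in sorted(set(baseline) - set(current)):
        findings.append(Finding(name, "missing_account", "enrolled account no longer present"))
    return findings


# Constructed sample data: what the admin enrolled vs. what the system reports now.
ENROLLED_BASELINE = """
# name:groups granted at enrollment
root:wheel
alice:developers
bob:developers,sudo
carol:helpdesk
"""

LIVE_EXPORT = """
root:wheel
# alice has picked up sudo since she was enrolled
alice:developers,sudo
bob:developers,sudo
# carol is gone; svc_backup and dave were never enrolled
svc_backup:wheel
dave:developers
"""


def run_example() -> list:
    """Run the check over the constructed data and return the findings."""
    return reconcile(parse_inventory(ENROLLED_BASELINE), parse_inventory(LIVE_EXPORT))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:20} {f.account:12} {f.detail}")
```

On the constructed data this reports alice (gained sudo), svc_backup and dave (never enrolled, with svc_backup additionally holding wheel) and carol (enrolled but gone); bob keeps sudo because it was granted at enrollment. In practice the baseline would be the enrollment records the CSP already keeps and the live export would come from the directory or `getent passwd`/group output, and the run would be scheduled rather than invoked by hand.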
NIST SP 800-63A “Digital Identity Guidelines: Enrollment and Identity Proofing” mainly explains the three levels of IAL and the authentication steps. Among them, the CSP plays an important role. The identity proofing process includes Resolution, Validation and Verification. In addition, for IAL2 and IAL3, there are clear guidelines for the CSP specification of authentication information storage. PII, including any biometric, image, scan, or other copy of identity evidence that the CSP will keep as authentication records, cannot be used for any operation other than authentication. The collection of CSP authentication information must be associated with the physical identity.
NIST SP 800-63A deals with identity enrollment and validation. One important point that I found was how the amount of PII collected should be kept to a minimum to help reduce vulnerabilities and prevent unauthorized access or use. What also caught my attention was the mention that collecting too much PII will lead to users feeling that the service is too invasive, thus dropping the application due to privacy concerns. I think that this is interesting when you consider biometrics, as it is one of the most personal types of information; however, users tend to use their fingerprint with no issue because it is an easy way to access an application or device. It raises the question of what is considered to be too invasive versus what is actually invasive but perceived as being user friendly.
NIST SP 800-63A Digital Identity Guidelines: Enrollment and Proofing deals with how to understand how much data is needed to link a person to their identity online for various systems. I think an interesting concept is using the least amount of data needed to link an individual to their online presence for the purpose of the system. The document lays out three levels of identity assurance that are able to describe the user.
IAL1- There is no requirement to link the user to an identity
IAL2- There needs to be evidence to support the identity of the user and it needs to be verified.
IAL3- Physical presence is required for identity proofing. This can support the other 2 underlying levels of assurance if implemented.
Depending on what level your system is at, this establishes what controls must be used to verify identity.
Hi, Christopher James Lukens
Your summary is very good. I would add that these guidelines and regulations are closely related to CSP organizations. They play an important role in data authentication.
This document addresses how applicants can prove their identities and become enrolled as valid subscribers within an identity system. It provides requirements by which applicants can both identity proof and enroll at one of three different levels of risk mitigation in both remote and physically present scenarios. It also sets requirements to achieve a given information assurance level (IAL). The three IALs reflect the options federal agencies may select from based on their risk profile and the potential harm caused by an attacker making a successful false claim of an identity. The strongest authentication is provided by IAL 3, where the CSP matches the details of the claimant while also requiring the claimant to be physically present for authentication.
The key takeaway for me from the document is about threat mitigation strategies. In enrollment, there are mainly three kinds of threats: falsified identity proofing evidence, fraudulent use of another’s identity and enrollment repudiation. For the first two of these threats, there are two strategies for each of them. Two of them are verifying by comparing with the issuer or other authoritative source. One of them is verifying by examining the presented evidence, while one of them is verifying by comparing with non-government-issued documentation. For enrollment repudiation, the one and only strategy is to save a subscriber’s biometric, which obviously belongs to one person, so no repudiation is possible.