Zibai Yang says
This document specifically addresses the 3 different identity assurance levels.
Level 1: There is no need to link the applicant to a specific real identity. Any attributes provided with the authentication process are self-declared or should be considered as such (including attributes asserted by the credential service provider, or CSP, to the RP).
Level 2: Evidence supports the declared identity’s true existence and verifies that the applicant has been properly associated with this real identity. IAL2 introduced the identification of remote or actual existence. The CSP can declare to the RP that the attributes support pseudonymous identities with verified attributes.
Level 3: Identity proofing requires physical presence. The identification attributes must be verified by a CSP-authorized and well-trained representative. Like IAL2, it is possible to declare that the CSP supports the RP’s attributes to support pseudonymous identities with verified attributes.
Zhen Li says
Hi, Zibai, I agree with your points. I think each level of risk or IAM level has its own requirements for evidence and verification so the end user can be validated and enroll in the identity system.
Xinyi Zheng says
Identity resolution is a data management process through which an identity is searched and analyzed between disparate data sets and databases to find a match and/or resolve identities. The goal of identity resolution is to uniquely distinguish an individual within a given population or context; it provides the credential service provider (CSP) an important starting point in the overall identity proofing process and the initial detection of potential fraud. Identity validation has three steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
Haozhe Lin says
Hi Xinyi,
Your explanation of identity resolution is clear. Identity resolution is a process of collecting and matching identifiers across devices and touchpoints to establish a unified, omnichannel view of individual consumers so that brands can provide personalized, environment-related information throughout the customer journey.
Priyanka Ranu says
The section that caught my attention is the identity assurance level requirements and the steps an applicant undergoes in the identity proofing and enrollment process. The sole purpose of identity proofing is to verify that the person is who they claim to be. Figure 4.1 outlines the basic flow for identity proofing and enrollment. First, the applicant’s core attributes and evidence are collected, such as PII from the applicant and two forms of identity evidence; next, the evidence is validated by checking an authoritative source; and lastly, the evidence is verified, where the CSP asks for the applicant’s photo and an enrollment code sent to their validated phone. After these steps, the applicant will be successfully proofed.
Ting-Yen Huang says
Hi Priyanka, I agree with your point. The sole purpose of identity proofing is to verify that the person is who they claim to be. The process should be followed, but if the organization alters the process, it has to make sure the core functionality is not lost.
Wenyao Ma says
Hi Priyanka,
Thanks for sharing. Usability becomes more secure during the registration and identification process. The focus of these documents is to meet the digital identity criteria and functional requirements at the same time, which are proposed by the organizations and users of the digital identity services used. The final conclusion is a good summary of the attributes required for a good registration and identification system.
Haozhe Lin says
Identity resolution is the process of attributing customer behavior and interaction with the business (across all touchpoints, platforms, or channels) to a single unified customer profile. Then, any team in the organization can use this profile to better serve each customer. This relatively simple explanation masks the complexity of unified customer interaction in the 21st century. At the turn of the century, the average home had 11 connected devices, including seven different screens. Also, Google found that 90% of Internet users complete a task through mobile devices. Who among us has not studied products on our mobile phones, but later converted on the desktop? While the number of touchpoints has increased, customer expectations have also increased.
Mei X Wang says
Hi Haozhe, in today’s society, we are heavily dependent on our mobile devices and various forms of personal computers. Having a unified customer profile is a great asset in helping us save time and granting us access to multiple streams of devices. Some issues may occur from leveraging one profile as the main source of authentication. Oftentimes, another form of authentication such as tokens should be used as well to adequately protect the user.
Junhan Hao says
Authentication technology is an effective solution to the process of verifying the identity of the operator in a computer network. All the information in the computer network world, including the user’s identity information, is represented by a set of specific data. The computer can only identify the user’s digital identity, and all authorization granted to the user is also authorization for the user’s digital identity. How to ensure that the operator of a digital identity is its legal owner, that is to say, that the operator’s physical identity corresponds to the digital identity, is the problem that identity authentication technology solves; as the first pass for protecting network assets, identity authentication plays a decisive role. There are many authentication methods, which can be divided into authentication based on a shared key, authentication based on biological characteristics, and authentication based on public key encryption algorithms.
Ting-Yen Huang says
Identity assurance level 1. A CSP that supports only IAL1 shall not validate and verify attributes. The CSP may request zero or more self-asserted attributes from the applicant to support their service offering. At the same time, an IAL2 or IAL3 CSP should support RPs that only require IAL1, if the user consents. IAL2 allows for remote or in-person identity proofing. IAL2 supports a wide range of acceptable identity proofing techniques in order to increase user adoption, decrease false negatives, and detect to the best extent possible the presentation of fraudulent identities by a malicious applicant. These are the guidelines provided by the NIST guide.
Jonathan Castelli says
This section outlines the process of how applicants can prove their identities and enroll in an identity system. The quality requirements are defined and included in the document, as well as the threat mitigation strategies.
The process flow includes an applicant being able to be resolved to an individual with enough unique attributes so that you can ID them from a population. The next step is validation, where you can authenticate, validate and be sure that the information is accurate. Once the validation process is complete, you can verify the identity of the individual trying to enroll. The verification process is where you link the ID and real-life existence of a person to the one who has provided the evidence.
Each level of risk or IAM level has its own requirements for evidence and verification so the end user can be validated and enroll in the identity system. For example, IAM3 requires all users to have two types of SUPERIOR evidence, OR one SUPERIOR and one STRONG evidence, OR two STRONG and one FAIR evidence. They must provide the evidence in person or supervised remotely. The evidence is validated and then verified with a strength of SUPERIOR. Once the individual meets all of the requirements to be validated, they can enroll in the identity system.
Jonathan Castelli says
Correction to third paragraph:
Each level of risk or IAL*
Cami Chen says
There are several steps that provide proofing for digital identity, including resolution, validation, and verification. First, the companies can get the applicant’s PII and different forms of identity documents through Credential Service Providers (CSP). The applicant can fill in the personal information and submit the driver’s license on the company’s website. After this, the CSP will review the applicant’s information by checking the documents’ code and ID number. Once the applicant’s information and the documents are matched, the company will receive a confirmation by providing the enrollment code to the CSP. In order to assure the authentication, the CSP helps many companies authenticate the applicant’s information and reduce some potential risks, such as a lawsuit for hiring unauthorized employees, and conduct risk management such as the assessments of privacy and security.
Heather Ergler says
I found the information on the CSP interesting as well including the types of documentation a CSP can use to verify identities. CSPs are specifically prohibited from using social security numbers to verify an identity unless there is no other alternative verification method.
Krish Damany says
The key takeaway from this document is that IAL1 is the least secure identification method for assurance levels. IAL2 seems like a good middle ground for making sure users are who they are, while also providing necessary information for CSPs to help verify. IAL2 requires at least one piece of strong evidence for validation, that verification has to be of “strong” strength, a code will be sent to an address of choice for enrollment, optional biometric authentication, and moderate baseline SP 800-53. Of course, this is only secure if the user only gives baseline information to the CSP to verify, as giving too much information could compromise your account.
Mei X Wang says
The key takeaway from the guideline is the identity assurance levels: the assurance of the subscriber’s identity is either IAL1, IAL2, or IAL3.
In IAL1, there is no requirement for the applicant to be linked to a specific real-life identity. The attributes used are self-asserted or treated as self-asserted and are working in conjunction with the subject’s activities. These attributes are neither validated nor verified, making it the weakest identification method.
In IAL2, the subject has evidence to support the real-world existence of the identity, and it also verifies that the applicant is appropriately associated with this identity. It forces there to be a form of remote or physically present proof of identity.
In IAL3, it is the most secure form of authentication and only provides the specific attribute requested by the authenticator. For example, if the attribute needed is birthdate, the subscriber only needs to provide their birthday. It is the highest form of assurance, so the user can maintain an IAL3 identity and use it for IAL2 and IAL1 transactions.
Vanessa Marin says
An interesting takeaway of this publication is that not all validation needs, or even desires, full information on the entities engaging in an internet transaction. The examples given are use cases where anonymity or pseudonymity are required, while there are others that require a reliable establishment of real-life subjects. Such real-life confirmations are required in financial transactions or in health care. However, for transactions like census taking, only a simple zip code will suffice. This highlights the criticality of choosing the right Identity Assurance Level: IAL1 (no requirement for real-life identification), IAL2 (association with a real-world identity) and IAL3 (physical confirmation of identity).
Anthony Messina says
This paper went deeper into identity resolution validation and resolution. Section 4 of the paper describes what is needed for the 3 IALs (identity assurance levels). IAL1 requires no evidence and will not validate or verify attributes. IAL2 requires one piece of SUPERIOR evidence, or two pieces of STRONG evidence, or one piece of STRONG evidence plus two pieces of FAIR evidence. IAL3 requires two pieces of SUPERIOR evidence, or one piece of SUPERIOR and one piece of STRONG evidence if the issuing source of the STRONG evidence, during its identity proofing event, confirmed the claimed identity by collecting two or more forms of SUPERIOR or STRONG evidence and the CSP validates the evidence directly with the issuing source.
Some factors that rank SUPERIOR evidence are:
The issuing source of the evidence confirmed the claimed identity by following written procedures designed to enable it to have high confidence that the source knows the real-life identity of the subject. Such procedures are subject to recurring oversight by regulatory or publicly accountable institutions.
The issuing source visually identified the applicant and performed further checks to confirm the existence of that person.
The issuing process for the evidence ensured that it was delivered into the possession of the person to whom it relates.
Factors for STRONG evidence are:
The issuing process for the evidence ensured that it was delivered into the possession of the subject to whom it relates.
The issued evidence contains at least one reference number that uniquely identifies the person to whom it relates.
The full name on the issued evidence must be the name that the person was officially known by at the time of issuance. Not permitted are pseudonyms, aliases, an initial for surname, or initials for all given names.
FAIR evidence would be classified as:
The issuing source of the evidence confirmed the claimed identity through an identity proofing process.
The issuing process for the evidence means that it can reasonably be assumed to have been delivered into the possession of the person to whom it relates.
The issued evidence is unexpired.
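As an added example (not from the discussion or from NIST's own text), the evidence-combination rules Anthony lists for IAL2 and IAL3, together with the IAL3 "two STRONG and one FAIR" option from Jonathan's post, written as the check a CSP could run on an applicant's evidence bundle before deciding which level it can proof to. Assumptions: stronger evidence may fill a slot that asks for weaker evidence, expired evidence is discarded before counting, and the two issuer-condition flags on `Evidence` and the sample documents with their strengths are hypothetical.

```python
"""Evidence-strength check for identity proofing at IAL2 and IAL3 (SP 800-63A style)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Optional, Tuple


class Strength(IntEnum):
    """Evidence strengths used by SP 800-63A, ordered so that > means stronger."""
    UNACCEPTABLE = 0
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass(frozen=True)
class Evidence:
    kind: str                  # free-text label; the sample documents below are constructed
    strength: Strength
    unexpired: bool = True
    # Hypothetical flags modelling the conditional IAL3 option: the issuer of this
    # STRONG evidence collected two or more SUPERIOR/STRONG pieces during its own
    # proofing event, and the CSP validated the evidence directly with that issuer.
    issuer_proofed_with_two_strong: bool = False
    validated_with_issuer: bool = False


S, ST, F = Strength.SUPERIOR, Strength.STRONG, Strength.FAIR

# Each rule is a list of "slots" giving the minimum strength of evidence for that slot.
IAL2_RULES: Dict[str, List[Strength]] = {
    "one SUPERIOR": [S],
    "two STRONG": [ST, ST],
    "one STRONG plus two FAIR": [ST, F, F],
}
IAL3_RULES: Dict[str, List[Strength]] = {
    "two SUPERIOR": [S, S],
    "two STRONG plus one FAIR": [ST, ST, F],
}


def _fills_slots(pieces: List[Evidence], required: List[Strength]) -> bool:
    """Greedy matching: the strongest available piece goes to the most demanding slot.
    Assumption: stronger evidence may fill a slot that only asks for weaker evidence."""
    have = sorted((p.strength for p in pieces), reverse=True)
    need = sorted(required, reverse=True)
    return len(have) >= len(need) and all(h >= n for h, n in zip(have, need))


def _matching_rule(pieces: List[Evidence], rules: Dict[str, List[Strength]]) -> Optional[str]:
    for name, slots in rules.items():
        if _fills_slots(pieces, slots):
            return name
    return None


def _superior_plus_qualifying_strong(pieces: List[Evidence]) -> bool:
    """The SUPERIOR + STRONG route to IAL3 counts only under the issuer conditions
    recorded on the STRONG piece (see the Evidence flags above)."""
    has_superior = any(p.strength == S for p in pieces)
    return has_superior and any(
        p.strength == ST and p.issuer_proofed_with_two_strong and p.validated_with_issuer
        for p in pieces
    )


def assess(evidence: Iterable[Evidence]) -> Tuple[str, str]:
    """Return (highest IAL whose evidence requirement is met, the rule that met it).
    Expired evidence is dropped first, because validation requires current evidence.
    Only the evidence-strength requirement is checked here; IAL3 additionally needs
    in-person or supervised remote proofing and biometric collection."""
    usable = [e for e in evidence if e.unexpired]
    rule = _matching_rule(usable, IAL3_RULES)
    if rule:
        return "IAL3", rule
    if _superior_plus_qualifying_strong(usable):
        return "IAL3", "one SUPERIOR plus one qualifying STRONG"
    rule = _matching_rule(usable, IAL2_RULES)
    if rule:
        return "IAL2", rule
    return "IAL1", "self-asserted attributes only (nothing validated or verified)"


# Constructed sample documents; the strength assigned to each is assumed for illustration.
PASSPORT = Evidence("passport", S)
EXPIRED_PASSPORT = Evidence("passport", S, unexpired=False)
LICENSE = Evidence("driver's license", ST)
LICENSE_ISSUER_CHECKED = Evidence("driver's license", ST,
                                  issuer_proofed_with_two_strong=True, validated_with_issuer=True)
UTILITY_BILL = Evidence("utility bill", F)
BANK_STATEMENT = Evidence("bank statement", F)

if __name__ == "__main__":
    # Walk a few constructed evidence bundles and show which level each one reaches.
    for bundle in ([PASSPORT], [LICENSE, UTILITY_BILL], [LICENSE, UTILITY_BILL, BANK_STATEMENT],
                   [PASSPORT, LICENSE], [PASSPORT, LICENSE_ISSUER_CHECKED],
                   [LICENSE, LICENSE, UTILITY_BILL], [EXPIRED_PASSPORT, LICENSE]):
        level, rule = assess(bundle)
        print([e.kind for e in bundle], "->", level, f"({rule})")
```

The same passport and unchecked license bundle stops at IAL2, and only becomes IAL3 once the license carries the issuer-validation conditions, which is the distinction Anthony's IAL3 sentence is making.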
Cami Chen says
Hi, Anthony. Good point on the proofing factor for strong evidence. The unique reference number can help people identify whether the person is the true one or not. In doing this, the organization will recognize the person’s official name, aliases, race, sex, and nationality. This can reduce the risk of hiring unauthorized employees.
Heather Ergler says
I followed the theme from 800-63-3 into this reading, paying particular attention to the privacy details that the Credential Service Provider (CSP) is required to complete to ensure personally identifying information risk is minimized. The CSP is not permitted to collect a social security number unless needed to resolve identity confirmation. Other forms of identification are required. Section 4.2 requirements 7 and 10 require the CSP to risk assess privacy by evaluating the verification steps it takes to determine identity, to ensure that a problem is not created for the applicant and that the request is not invasive or results in unauthorized access to information. The CSP also needs to include in the risk assessment a justification for any response it takes to identified privacy risks.
Thanks for mentioning this. The SSN not being permitted to be collected is a good thing they put in there. It should be given out as infrequently as possible to help prevent identity theft, even though they are there to prove the person’s identity. Giving out an SSN should always be a last resort.
The key points that I took away from this reading are the three different identity assurance levels.
Identity Assurance Level 1 is normative. The CSP MAY request zero or more self-asserted attributes from the applicant to support their service offering. An IAL2 or IAL3 CSP SHOULD support RPs that only require IAL1, if the user consents.
Identity Assurance Level 2 is normative. IAL2 allows for remote or in-person identity proofing. IAL2 supports a wide range of acceptable identity proofing techniques in order to increase user adoption, decrease false negatives (legitimate applicants that cannot successfully complete identity proofing), and detect to the best extent possible the presentation of fraudulent identities by a malicious applicant.
Identity Assurance Level 3: IAL3 adds additional rigor to the steps required at IAL2, to include providing further evidence of superior strength, and is subject to additional and specific processes (including the use of biometrics) to further protect the identity and RP from impersonation, fraud, or other significantly harmful damages. Biometrics are used to detect fraudulent enrollments, duplicate enrollments, and as a mechanism to re-establish binding to a credential. In addition, identity proofing at IAL3 is performed in-person.
The key point I learned from the NIST SP 800-63A Digital Identity Guide is that the main purpose of registration and identity proof availability is to promote a smooth, positive registration process and enrollment friction for users by minimizing user burden. Therefore, this means that organizations need to familiarize themselves with their users to understand their needs and promote a positive user experience throughout the process. The registration and identification process should be designed and implemented to make it easy for users to do the right thing, hard to do the wrong thing, and easy to recover when something goes wrong.
IAL2 stood out from this reading for me because it is directly related to operations I perform on a daily basis at work. The section goes through in thorough detail how authentication codes can be sent out, how long they are valid for, and whether they are sent to a postal address or telephone service. In the investing industry we deal with so much PII that verification becomes second nature when it has to be done for every client, but the firm makes sure that we keep our focus on it because, as we often mention, it is usually a human error, not a computer process, that opens a vulnerability in the security.
Identity proofing is the process of verifying a digital identity and establishing a connection to the real-life identity of the subject. To do this, identity evidence must be collected to determine the authenticity, validity, and accuracy of the digital identity against the real-life identity. Identity evidence can include information such as first name, last name, or date of birth. However, in order to be effective, the process should attempt to use the fewest attributes possible and should only use a Social Security Number if absolutely necessary. The publication states the validation process consists of three main steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
Identity resolution is a data management process through which an identity is searched and analyzed between disparate data sets and databases to find a match and/or resolve identities. Identity resolution enables an organization to analyze a particular individual’s or entity’s identity based on its available data records and attributes. The most appropriate identity evidence is a driver’s license or a passport. These documents determine its authenticity, validity, and accuracy. Identity validation is made up of three process steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid.
Zibai Yang says
This document specifically addresses the 3 different identity assurance levels.
Level1: There is no need to link the applicant to a specific real identity. Any attributes provided with the authentication process are self-declared or should be considered as such (including attributes asserted by the credential service provider or CSP to the RP).
Level2: Evidence supports the declared identity’s true existence and verifies that the applicant has been properly associated with this real identity. IAL2 introduced the identification of remote or actual existence. The CSP can declare to the RP that the attributes support pseudonymous identities with verified attributes.
Level3: Identity proof requires physical presence. The identification attributes must be verified by a CSP authorized and well-trained representative. Like IAL2, it is possible to declare that the CSP supports the RP’s attribute to support pseudonymous identities with verified attributes.
Zhen Li says
Hi, Zibai, I agree with your points. I think each level of risk or IAM level has its own requirements for evidence and verification so the end user can be validated and enroll in the identity system.
Xinyi Zheng says
Identity resolution is a data management process through which an identity is searched and analyzed between disparate data sets and databases to find a match and/or resolve identities. And the goal of identity resolution is to uniquely distinguish an individual within a given population or context, it provides the credential service provider (CSP) an important starting point in the overall identity proofing process and the initial detection of potential fraud. Identity validation have three steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
Haozhe Lin says
Hi Xinyi,
Your explanation for Identity resolution is clear. Identity resolution is a process of collecting and matching identifiers across devices and touchpoints to establish a unified, Omnichannel view of individual consumers so that brands can provide personalized, environment-related information throughout the customer journey.
Priyanka Ranu says
The section that caught my attention is the identity assurance level requirements and the steps involved in which an applicant undergoes an identity proofing and enrollment process. The sole purpose of identity proofing is to verify that the person is who they claim to be. Figure 4.1 outlines the basic flow for identity proofing and enrollment. First, the applicant’s core attributes and evidence are collected such as PII from the applicant and two forms of identity evidence, next evidence is validated through checking an authoritative source, and lastly evidence is verified where the CSP asks for the applicant’s photo and enrollment code sent to their validated phone. After these steps, the applicant will be successfully proofed.
Ting-Yen Huang says
Hi Priyanka, i agree with your point. The sole purpose of identity proofings is to verify that the person is who they claim to be. The process should be folloed, but if the organization altered the process, it has to make sure the core functionality is not lost.
Wenyao Ma says
Hi Priyanka
Thanks for your sharing. Usability becomes more secure during the registration and identification process. The focus of these documents is to meet the digital identity criteria and functional requirements at the same time, which are proposed by the organizations and users of the digital identity services used. The final conclusion is a good summary of the attributes required for a good registration and identification system.
Haozhe Lin says
Identity resolution is the process of attributing customer behavior and interaction with the business (across all touchpoints, platforms, or channels) to a single unified customer profile. Then, any team in the organization can use this profile to better serve each customer. This relatively simple explanation masks the complexity of unified customer interaction in the 21st century. At the turn of the century, the average home has 11 connected devices, including seven different screens. Also, Google found that 90% of Internet users complete a task through mobile devices. Who among us has not studied the products on our mobile phones, but later converted them on the desktop. While the number of touchpoints has increased, customer expectations have also increased.
Mei X Wang says
Hi Haozhe, in today’s society, we are heavily dependent on our mobile devices and various forms of personal computers. Having a unified customer profile is a great asset in helping us save time and granting us access to multiple streams of devices, Some issues may occur from leveraging one profile as the main source of authentication. Oftentimes, another form of authentication such as tokens should be used as well to adequately protect the user.
Junhan Hao says
Authentication technology is an effective solution to the process of verifying the identity of the operator in the computer network. All the information in the computer network world, including the user’s identity information, is represented by a set of specific data. The computer can only identify the user’s digital identity, and all the authorization to the user is also the authorization for the user’s digital identity. How to ensure that the operator of the digital identity operation is the legal owner of the digital identity, that is to say, to ensure that the physical identity of the operator and digital identity corresponding, identity authentication technology is to solve this problem, as the first pass to protect network assets, identity authentication has a decisive role. There are many authentication methods, which can be divided into: authentication based on shared key, authentication based on biological characteristics and authentication based on public key encryption algorithm.
Ting-Yen Huang says
Identity assurance level 1. A CSP that supports only IAL1 shall not validate and verify attributes. The CSP may request zero or more self-asserted attributes from the applicant to support their service offering. At the same time, an IAL2 or IAL 3 CSP should support RPs that only ewquires IAL1, if the user consents. IAL2 allows for remote or in-person identify proofing. IAL2 supports a wide range of acceptable identity proofing techniques in order to increase user adoption, decrease false negative. And detect to the best extent possible the presentation of fraudulent identities by a malicious applicant. These are the guide which is provided by the NIST guid.
Jonathan Castelli says
This section outlines the process on how applicants can prove their identities and enroll in an identity system. The quality requirements are defined and included in the document as well as the threat mitigation strategies.
The process flow includes an applicant being able to be resolved to an individual with enough unique attributes so that you can ID them from a population. The next step is validation, where you can authenticate, validate and be sure that the information is accurate. Once the validation process is complete, you can verify the identity of the individual trying to enroll. The verification process is where you link the ID and real-life existence of a person to the one who has provided the evidence.
Each level of risk or IAM level has its own requirements for evidence and verification so the end user can be validated and enroll in the identity system. For example, IAM3 requires all uses to have two types of SUPERIOR evidence, OR one SUPERIOR and one STRONG evidence, OR two STRONG and one FAIR evidence. They must provide the evidence in person or supervised remotely. The evidence is validated and then verified with a strength of SUPERIOR. Once the individual meets all of the requirements to be validated they can enroll in the identity system.
Jonathan Castelli says
Correction to third paragraph:
Each level of risk or IAL*
Cami Chen says
There are several septs that provide proofing for digital identity, including resolution, validation, and verification. First, the companies can get the applicant’s PII and different forms of identity documents through Credential Service Providers (CSP). The applicant can fill in the personal information and submit the driver’s license on the company’s website. After this, the CSP will review the applicant’s information by checking the documents’ code and ID’s number. Once the applicant’s information and the documents are matched, the company will receive a confirmation by providing the enrollment code to the CSP. In order to assure the authentication, CSP helps many companies authenticate the applicant’s information and reduce some potential risks, such as a lawsuit of hiring unauthorized employees, and conduct risk management as the assessments of privacy and security.
Heather Ergler says
I found the information on the CSP interesting as well including the types of documentation a CSP can use to verify identities. CSPs are specifically prohibited from using social security numbers to verify an identity unless there is no other alternative verification method.
Krish Damany says
The key takeaway from this document is that IAL1 is the least secure identification method for assurance levels. IAL2 seems like a good middle ground for making sure users are who they are, while also providing necessary information for CSPs to help verify. IAL2 requires at least one piece of strong evidence for validation, that verification has to be of “strong” strength, a code will be sent to an address of choice for enrollment, optional biometric authentication, and moderate baseline SP 800-53. Of course, this is only secure if the user only gives baseline information to the CSP to verify, as giving too much information could compromise your account.
Mei X Wang says
The key takeaway from the guideline is the identity assurance levels, the assurance of the subscriber’s identity is either IAL1, IAL2, or IAL3.
In IAL1, the is no requirement for the applicant to be linked to a specific real-life identity. The attributes used are self-asserted or used as self-asserted and are working in conjunction with the subject’s activities. These attributes are neither validated nor verified, making it the weakest identification method.
In AL2, the subject has evidence to support the real-world existence of the identity, it also verifies that the applicant is appropriately associated with this identity. It forces there to be a form of a remote of physically present proof of identity.
In IAL3, it is the most secure form of authentication and only provides the specific attribute requested by the authenticator. For example, if an attribute needed is birthdate, the subscriber only needs to provide their birthday. It is the highest form of assurance so the user can maintain an IAL3 identity and use it for IAL2 and IAL1 transactions.
Vanessa Marin says
An interesting take away of this publication is that not all validation needs or is even desired to give full information on the entities engaging in an internet transaction. The examples given are use cases where anonymity or pseudonymity are required while there are others that require a reliable establishment of real-life subjects. Such real-life confirmations are required in financial transactions or in health care. However, transactions like census taking then only a simple zip code will suffice. This highlights the criticality of choosing the right Identity Assurance Level — IAL1 (no requirement for real-life identification), IAL2 (association with a real-world identity) and IAL3 (Physical confirmation of identity)
Anthony Messina says
This paper went deeper into identity resolution validation and resolution. Section 4 of the paper describes what is needed for the 3 IAL (identify assurance levels). IAL1 requires no evidence and will not validate or verify attributes. IAL2 requires 1 piece of SUPERIOR evidence, or two pieces of STRONG evidence, or one piece of STRONG evidence plus two pieces of FAIR evidence. IAL3 requires two pieces of SUPERIOR evidence, or one piece of SUPERIOR and one piece of STRONG evidence if the issuing source of the STRONG evidence, during its identity proofing event, confirmed the claimed identity by collecting two or more forms of SUPERIOR or STRONG evidence and the CSP validates the evidence directly with the issuing source.
Some factors that rank Superior evidence are:
The issuing source of the evidence confirmed the claimed identity by following written procedures designed to enable it to have high confidence that the source knows the real-life identity of the subject. Such procedures are subject to recurring oversight by regulatory or publicly accountable institutions.
The issuing source visually identified the applicant and performed further checks to confirm the existence of that person.
The issuing process for the evidence ensured that it was delivered into the possession of the person to whom it relates.
Factors for Strong evidence are:
The issuing process for the evidence ensured that it was delivered into the possession of the subject to whom it relates.
The issued evidence contains at least one reference number that uniquely identifies the person to whom it relates.
The full name on the issued evidence must be the name that the person was officially known by at the time of issuance. Not permitted are pseudonyms, aliases, an initial for surname, or initials for all given names.
Fair evidence would be classified as:
The issuing source of the evidence confirmed the claimed identity through an identity proofing process.
The issuing process for the evidence means that it can reasonably be assumed to have been delivered into the possession of the person to whom it relates.
The issued evidence is unexpired.
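The evidence-combination rules Anthony quotes for IAL2 and IAL3 are easy to get wrong when the IAL3 alternative path (one SUPERIOR plus one STRONG) has its own side conditions, so here is an added example, my own Python and not code from the guideline or from any poster, that encodes exactly those combination rules as a policy check. The document types and the strengths assigned to them are constructed sample data for illustration, not the guideline's own classification, and the `issuer_proofing_pieces` and `validated_with_issuer` fields are my modelling of the two conditions attached to the IAL3 alternative path. It evaluates only the strength combinations quoted in the post, not the rest of the proofing process.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List


class Strength(Enum):
    """Evidence strength categories named in the post (SP 800-63A section 4)."""
    SUPERIOR = "SUPERIOR"
    STRONG = "STRONG"
    FAIR = "FAIR"


@dataclass(frozen=True)
class Evidence:
    """One piece of identity evidence as the CSP has assessed it.

    issuer_proofing_pieces: how many SUPERIOR or STRONG pieces the issuing source
        collected when it proofed the subject (only matters for the IAL3
        alternative path); 0 means unknown or not applicable.
    validated_with_issuer: True if the CSP validated this piece directly with the
        issuing source (also required on the IAL3 alternative path).
    Both fields are my modelling assumption, not guideline terminology.
    """
    label: str
    strength: Strength
    issuer_proofing_pieces: int = 0
    validated_with_issuer: bool = False


def _count(evidence: Iterable[Evidence], strength: Strength) -> int:
    return sum(1 for e in evidence if e.strength is strength)


def meets_ial2(evidence: List[Evidence]) -> bool:
    """IAL2: one SUPERIOR, or two STRONG, or one STRONG plus two FAIR."""
    superior = _count(evidence, Strength.SUPERIOR)
    strong = _count(evidence, Strength.STRONG)
    fair = _count(evidence, Strength.FAIR)
    return superior >= 1 or strong >= 2 or (strong >= 1 and fair >= 2)


def meets_ial3(evidence: List[Evidence]) -> bool:
    """IAL3: two SUPERIOR, or one SUPERIOR plus one STRONG whose issuing source
    collected two or more SUPERIOR/STRONG pieces and which the CSP validated
    directly with that issuing source."""
    superior = _count(evidence, Strength.SUPERIOR)
    if superior >= 2:
        return True
    if superior < 1:
        return False
    qualifying_strong = [
        e for e in evidence
        if e.strength is Strength.STRONG
        and e.issuer_proofing_pieces >= 2
        and e.validated_with_issuer
    ]
    return len(qualifying_strong) >= 1


def highest_ial(evidence: List[Evidence]) -> int:
    """Highest IAL the strength combination supports; IAL1 needs no evidence."""
    if meets_ial3(evidence):
        return 3
    if meets_ial2(evidence):
        return 2
    return 1


# Constructed sample evidence (strength assignments are illustrative only).
PASSPORT = Evidence("passport", Strength.SUPERIOR)
NATIONAL_ID = Evidence("national ID card", Strength.SUPERIOR)
LICENSE_UNVALIDATED = Evidence("driver's license", Strength.STRONG)
LICENSE_VALIDATED = Evidence("driver's license", Strength.STRONG,
                             issuer_proofing_pieces=2, validated_with_issuer=True)
UTILITY_BILL = Evidence("utility bill", Strength.FAIR)
BANK_STATEMENT = Evidence("bank statement", Strength.FAIR)

if __name__ == "__main__":
    cases = {
        "passport only": [PASSPORT],
        "passport + national ID": [PASSPORT, NATIONAL_ID],
        "passport + unvalidated license": [PASSPORT, LICENSE_UNVALIDATED],
        "passport + validated license": [PASSPORT, LICENSE_VALIDATED],
        "license + one bill": [LICENSE_UNVALIDATED, UTILITY_BILL],
        "license + two bills": [LICENSE_UNVALIDATED, UTILITY_BILL, BANK_STATEMENT],
    }
    for name, ev in cases.items():
        print(f"{name:32s} -> IAL{highest_ial(ev)}")
```

The check counts strengths literally, as the post states them; it does not assume a stronger piece may stand in for a weaker one, so a STRONG-plus-one-FAIR set stays at IAL1 until a second FAIR (or a second STRONG) arrives. The two side conditions on the IAL3 alternative path are what most implementations forget: a SUPERIOR plus an ordinary STRONG is still only IAL2.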
Cami Chen says
Hi, Anthony. Good point on the proofing factor for strong evidence. The unique reference number can help people identify whether the person is related to the true identity or not. In doing this, the organization will recognize the person’s official name, aliases, race, sex, and nationality. This can reduce the risk of hiring unauthorized employees.
Heather Ergler says
I followed the theme from 800-63-3 into this reading, paying particular attention to the privacy details that the Credential Service Provider (CSP) is required to complete to ensure personally identifying information risk is minimized. The CSP is not permitted to collect a Social Security number unless needed to resolve identity confirmation. Other forms of identification are required. Section 4.2 requirements 7 and 10 require the CSP to risk-assess privacy by evaluating the verification steps it takes to determine identity, to ensure that a problem is not created for the applicant and that the request is not invasive or does not result in unauthorized access to information. The CSP also needs to include in the risk assessment a justification for any response it takes to identified privacy risks.
Jonathan Castelli says
Thanks for mentioning this. The SSN not being permitted to be collected is a good thing they put in there. It should be given out as infrequently as possible to help prevent identity theft, even though they are there to prove the person's identity. Giving out an SSN should always be a last resort.
Zhen Li says
The key points that I took away from this reading are the three different identity assurance levels.
Identity Assurance Level 1 is normative. The CSP MAY request zero or more self-asserted attributes from the applicant to support their service offering. An IAL2 or IAL3 CSP SHOULD support RPs that only require IAL1, if the user consents.
Identity Assurance Level 2 is normative. IAL2 allows for remote or in-person identity proofing. IAL2 supports a wide range of acceptable identity proofing techniques in order to increase user adoption, decrease false negatives (legitimate applicants that cannot successfully complete identity proofing), and detect to the best extent possible the presentation of fraudulent identities by a malicious applicant.
Identity Assurance Level 3: IAL3 adds additional rigor to the steps required at IAL2, to include providing further evidence of superior strength, and is subject to additional and specific processes (including the use of biometrics) to further protect the identity and RP from impersonation, fraud, or other significantly harmful damages. Biometrics are used to detect fraudulent enrollments, duplicate enrollments, and as a mechanism to re-establish binding to a credential. In addition, identity proofing at IAL3 is performed in person.
Wenyao Ma says
The key point I learned from NIST SP 800-63A, the Digital Identity Guide, is that the main purpose of registration and identity proof availability is to promote a smooth, positive registration process and enrollment friction for users by minimizing user burden. Therefore, this means that organizations need to familiarize their users to understand their needs and promote a positive user experience throughout the process. The registration and identification process should be designed and implemented to make it easy for users to do the right thing, hard to do the wrong thing, and easy to recover when something wrong happens.
Austin Mecca says
IAL2 stood out from this reading for me because it is directly related to operations I perform on a daily basis at work. The section goes through in thorough detail how authentication codes can be sent out, how long they are valid for and whether they are sent to a postal address or telephone service. In the investing industry we deal with so much PII that verification becomes second nature when it has to be done for every client, but the firm reassures that we keep our focus on it because, like we mention often, it is usually a human error, not a computer process, that opens a vulnerability in the security.
Anthony Wong says
Identity proofing is the process of verifying a digital identity and establishing a connection to the real-life identity of the subject. To do this, identity evidence must be collected to determine the authenticity, validity, and accuracy of the digital identity to the real-life identity. Identity evidence can include information such as first name, last name, or date of birth. However, in order to be effective, the process should attempt to use the fewest attributes possible and should only use a Social Security Number if absolutely necessary. The publication states the validation process consists of three main steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
Kyuande Johnson says
Identity resolution is a data management process through which an identity is searched and analyzed between disparate data sets and databases to find a match and/or resolve identities. Identity resolution enables an organization to analyze a particular individual’s or entity’s identity based on its available data records and attributes. The most appropriate identity evidence is a driver's license or a passport. These documents determine its authenticity, validity, and accuracy. Identity validation is made up of three process steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid.