Megan Hall says
This reading provided an overview of the outcomes of Identity Proofing, which include resolving an identity to a single, unique identity within a given population, validating that the evidence collected is correct and genuine, validating that the claimed identity exists in the real world, and verifying that the claimed identity is associated with the real person supplying the evidence. Three key elements of resolution, validation, and verification were introduced, and the three different levels of Identity Assurance were explained with a description of what levels of resolution, validation, and verification would be associated with each. One of the key standouts to me was the level of detail described in the Usability Considerations section. There was a lot of detail and forethought put into the considerations of users as they go through all stages of the Enrollment and Identity Proofing process.
Nicholas Fabrizio says
In this document the different levels of assurance for identity proofing are discussed. These levels range from 1 to 3: at level 1 there is no requirement to determine the subject’s real-life identity; at level 2 the subject’s identity must be identified and associated with a real identity, but this can be done through either remote or physically-present identity proofing; and level 3 requires physical presence and must be verified by an authorized CSP. A CSP has quality requirements for the identifying information it collects, which include: unacceptable, fair, strong, and superior.
Christa Giordano says
A recurring theme discussed in this guidance is the importance of collecting only the minimum amount of Personally Identifiable Information (PII) needed to properly authenticate an individual based on the level of authentication required. There is a fine line between collecting the required information in order to authenticate someone, especially considering some of the regulations in place such as the Know Your Customer (KYC) requirements that resulted from the Patriot Act. Section 8 covers the Data Privacy requirements and considerations when determining the type of documentation or evidence needed for identity proofing and expands on the privacy requirement noted in the General Requirements section, specifically noting that the “collection of PII SHALL be limited to the minimum necessary to validate the existence of the claimed identity and associate the claimed identity with the applicant providing identity evidence for appropriate identity resolution, validation, and verification”. In addition, the guidance also discusses the requirements for collecting information used for purposes other than identity proofing. One case in which this could happen is in order to comply with regulations. If data is going to be used in this manner, it is imperative that appropriate disclosures be provided to the applicant. If the need for collecting additional information is not appropriately disclosed and the information adequately safeguarded, the organization can lose the applicant’s trust, which can be hard to recover. By employing data minimization techniques, the amount of PII vulnerable to a breach is reduced, which encourages trust in the identity proofing process.
Mitchell Dulaney says
Based on the reading, it is important to understand the privacy considerations of identity enrollment and proofing. A major part of this is minimizing the collection of data so that only information necessary for proofing is requested and stored. As information privacy concerns have grown over the last decade, if an individual perceives that unnecessary data is being collected, it can diminish users’ trust in the system being used. Additionally, in the case of a breach, the less user data that is compromised, the smaller the impact to both the end user and to the organization (in terms of exposure to legal damages). Finally, collection of social security numbers is only permissible if strictly necessary to perform identity resolution. If there are any other avenues available to the organization, they must avoid collecting SSN data.
Another facet of data privacy is ensuring users are provided notice of the collection of their data, and that collection and retention of their data is only performed with their consent. Similar to the above, these steps minimize legal risk to the organization and confirm that the users are aware of and comfortable with the nature of the data that is being collected.
To-Yin Cheng says
The proofing requirements specify the acceptability, validation, and verification of the identity evidence that the subscriber will provide to support its identity claim. There are three identity assurance levels (IALs) for a subscriber’s identity. IAL1 does not require any link of the applicant to support who you are; only self-assertion is needed. IAL2 requires evidence support for either remote or physically present identity proofing. The credential service provider (CSP) can verify the attributes of relying parties (RPs). Identifying attributes must be verified by an authorized and trained credential service provider (CSP) representative. Also, the identity must be physically present.
Charlie Corrao says
This document builds on NIST SP 800-63-3 and describes Identity Proofing further. The key objective of Identity Proofing is to ensure that the individual who is using the system is who they say they are. But to do this, PII may need to be used. IAL 1 does not require PII and requires no evidence or validation. IAL 2 does include PII and may be done in person or remotely. IAL 2 may even include biometric information. IAL 3 is similar to IAL 2 but requires 2 pieces of superior evidence. It is also acceptable to have one piece of superior evidence and a piece of strong evidence, or 2 pieces of strong evidence and one piece of fair evidence. It also requires a verification strength of superior. Biometrics are also required in IAL 3, as opposed to optional in IAL 2. This document also outlines some of the requirements for collecting evidence. For example, it outlines the requirements for in-person vs. remote proofing.
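The evidence-strength scale named in Nicholas’s comment (unacceptable, fair, strong, superior) and the IAL3 evidence combinations Charlie lists above are easier to reason about as a decision rule than as prose. The following is an added example, not code from the thread or from NIST, that encodes those combinations as a checker. The IAL2 combinations (one SUPERIOR or STRONG piece validated with an issuing source that performed proofing, or two STRONG pieces, or one STRONG plus two FAIR) and the issuing-source caveat on the SUPERIOR+STRONG route at IAL3 are taken from my reading of SP 800-63A Sections 4.4 and 4.5 and should be checked against the edition you follow. Treating a SUPERIOR piece as satisfying a STRONG slot is my assumption; the `Evidence`, `Strength` and `highest_ial` names and the sample document strengths are constructed for illustration and are not ratings of real documents.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Strength(IntEnum):
    """Evidence strength scale used by SP 800-63A (hypothetical enum name)."""
    UNACCEPTABLE = 0
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass(frozen=True)
class Evidence:
    label: str
    strength: Strength
    # True when the issuing source itself performed identity proofing and the
    # CSP validated the evidence with that source. The standard lets a single
    # such SUPERIOR/STRONG piece carry more weight than an unvalidated one.
    issuer_proofed: bool = False


def _usable(evidence: Iterable[Evidence]) -> list[Evidence]:
    # WEAK and UNACCEPTABLE evidence never counts toward IAL2/IAL3 combinations.
    return [e for e in evidence if e.strength >= Strength.FAIR]


def meets_ial2(evidence: Iterable[Evidence]) -> bool:
    ev = _usable(evidence)
    c = Counter(e.strength for e in ev)
    strong_plus = c[Strength.STRONG] + c[Strength.SUPERIOR]  # assumption: SUPERIOR fills a STRONG slot
    # (a) one SUPERIOR or STRONG piece whose issuing source did the proofing
    if any(e.strength >= Strength.STRONG and e.issuer_proofed for e in ev):
        return True
    # (b) two STRONG pieces
    if strong_plus >= 2:
        return True
    # (c) one STRONG piece plus two FAIR pieces
    return strong_plus >= 1 and c[Strength.FAIR] >= 2


def meets_ial3(evidence: Iterable[Evidence]) -> bool:
    ev = _usable(evidence)
    c = Counter(e.strength for e in ev)
    strong_plus = c[Strength.STRONG] + c[Strength.SUPERIOR]
    # (a) two SUPERIOR pieces
    if c[Strength.SUPERIOR] >= 2:
        return True
    # (b) one SUPERIOR piece plus one STRONG piece validated with an issuing
    #     source that performed proofing (the caveat the standard attaches)
    if c[Strength.SUPERIOR] >= 1 and any(
        e.strength == Strength.STRONG and e.issuer_proofed for e in ev
    ):
        return True
    # (c) two STRONG pieces plus one FAIR piece
    return strong_plus >= 2 and c[Strength.FAIR] >= 1


def highest_ial(evidence: Iterable[Evidence]) -> int:
    """Highest IAL the supplied evidence set can support; 1 means self-asserted only."""
    if meets_ial3(evidence):
        return 3
    if meets_ial2(evidence):
        return 2
    return 1


if __name__ == "__main__":
    # Constructed sample; the strengths are illustrative, not a rating of real documents.
    applicant = [
        Evidence("passport", Strength.SUPERIOR),
        Evidence("drivers_license", Strength.STRONG, issuer_proofed=True),
    ]
    print("highest IAL supported:", highest_ial(applicant))
```

Note that the evidence combination is only the first gate: the standard also requires verification strength and, at IAL3, in-person presence and a biometric, none of which this checker models. The `issuer_proofed` flag is the part most often skipped in practice, and dropping it silently turns a single driver’s license into IAL2-grade evidence.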
Jonathan Mettus says
I think the different quality of verification needed for each level is interesting. In my experience, for most financial applications, you need to provide some PII and then a photo of your license or passport. When I wanted to get my Real ID from the DMV, I needed to supply my social security card, birth certificate, and current ID.
Jonathan Mettus says
With identity proofing during enrollment, you’re trying to ensure the applicant is who they claim to be to a stated level of certitude. This seems to me like one of the most crucial aspects of access control, because if you give an account to someone who is not who they claim to be, they can take advantage of that and circumvent other controls. For instance, when people get their identities stolen, bad actors will often open up bank accounts and take out loans because the attackers can now pass the IAL2 proofing if they have your SSN or other personal information. I found the concept of collecting the minimum amount of PII necessary to be interesting. It’s something that is always mentioned, but I did not think that would be a focus in collecting evidence for identity verification.
Lakshmi Surujnauth says
An interesting takeaway from this reading is the identity proofing and enrollment process. This is a three-part process that includes resolution, validation, and verification. The CSP first collects PII of the applicant; this is then validated by checking an authorized source to ensure that information supplied matches their records and finally the CSP matches photo provided by the applicant to documents such as licenses, passport, etc. Once all of the above are authenticated by the CSP, the applicant is considered to have been successfully proofed.
Michael Doherty says
Lakshmi,
I think you have summarized the 3-step process very well. You are correct that authentication of the PII by the CSP would result in successful proofing and enrollment.
Christopher Clayton says
This guideline has requirements to validate that the applicant is who they say they are. There are 3 Identity Assurance Levels (IALs) that describe this as identity proofing. Based on the risk level (from low to high): IAL1 (not required to link the applicant to a certain real-life identity); IAL2 (physical presence for identity proofing is introduced); and IAL3 (physical presence is mandatory).
Elias Harake says
Hi Christopher. Thank you for bringing up the point of the overall purpose of NIST SP 800-63A – Digital Identity Guidelines: Enrollment and Identity Proofing. I would like to add that the guideline also provides a method of assurance in a subscriber’s identity by using one of three IALs (IAL1, IAL2, and IAL3). As you may have read, IAL3 is the most secure level in proofing and identifying attributes since it must be verified by an authorized CSP professional within the organization.
Xiduo Liu says
NIST SP 800-63A lists a number of requirements that apply to any Credential Service Provider (CSP) at Identity Assurance Level (IAL) 2 or 3. Those requirements cover information acquisition, the use and misuse of the data, and ultimately data retention and deletion.
Wei Liu says
This document provides requirements for enrollment and identity proofing of applicants that wish to gain access to resources at each Identity Assurance Level (IAL). There are three assurance levels, from the lowest, IAL1 – no requirement to link the applicant to a specific real-life identity, to the highest, IAL3 – physical presence is required for identity proofing and must be verified by an authorized. This document also details the responsibilities of Credential Service Providers (CSPs) with respect to establishing and maintaining enrollment records. There are two general categories of threats to the enrollment process: impersonation attacks and threats to the transport mechanisms for identity proofing, authenticator binding, and credential issuance. However, enrollment threats can be deterred by making impersonation more difficult to accomplish or by increasing the likelihood of detection.
Quynh Nguyen says
The key takeaway was learning about the proofing process and how it has 3 parts. Resolution is when the CSP collects PII from the applicant; this includes address, DOB, name, email, phone number and 2 forms of government-issued ID (driver’s license, passport, identification card). Validation is the next step: checking an authoritative source to make sure the information matches the records, and checking the image of the license and passport to make sure there are no alterations or discrepancies. The last step is verification: the CSP will ask the applicant for a photo to match the license and passport, and sends an enrollment code to the validated phone number.
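The enrollment code Quynh mentions at the end of the verification step is the one piece of this process that is pure mechanism, and it is easy to get wrong. What follows is an added example, not code from the thread or from NIST, of how a CSP back end might issue and confirm such a code. The per-channel validity limits (10 days for a US postal address, 30 days for a non-US postal address, 10 minutes for a validated phone number, 24 hours for a validated email) and the "minimally 6 random digits" format are taken from my reading of SP 800-63A Section 4.6 and are an assumption to check against the edition you follow. The `EnrollmentCodeService` class, its `issue` and `confirm` methods and the attempt budget are hypothetical names and policy choices of mine; the standard’s own rule that the code must never be reused as an authentication factor is enforced here only by marking it single-use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Maximum validity per delivery channel. Values follow SP 800-63A Section 4.6
# as I read it (an assumption to check against the edition you follow).
CODE_VALIDITY_SECONDS = {
    "postal_us": 10 * 24 * 3600,    # postal address of record, contiguous US
    "postal_intl": 30 * 24 * 3600,  # postal address of record, elsewhere
    "phone": 10 * 60,               # validated telephone number (SMS or voice)
    "email": 24 * 3600,             # validated email address
}


@dataclass
class CodeRecord:
    channel: str
    code_mac: bytes      # keyed hash of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class EnrollmentCodeService:
    """Issues and confirms single-use enrollment codes (hypothetical class)."""

    def __init__(self, clock: Callable[[], float] = time.time, max_attempts: int = 5):
        self._clock = clock                      # injectable so expiry can be tested
        self._max_attempts = max_attempts
        self._key = secrets.token_bytes(32)      # per-deployment MAC key; keep it out of the DB
        self._records: Dict[str, CodeRecord] = {}

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, applicant_id: str, channel: str) -> str:
        """Create a fresh code for the applicant and return it for out-of-band delivery."""
        ttl = CODE_VALIDITY_SECONDS[channel]         # KeyError on an unknown channel is intended
        code = f"{secrets.randbelow(10**6):06d}"     # minimally 6 random digits, CSPRNG-backed
        self._records[applicant_id] = CodeRecord(   # re-issuing invalidates any earlier code
            channel=channel,
            code_mac=self._mac(code),
            expires_at=self._clock() + ttl,
        )
        return code

    def confirm(self, applicant_id: str, submitted: str) -> bool:
        """Accept the code once, before expiry, within the attempt budget."""
        rec = self._records.get(applicant_id)
        if rec is None or rec.used:
            return False
        if self._clock() > rec.expires_at:
            del self._records[applicant_id]
            return False
        rec.attempts += 1
        if rec.attempts > self._max_attempts:        # 10^6 code space: guessing must be throttled
            del self._records[applicant_id]
            return False
        if not hmac.compare_digest(self._mac(submitted), rec.code_mac):
            return False                             # constant-time compare, no early exit on prefix
        rec.used = True                              # single use: the code is not an authenticator
        return True


if __name__ == "__main__":
    svc = EnrollmentCodeService()
    code = svc.issue("applicant-42", "phone")
    print("deliver out of band:", code)
    print("confirmed:", svc.confirm("applicant-42", code))
    print("replay accepted:", svc.confirm("applicant-42", code))
```

The two properties worth checking in any real implementation are the ones the tests below exercise: a code that has expired or been used once is dead even if it is otherwise correct, and a bounded number of wrong guesses kills the record rather than leaving a six-digit space open to enumeration. Storing only a keyed hash means a database dump does not hand an attacker every outstanding code.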
Elias Harake says
An important takeaway that interested me from NIST SP 800-63A – Digital Identity Guidelines: Enrollment and Identity Proofing, was that assurance in a subscriber’s identity is described using one of three IALs. The three levels are described as:
IAL1 – There is no requirement to link the applicant to a specific real-life identity. Any attribute is self-asserted.
IAL2 – Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
IAL3 – Physical presence is required for identity proofing and identifying attributes must be verified by an authorized and trained CSP professional.
According to the guidelines, IAL3 is the most secure level in proofing and identifying attributes since it must be verified by an authorized CSP professional.
Panayiotis Laskaridis says
Identity proofing can be very risky to the human user if this information is being stored on a database that could be exploited. This is the process that connects the information with the real human being behind the web browser. Depending on what the system is trying to accomplish, going through this verification process can be unnecessary. For example, social media sites don’t need to verify that you are actually who you say you are, just that you are a human. When it comes to financial transactions and healthcare information, then it becomes much more important to verify that you are who you say you are. A “real-life” example of this is when you go to the doctor’s office and they ask you to confirm your full name and date of birth. Although you are physically present and the doctor might have known you for years, it is still necessary to ask those questions to confirm your identity.
Michael Doherty says
PII should be gathered with care. Working for a government entity, we have to spend a lot of time redacting PII for open records requests. The question remains: how much information should be collected, what is required, why is it required, and how long must you maintain PII? The longer it is kept, the longer the information is at risk. PII policies may be helpful to answer some of these questions.
Ashleigh Williams says
The portion on the process flow of identity proofing and enrollment particularly stood out to me. The process flow is a three-step process. Step 1 is resolution, where core attributes and evidence are collected. Step 2 is validation, where the evidence is validated for accuracy. Lastly, step 3 is the verification step, where the evidence is verified. One thing to note here is that the process can be delivered by multiple service providers, and a single organization is not expected to fulfill each step of the process.