Mohammed Syed says
The digital identity guidelines specify the technical requirements for federal agencies to implement a digital identity service, focusing on the digital authentication process of enrollment and the verification of identity proofing for digital authorization. In it, the applicant presents evidence to a credential service provider (CSP). The technical requirements are clearly defined based on the three identity assurance levels IAL1, IAL2, and IAL3. If the applicant wants to get access to resources at an Identity Assurance Level, then they need to provide proof of identity for enrollment, also known as the document of responsibility of the credential service. It provides and maintains enrollment records and binds authenticators to records of enrollment.
Digital identity shows the pattern of applicant proofing, the identity, and the enrollment process, where an individual’s identity, evidence, and attributes are collected. The applicant goes through the identity proofing process of Resolution (PII: name, address, email, DOB), Validation (validate the license, passport, QR code), and Verification (match the applicant’s photo with documentation, OTP, match documentation). Once all the steps are completed, the applicant has been successfully proofed. This is one of the toughest and best methods for the identity proofing process; however, the digital identity risk factor is expected in the traditional process as compared with the growth and challenges of digitalization.
Yangyuan Lin says
NIST SP 800-63A is a guide to registration and identification requirements for applicants for Identity Assurance Level (IAL) resource access, and is designed to describe in detail the acceptability and verification of proof of identity. This document provides registration and identification requirements for applicants wishing to gain access to each Identity Assurance Level (IAL) resource. These requirements detail the acceptability, verification and validation of the proof of identity that will be provided by subscribers to support their identity claims. This document also details the responsibilities of Credential Service Providers (CSPs) in establishing and maintaining registration records and binding authenticators to registration records. IAL is divided into three different levels:
IAL 1: No need to map purported identities to real people; it only ensures users have purported identities. Like Facebook, you don’t need to provide identification to complete user registration.
IAL 2: Users need to prove their identity, and biometric information such as facial scans or fingerprints needs to be collected. Examples include government accounts associated with social security numbers, etc.
IAL 3: The most stringent identity verification, which requires you to complete the identity verification in person on site. For example, to take the test for a driver’s license at the DMV, you must go to the site in person to handle it.
Oluwaseun Soyomokun says
NIST SP 800-63A emphasizes the different identity assurance levels used to support access control authentication. It provides requirements for enrollment and identity proofing of applicants that wish to gain access to resources at each Identity Assurance Level (IAL), and for the acceptability, validation, and verification of identity evidence that will be presented by a subscriber to support their claim of identity. This reading also details the responsibilities of Credential Service Providers (CSPs) with respect to establishing and maintaining enrollment records and binding authenticators (either CSP-issued or subscriber-provided) to the enrollment record.
The purpose is to verify the identity of the person enrolling in the system by collecting uniquely known attributes such as the person’s PII.
Identifying attributes must be verified by an authorized and trained CSP representative who ensures the elements collected for resolution, validation and verification are a match, as explained in the NIST SP 800-63-3A guideline.
Elizabeth Gutierrez says
In this reading we looked at the amount of Personally Identifiable Information (PII) needed to properly authenticate an individual based on the level of authentication required. What I took away from this is that data minimization techniques should be employed; that is, minimizing the collection of data so that only information necessary for proofing is requested and stored. By doing so, the amount of PII vulnerable to a breach is reduced, so that in the event that user data is compromised, it would have a smaller impact on both the end user and the organization. Additionally, it encourages trust in the identity proofing process.
Corey Arana says
NIST SP 800-63A speaks about identity assurance level requirements, identity resolution, validation and verification, and about privacy considerations. The one key point I enjoyed learning about was the 4.1 process flow, the basic flow for identity proofing and enrollment. It starts with a road map of sorts that begins with an applicant and goes into resolution, where core attributes and evidence are collected and an individual is uniquely distinguished among a given population or context. This leads into step 2, validation, which authenticates and validates the accuracy of the identifying information determined for a real-life subject. Lastly it goes into step 3, verification: with the evidence verified, the linkage between the claimed identity and the real-life existence of the subject presenting the evidence is confirmed and established, with the end of the journey being the subscriber.
Yangyuan Lin says
Hi Corey,
Identity resolution will verify identity information by comparing different data. The three steps of identity verification include collecting identity evidence, confirming the reliability of the identity evidence, and confirming that the data in the identity evidence is valid.
Shubham Patil says
Enrollment and Identity Proofing is increasingly gaining in importance as we see digital transformation of organizations and business models across the board resulting in an explosion of digital services. With this explosion, we’re also starting to see more impersonation and fraud in the consumption of those digital services. NIST 800-63A addresses how applicants can prove their identities and become enrolled as valid subscribers within an identity system. It provides requirements by which applicants can identity proof and enroll at one of three different levels of risk mitigation in both remote and physically-present scenarios.
Michael Duffy says
It’s interesting to see how companies have implemented identity verification. Some social media apps require real-time photography before the account is created to prevent bots from infiltrating the social space. Especially as it becomes more possible to interact remotely with organizations, identity proofing is likely going to become more hardened in the future.
Matthew Bryan says
NIST SP 800-63A discusses how users can prove their identities and become enrolled as valid subjects within an identity system. It provides requirements for processes by which applicants can provide and enroll in a system at different levels of risk mitigation.
I found section 7.1 (pages 25-27) interesting as it details threat mitigation strategies to deter enrollment threats, e.g. falsified identity evidence, the fraudulent use of another identity, and enrollment repudiation. The mitigation strategies cover different validation and verification strategies to confirm the integrity of the evidence as it relates to the claimant. These strategies ensure the integrity of the process in addition to providing nonrepudiation. The mitigation strategies build on one another and help establish a chain of trust. For example, the CSP can validate a claimant’s utility account information on a bill with the provider, and then use this to help confirm the integrity of a government-issued ID with a matching address.
Ryan Trapp says
Section 7 of this document, which outlines threats and security considerations, is informative regarding enrollment and identity proofing. Although there are two main threats to the enrollment process (impersonation and compromise), the section focuses on impersonation threats. The two main ways that impersonation threats can be mitigated are either making impersonation more difficult or increasing the likelihood of detection. The table below this section shows the different impersonation threats and the mitigation strategies for each. My takeaway after reading through the table is that the use of biometrics is a great way to make impersonation more difficult. Associating someone’s digital identity with a unique identifier that is very challenging to replicate (such as a fingerprint or retina scan) can also help to ensure non-repudiation.
Jason Burwell says
Hello Ryan,
I agree biometrics does make impersonation more difficult as it requires a part of someone
Ornella Rhyne says
This document talks about identity proofing of individuals. It describes the common pattern in which a collection of identity information about a single individual within a given population is needed to identify, verify and authenticate whether that information is correct. The sole objective of identity proofing is to ensure the applicant “is who they claim to be to a stated level of certitude”. There are 3 steps to check if the information is correct: resolution, validation and verification.
The Resolution phase is to collect PII from the applicant, such as name, address, date of birth and phone number.
The Validation phase determines if the information collected in the resolution phase matches. They can check an image of a passport, a driver’s license, or QR codes.
The Verification phase asks the applicant for a photo to match to the license and passport.
I like how detailed the process is to verify individuals’ information and make sure the minimum security requirements are applied.
Alexander William Knoll says
NIST SP 800-63A provides a list of requirements for enrollment/identity proofing of those who wish to gain access to resources at each IAL in regards to acceptability, validation, & verification. The diagram under section 4.1 does a good job of summarizing the process flow. It depicts the applicant on a racetrack where they go through three phases – resolution, validation, & verification. During resolution, attributes/evidence on the applicant are collected, which will result in the applicant being individually identified. Next, the evidence is validated, meaning the authenticity, validity, & accuracy of the information is determined/related to the application. Finally, during verification, the evidence is verified, meaning the linkage between the claimed identity of the applicant & real-life existence is confirmed & established with regard to the evidence.
Ryan Trapp says
Hi Alexander,
I also found the diagram in 4.1 helpful for understanding the process flow. Having the three phases conceptualized in this manner lays out a clear-cut process and helps establish what the phases are and what happens during each. Also, as pointed out in section 4.1, it is worth noting that this process can be delivered by multiple service providers, and while it is possible that a single organization will fulfill these steps, it is not expected.
Hang Nu Song Nguyen says
NIST 800-63A is a document that provides requirements for enrollment and identity proofing of applicants to gain access to resources at each IAL. These requirements detail the acceptability, verification, and validation of the proof of identity. The document also provides details of the responsibilities of Credential Service Providers (CSPs), entities that issue digital credentials to subjects and register authenticators.
Jason Burwell says
Key section in this reading: 4.
It explains exactly what Identity Proofing is:
Identity proofing’s sole objective is to ensure the applicant is who they claim to be to a stated level of certitude. This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing. There may be many different sets that suffice as the minimum, so CSPs should choose this set to balance privacy and the user’s usability needs, as well as the likely attributes needed in future uses of the digital identity.
Joshua Moses says
The only purpose for identity proofing is to affirm that a person or end user is assuredly who they claim to be. It was interesting to learn about the different types of Identity Assurance Levels. “Assurance in a subscriber’s identity is described using one of three IALs”. In today’s world which is very dependent upon technology, it is not necessarily a hard task for this data to be compromised. This reading gave us a lot of insight on ways to prevent that from happening with due diligence.
Bryan Garrahan says
I found section 7, threats and security considerations, particularly interesting in the reading. The section focuses on impersonation threats, and I think it’s important that organizations ensure that controls around these threats are operating as they should. Perhaps an attacker attempts a brute force attack and locks out a target account after several unsuccessful logins. In this scenario, an organization needs to be able to detect these kinds of attacks, so it’s important to ensure the controls, such as help desk challenge questions, are actually validating a user’s true identity.
Amelia Safirstein says
This document details NIST standards and guidelines for the enrollment and identity verifying steps of setting up digital authentication. I found the section on identity assurance level requirements to be interesting. The identity proofing process includes:
Resolution – CSP collects PII and identity evidence
Validation – the CSP ensures the validity of the information/documents themselves
Verification – the CSP verifies that the information/documents “match” the person/identity that they are verifying
This section then goes on to review specific requirements for each identity assurance level.
Miray Bolukbasi says
The NIST publication explains that once the enrollment is successful and the identity proofed, the claimed identity resolves to a single, unique identity within the users of the CSP’s servers, all supplied evidence validates, the identity is validated as existing in the real world, and it is verified that the real person supplied the identity evidence. Assurance levels require different evidence: IAL1 – no requirement, IAL2 – remote or physical identity proofing, and IAL3 – physical presence required. Typical minimum identity proofing requires full name, DOB, and home address. The average process flow starts with the applicant proofing their identity by providing evidence. Once it is validated, verification is processed, and the applicant becomes a subscriber of the CSP. The steps of these processes include:
– resolution
– validation
– verification
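The resolution, validation and verification phases listed in the last two posts, together with the IAL rules and the data-minimization point raised earlier in the thread, as a runnable toy model. This is an added example, not NIST's text or any CSP's code; the minimum attribute set, the evidence fields, the issuer and photo checks (modelled as pre-computed booleans) and the one-subscriber-per-identity rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date

# Assumed minimum attribute set; the posts above name full name, DOB and home address.
MIN_ATTRIBUTES = ("full_name", "dob", "address")
# IAL rules as the posts summarize them, as (proofing_required, in_person_only):
# IAL1 no proofing, IAL2 remote or in person, IAL3 physical presence required.
IAL_RULES = {1: (False, False), 2: (True, False), 3: (True, True)}

class ProofingError(Exception): pass  # one of the three phases rejected the applicant

@dataclass
class Evidence:
    kind: str               # label only, e.g. "passport"; not a NIST evidence strength
    holder_name: str
    holder_dob: date
    holder_address: str
    expires: date
    issuer_confirmed: bool  # outcome of checking with the issuing source (assumed hook)
    photo_matches: bool     # outcome of comparing applicant to evidence photo (assumed hook)

@dataclass
class Applicant:
    attributes: dict        # everything the applicant supplied, possibly more than needed
    evidence: list
    in_person: bool = False

def resolve(attributes, enrolled):
    """Resolution: keep only the minimum attributes and resolve to one unique identity."""
    if missing := [a for a in MIN_ATTRIBUTES if not attributes.get(a)]:
        raise ProofingError(f"resolution: missing {missing}")
    core = {a: attributes[a] for a in MIN_ATTRIBUTES}  # data minimization: drop the rest
    if any(r["core"] == core for r in enrolled):  # assumed rule: one subscriber per identity
        raise ProofingError("resolution: identity already enrolled")
    return core

def validate(core, evidence, today):
    """Validation: every piece of evidence is genuine, unexpired and matches the core."""
    for ev in evidence:
        if not ev.issuer_confirmed:
            raise ProofingError(f"validation: {ev.kind} not confirmed by issuer")
        if ev.expires < today:
            raise ProofingError(f"validation: {ev.kind} expired")
        if (ev.holder_name, ev.holder_dob) != (core["full_name"], core["dob"]):
            raise ProofingError(f"validation: {ev.kind} does not match claimed name/DOB")
    # Chain-of-trust cross-check as in the posts: some evidence must carry the claimed address.
    if not any(ev.holder_address == core["address"] for ev in evidence):
        raise ProofingError("validation: no evidence corroborates the claimed address")

def verify(applicant, ial):
    """Verification: the validated evidence belongs to the person presenting it."""
    if IAL_RULES[ial][1] and not applicant.in_person:
        raise ProofingError(f"verification: IAL{ial} requires physical presence")
    if not any(ev.photo_matches for ev in applicant.evidence):
        raise ProofingError("verification: applicant does not match any evidence photo")

def enroll(applicant, ial, enrolled, today):
    """Run the three phases for the requested IAL; return the record the CSP would store."""
    if not IAL_RULES[ial][0]:
        return {"ial": ial, "core": {}}  # IAL1: self-asserted, no PII retained
    core = resolve(applicant.attributes, enrolled)
    validate(core, applicant.evidence, today)
    verify(applicant, ial)
    # Retain only the minimum attributes and the evidence kinds used, not the evidence itself.
    record = {"ial": ial, "core": core, "evidence_kinds": [ev.kind for ev in applicant.evidence]}
    enrolled.append(record)
    return record

def run_demo():
    """Constructed sample data: one accepted applicant plus one failure per phase."""
    today = date(2024, 6, 1)
    passport = Evidence("passport", "Ada Example", date(1990, 1, 1), "1 Sample St",
                        date(2030, 1, 1), issuer_confirmed=True, photo_matches=True)
    attrs = {"full_name": "Ada Example", "dob": date(1990, 1, 1),
             "address": "1 Sample St", "email": "ada@example.invalid"}  # email is surplus PII
    results = {"ial2_remote": enroll(Applicant(attrs, [passport]), 2, [], today)}
    cases = {
        "ial3_remote": (Applicant(attrs, [passport]), 3),
        "expired": (Applicant(attrs, [replace(passport, expires=date(2020, 1, 1))]), 2),
        "photo_mismatch": (Applicant(attrs, [replace(passport, photo_matches=False)]), 2),
        "missing_address": (Applicant({k: v for k, v in attrs.items() if k != "address"}, [passport]), 2),
    }
    for name, (applicant, ial) in cases.items():
        try:
            enroll(applicant, ial, [], today)
            results[name] = "accepted"
        except ProofingError as exc:
            results[name] = str(exc)
    return results
```

`run_demo()` shows the stored IAL2 record holding only the three minimum attributes (the surplus email is dropped), and one rejection message from each phase, including the IAL3 remote attempt failing on the physical-presence rule.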