These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the enrollment and verification of an identity for use in digital authentication. Central to this is a process known as identity proofing in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identification at a useful identity assurance level. This document defines the technical requirements for each of the three identity assurance levels.
In this document the different levels of assurance for identity proofing are discussed. These levels range from 1 to 3: level 1 being that there is no requirement to determine the subject’s real-life identity; level 2 being that the subject’s identity must be identified and associated with a real identity, but the identity proofing can be either remote or physically present; and level 3, which requires physical presence and must be verified by an authorized CSP. A CSP has quality requirements for the identifying information it collects, which include: unacceptable, fair, strong, and superior.
“Digital Identity Guide Registration and Identification” may be a process or guide on how to perform digital identity registration and identification. Digital identity registration is when a user registers with a trusted authority (such as a Certificate Authority, CA) to obtain a unique digital identity. This identity usually includes a public key certificate and other relevant information used to prove a user’s identity in a network environment.
Proof of identity is a key link in the digital identity registration process, which requires users to provide a series of authentication information to prove their identity. This information may include personally identifiable information, contact details, biometric information (such as fingerprints, iris scans, etc.), etc. Depending on the authentication information, the degree of rigor and security of identification will vary.
The Digital Identity Guidelines Enrollment and Identity Proofing establishes the basic principles of digital identity management and identity authentication, including privacy protection, flexibility, cost-effectiveness and security. The goal is to provide a comprehensive and flexible guidance framework to help organizations establish and implement digital identity enrollment and identity proofing practices that meet their specific needs and circumstances. At the same time, the guidelines provide a reference framework for evaluating and improving existing identity management systems. The guidelines outline a variety of authentication methods, including passwords, multi-factor authentication (MFA), biometrics, tokens, and others. The selection and implementation of these methods should be weighed against specific security requirements, user needs and cost-effectiveness.
An important takeaway that interested me from NIST SP 800-63A – Digital Identity Guidelines Enrollment and Identity Proofing, was that assurance in a subscriber’s identity is described using one of three IALs. The three levels are described as:
IAL1 – There is no requirement to link the applicant to a specific real-life identity. Any attribute is self-asserted.
IAL2 – Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
IAL3 – Physical presence is required for identity proofing and identifying attributes must be verified by an authorized and trained CSP professional.
According to the guidelines, IAL3 is the most secure level in proofing and identifying attributes since it must be verified by an authorized CSP professional.
Through this article, I found that the key point is the importance of collecting only the minimum amount of Personally Identifiable Information (PII) needed to properly authenticate an individual based on the level of authentication required. There is a fine line to walk when collecting the information required to authenticate someone, especially considering some of the regulations in place such as the Know Your Customer (KYC) requirements that resulted from the Patriot Act. Section 8 covers the Data Privacy requirements and considerations when determining the type of documentation or evidence needed for identity proofing and expands on the privacy requirement noted in the General Requirements section, specifically noting that the “collection of PII SHALL be limited to the minimum necessary to validate the existence of the claimed identity and associate the claimed identity with the applicant providing identity evidence for appropriate identity resolution, validation, and verification”. In addition, the guidance also discusses the requirements for collecting information used for purposes other than identity proofing. One case in which this could happen is in order to comply with regulations. If data is going to be used in this manner, it is imperative that appropriate disclosures be provided to the applicant. If the need for collecting additional information is not appropriately disclosed and the information adequately safeguarded, the organization can lose the applicant’s trust, which can be hard to recover. By employing data minimization techniques, the amount of PII vulnerable to a breach is reduced, which encourages trust in the identity proofing process.
Collection of social security numbers is only permissible if strictly necessary to perform identity resolution. If there are any other avenues available to the organization, they must avoid collecting SSN data. Another facet of data privacy is ensuring users are provided notice of the collection of their data, and that collection and retention of their data is only performed with their consent. Similar to above, these steps minimize legal risk to the organization and confirm that the users are aware of and comfortable with the nature of the data that is being collected.
These guidelines provide technical requirements for federal agencies implementing digital identity services, focusing on the enrollment and verification of identities for use in digital authentication. Central to this is the process of identity proofing, where applicants must provide reliable evidence of their identity to a credential service provider (CSP), enabling the CSP to confidently assert that identification at an appropriate assurance level. This document defines the technical requirements for each of the three identity assurance levels.
The guidelines also establish the fundamental principles of digital identity management and authentication, prioritizing privacy protection, flexibility, cost-effectiveness, and security. Their objective is to offer a comprehensive and adaptable framework to assist organizations in establishing and implementing digital identity enrollment and proofing practices tailored to their unique needs and circumstances. Additionally, the guidelines provide a reference for evaluating and enhancing existing identity management systems.
The document outlines various authentication methods, including passwords, multi-factor authentication (MFA), biometrics, tokens, and others. The selection and implementation of these methods should be balanced against specific security requirements, user needs, and cost-effectiveness. By adhering to these guidelines, federal agencies and organizations can ensure secure, cost-effective, and user-friendly digital identity management practices, enabling trusted transactions and interactions in today’s digital landscape.
There are three IALs defined in NIST SP 800-63A – IAL1, IAL2, and IAL3 – with increasingly stringent requirements.
IAL1: There is no need to map claimed identities to actual people or ensure that users have the asserted identities. IAL1 is the least stringent level and does not require solid proof of identity – digital services do not need to map the person creating the account to a real-life identity. The identity attributes are asserted by the user, not verified, so they do not need to submit evidence.
IAL2: Requires users to submit evidence that they own the identity they claim. IAL2 requires proof of identity and can be done remotely or in person. The person requesting access to the asset must provide evidence that they are the owner of the identity they claim to have. Biometric information, such as facial scans or fingerprints, can be collected.
IAL3: IAL3 is the most stringent level of NIST 800-63-3 identity verification. Requires physical presence, either in person or under remote supervision, and requires a biometric comparison of the applicant to the most substantial identification evidence.
The CSP collects PII and two forms of identity evidence from the applicant, validates the information with authoritative sources, verifies the applicant’s identity with photos, and confirms their possession of a validated phone number to successfully complete the proofing process.
The guidelines aim to ensure the collection of the minimum necessary personally identifiable information (PII) and specify the identity validation and verification requirements that CSPs should adhere to, including collecting different levels of identity evidence and the methods for validating and verifying this evidence.
NIST SP 800-63A provides guidelines for enrollment and identity proofing in digital identity management. It emphasizes the use of reliable and verifiable identity proofing processes. This ensures that individuals are accurately and securely verified before being granted access to systems or services, reducing the risk of identity theft and fraud. Additionally, the guidelines recommend the use of strong authentication mechanisms, such as multifactor authentication, to enhance the security of digital identities. This helps protect against unauthorized access and enhances the overall security posture of organizations implementing these guidelines.
The main conclusion of this document is that IAL1 is the relatively least secure identification method of all assurance levels. In contrast, IAL2 is more balanced and reliable, both in terms of verifying the true identity of the user and providing the necessary information to support the CSP. IAL2 requires at least one strong means of authentication, which not only requires a “strong” level of reliability, but also involves options such as CAPTCHA to a user-specified address, biometric authentication, etc., and follows the standards of the medium baseline SP 800-53. However, in order to safeguard accounts, users need to be careful about the information they provide when using IAL2, as over-sharing of personal data may increase the risk to the account. Therefore, IAL2 offers a reasonable alternative when balancing the need for identification and information security.
After reading the article, there are three types of identity assurance levels (IALs) for a subscriber’s identity. These are the following:
IAL1 does not require any link of the applicant to support who they are; only self-assertion is needed. IAL2 requires supporting evidence for either remote or physically present identity proofing. The credential service provider (CSP) can verify the attributes of relying parties (RPs). Identifying attributes must be verified by an authorized and trained credential service provider (CSP) representative. Also, the identity must be physically present.
From reading this article, I noticed that the key point of the guide is the level of identity assurance, which guarantees subscriber identity at IAL1 (without real-life authentication), IAL2 (associated with a real-world identity), and IAL3 (physical confirmation of identity).
In IAL1, applicants are not required to be associated with a specific real-world identity. The attributes used are self-asserted and are used in conjunction with the activities of the subject. These attributes are neither validated nor verified, so this is the weakest method of identification.
In IAL2, the subject has evidence to support the existence of the identity in the real world, and it also verifies that the applicant is properly associated with the identity. It forces the existence of a form of identification that physically exists remotely.
In IAL3, it is the most secure form of authentication and only provides the specific attributes requested by the authenticator. This is the highest form of assurance.
The registration process involves capturing and storing the identifying information of an individual or entity. This typically includes basic personal details, contact information, and authentication credentials (e.g., password, pin).
Proof of identity is the process of verifying the authenticity of an individual’s claimed identity. It involves verifying the identity information provided during the registration process according to a reliable and trusted source.
A takeaway from this reading is the identity proofing and enrollment process. This is a three-part process that includes resolution, validation, and verification. The CSP first collects PII of the applicant; this is then validated by checking an authoritative source to ensure that the information supplied matches their records, and finally the CSP matches the photo provided by the applicant to documents such as licenses, passports, etc. Once all of the above are authenticated by the CSP, the applicant is considered to have been successfully proofed.
Based on the reading, it is important to understand the privacy considerations of identity enrollment and proofing. A major part of this is minimizing the collection of data so that only information necessary for proofing is requested and stored. As information privacy concerns have grown over the last decade, if an individual perceives that unnecessary data is being collected, it can diminish users’ trust in the system being used. Additionally, in the case of a breach, the less user data that is compromised, the smaller the impact to both the end user and to the organization (in terms of exposure to legal damages). Finally, collection of social security numbers is only permissible if strictly necessary to perform identity resolution. If there are any other avenues available to the organization, they must avoid collecting SSN data.
Another facet of data privacy is ensuring users are provided notice of the collection of their data, and that collection and retention of their data is only performed with their consent. Similar to above, these steps minimize legal risk to the organization and confirm that the users are aware of and comfortable with the nature of the data that is being collected.
1. Identity verification is slightly different for users interacting with online sites, such as online banking sites. When a user first tries to create an account, the bank will take additional steps to verify the user’s identity. This typically requires the user to provide information known to the user and the bank, such as an account number and personal information about the user, such as an identification number or social security number.
2. During the initial registration process, the bank will also ask the user to provide additional information such as the user’s favourite colour, the middle name of their oldest sibling or the model of their first car. Later, if the user needs to change their password or wants to transfer money, the bank can ask the user these questions as a method of identification.
I’m adding to that. Therefore, today’s information systems or system operating organisations have been presented with the fact that the more secure the authentication method, the more complex the registration process. And many financial institutions now routinely use more advanced authentication techniques, such as two-factor authentication, or employ physical characteristics. They collect information from customers and then use databases to verify the accuracy of that information.
The levels of authentication range from 1 to 3. Level 1 indicates the true identity of the subject, level 2 requires the subject’s identity to be verified remotely or physically, and level 3 requires physical presence and must be verified by an authorized Authentication Service Provider (CSP). The CSP has quality requirements for the identification information collected, including: unacceptable, fair, strong and superior.
This document describes the common pattern in which an applicant undergoes an identity proofing and enrollment process whereby their identity evidence and attributes are collected,
Identity proofing’s sole objective is to ensure the applicant is who they claim to be to a stated level of certitude. This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing. There may be many different sets that suffice as the minimum, so CSPs should choose this set to balance privacy and the user’s usability needs, as well as the likely attributes needed in future uses of the digital identity. For example, such attributes — to the extent they are the minimum necessary — could include:
1. Full name
2. Date of birth
3. Home Address
This document also provides requirements for CSPs collecting additional information used for purposes other than identity proofing.
The goal of identity validation is to collect the most appropriate identity evidence (e.g., a passport or driver’s license) from the applicant and determine its authenticity, validity, and accuracy. Identity validation is made up of three process steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
This article explores the different levels of identity assurance. These levels are divided into one to three levels, each with its own unique requirements. At the first level, there is no need to confirm the true identity of the subject. The second level requires that the subject’s identity be linked to a real identity, either remotely or through physical proof of identity. The third level is more stringent, requiring that the subject must physically exist and that its identity must be verified by an authorized CSP (Authentication Service Provider). In addition, the CSP also has clear quality requirements for the identification information collected, including four levels of unacceptable, average, strong and excellent. These requirements ensure the rigor and reliability of the identification process.
NIST SP 800-63A “Digital Identity Guidelines: Enrollment and Identity Proofing” is a set of guidelines published by the National Institute of Standards and Technology (NIST) in the United States. It focuses on the process of user enrollment and identity proofing in digital identity management and authentication systems and provides best practices and guidance for organizations and individuals.
NIST SP 800-63A covers the following topics:
1. User Enrollment: The guideline provides best practices for the user enrollment process, including collecting user information, verifying user identity, and creating user accounts. It offers recommendations on designing enrollment flows, collecting necessary information, verifying user identities, and creating trusted user accounts.
2. Identity Proofing: The guideline provides detailed information on various methods and technologies for identity proofing. It includes traditional single-factor authentication methods such as usernames and passwords, as well as more robust multi-factor authentication methods such as SMS verification codes, biometrics, and hardware tokens. The guideline also provides recommendations for users to select appropriate authentication methods that meet security and user experience requirements.
3. Identity Proofing Security: The guideline emphasizes the security aspects of the identity proofing process. It provides best practices to prevent fraud and identity impersonation, including risk assessment of user information, use of secure authentication protocols and technologies, and recommendations to address identity proofing attacks.
NIST SP 800-63A aims to help organizations and individuals establish secure, reliable, and user-friendly digital identity authentication and management systems. It offers best practices and guidance for user enrollment and identity proofing in order to ensure the security, accuracy, and trustworthiness of digital identities. These guidelines can assist organizations and industries in developing and implementing identity proofing strategies and technologies, and help mitigate the risks of fraud and identity impersonation.
NIST SP 800-63A is a supplement to the digital Identity guidance issued by the National Institute of Standards and Technology (NIST), focusing on the “Enrollment” and “Identity Proofing” segments. The document provides organizations with detailed guidance on how to securely and efficiently conduct user registration and authentication proof to ensure the accuracy and reliability of digital identity systems.
NIST SP 800-63A provides organizations with detailed guidance on how to securely and efficiently conduct user registration and proof of identity. These guidelines are essential to building a secure and reliable digital identity system that helps protect user identity information and resources from unauthorized access and disclosure. These guidelines also help organizations comply with relevant laws, regulations and best practices to ensure compliance and privacy protection.
I found the key point which is about SAOP. It is critical to involve your agency’s SAOP in the earliest stages of digital authentication system development to assess and mitigate privacy risks and advise the agency on compliance requirements, such as whether or not the PII collection to conduct identity proofing triggers the Privacy Act of 1974 [Privacy Act] or the E-Government Act of 2002 [E-Gov] requirement to conduct a Privacy Impact Assessment. For example, with respect to identity proofing, it is likely that the Privacy Act requirements will be triggered and require coverage by either a new or existing Privacy Act system of records due to the collection and maintenance of PII or other attributes necessary to conduct identity proofing. The SAOP can similarly assist the agency in determining whether a PIA is required. In addition, due to the many components of digital authentication, it is important for the SAOP to have an awareness and understanding of each individual component. For example, other privacy artifacts may be applicable to an agency offering or using proofing services such as Data Use Agreements, Computer Matching Agreements, etc. The SAOP can assist the agency in determining what additional requirements apply. Moreover, a thorough understanding of the individual components of digital authentication will enable the SAOP to thoroughly assess and mitigate privacy risks either through compliance processes or by other means.
In this chapter, I learned that the assurance of subscriber identity is described using one of three IALs:
IAL1: There is no need to link the applicant to a specific real-world identity.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with that real-world identity. CSPs that support IAL2 can also support IAL1 transactions if the user agrees.
IAL3: Proof of identity requires physical presence. Identifying attributes must be verified by an authorized and trained CSP representative.
IAL3-enabled CSPs can support both IAL1 and IAL2 identity attributes if the user agrees to do so.
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the enrollment and verification of an identity for use in digital authentication. Central to this is a process known as identity proofing in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identification at a useful identity assurance level. This document defines the technical requirements for each of the three identity assurance levels.
In this document the different levels of assurance for identity proofing are discussed. These levels range from 1-3, level 1 being that there is not requirement to determine if the subject’s real-life identity, level 2 the subject’s identity must be identities and associated with an real identity but can be either remote or physically-present identity proofing, and level 3 which requires physical presence and must be verified by an authorized CSP. A CSP has quality requirements of the identifying information they collect that include: unacceptable, fair, strong, and superior.
“Digital Identity Guide Registration and Identification” may be a process or guide on how to perform digital identity registration and identification. Digital identity registration is when a user registers with a trusted authority (such as a Certificate Authority, CA) to obtain a unique digital identity. This identity usually includes a public key certificate and other relevant information used to prove a user’s identity in a network environment.
Proof of identity is a key link in the digital identity registration process, which requires users to provide a series of authentication information to prove their identity. This information may include personally identifiable information, contact details, biometric information (such as fingerprints, iris scans, etc.), etc. Depending on the authentication information, the degree of rigor and security of identification will vary.
“The Digital Identity Guidelines Enrollment and Identity Proofing establishes the basic principles of digital identity management and identity authentication, including privacy protection, flexibility, cost-effectiveness and security. The goal is to provide a comprehensive and flexible guidance framework to help organizations establish and implement digital identity enrollment and identity proofing practices that meet their specific needs and circumstances. At the same time, the guidelines provide a reference framework for evaluating and improving existing identity management systems. The guidelines outline a variety of authentication methods, including passwords, multi-factor authentication (MFA), biometrics, tokens, and others. The selection and implementation of these methods should be weighed against specific security requirements, user needs and cost-effectiveness.
An important takeaway that interested me from NIST SP 800 63A – Digital Identity Guidelines Enrollment and Identity Proofing, was that assurance in a subscriber’s identity is described using one of three IALs. The three levels are described as:
IAL1- There is no requirement to link the applicant to a specific real-life identity. Any attribute is self-asserted.
IAL2 – Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
IAL3 – Physical presence is required for identity proofing and identifying attributes must be verified by an authorized and trained CSP professional.
According to the guidelines, IAL3 is the most secure level in proofing and identifying attributes since it must be verified by an authorized CSP professional.
Through this article, I found that the key point is the importance of collecting only the minimum amount of Personal Identifiable Information (PII) needed to properly authenticate an individual based on the level of authentication required. There is a fine line between collecting the required information in order to authenticate someone especially considering some of the regulations in place such as the Know Your Customer (KYC) requirements as a result of the Patriot Act. Section 8 covers the Data Privacy requirements and considerations when determining the type of documentation or evidence needed for identity proofing and expands on the privacy requirement noted in the General Requirements section, specifically noting the “collection of PII SHALL be limited to the minimum necessary to validate the existence of the claimed identity and associate the claimed identity with the applicant providing identity evidence for appropriate identity resolution, validation, and verification”. In addition, the guidance also discusses the requirements for collecting information used for purposes other that identity proofing. One case in which this could happen is in order to comply with regulations. If data is going to be used in this manner, it is imperative that appropriate disclosures must be provided to the applicant. If the need for collecting additional information is not appropriately disclosed and the information adequately safeguarded, the organization can lose the applicant’s trust, which can be hard to recover. By employing data minimization techniques, the amount of PII vulnerable to a breach is reduced and encourages trust encourages trust in the identity proofing process.
Collection of social security numbers is only permissible if strictly necessary to perform identity resolution. If there are any other avenues available to the organization, they must avoid collecting SSN data.Another fact of data privacy is ensuring users are provided notice of the collection of their data, and that collection and retention of their data is only performed with their consent. Similar to above, these steps minimize legal risk to the organization and confirm that the users are aware of and comfortable with the nature of the data that is being collected.
These guidelines provide technical requirements for federal agencies implementing digital identity services, focusing on the enrollment and verification of identities for use in digital authentication. Central to this is the process of identity proofing, where applicants must provide reliable evidence of their identity to a credential service provider (CSP), enabling the CSP to confidently assert that identification at an appropriate assurance level. This document defines the technical requirements for each of the three identity assurance levels.
The guidelines also establish the fundamental principles of digital identity management and authentication, prioritizing privacy protection, flexibility, cost-effectivenesss, and security. Their objective is to offer a comprehensive and adaptable framework to assist organizations in establishing and implementing digital identity enrollment and proofing practices tailored to their unique needs and circumstances. Additionally, the guidelines provide a reference for evaluating and enhancing existing identity management systems.
The document outlines various authentication methods, including passwords, multi-factor authentication (MFA), biometrics, tokens, and others. The selection and implementation of these methods should be balanced against specific security requirements, user needs, and cost-effectiveness. By adhering to these guidelines, federal agencies and organizations can ensure secure, cost-effective, and user-friendly digital identity management practices, enabling trusted transactions and interactions in today’s digital landscape.
There are three IALs defined in NIST SP 800-63A – IAL1, IAL2, and IAL3 – with increasingly stringent requirements.
IAL1: There is no need to map claimed identities to actual people or ensure that users have the asserted identities. IAL1 is the least stringent level and does not require solid proof of identity – digital services do not need to map the person creating the account to a real-life identity. The identity attributes are asserted by the user, not verified, so they do not need to submit evidence.
IAL2: Requires users to submit evidence that they own the identity they claim. IAL2 requires proof of identity and can be done remotely or in person. The person requesting access to the asset must provide evidence that they are the owner of the identity they claim to have. Biometric information, such as facial scans or fingerprints, can be collected.
IAL3: IAL3 is the most stringent level of NIST 800-63-3 identity verification. It requires physical presence, either in person or under remote supervision, and requires a biometric comparison of the applicant to the most substantial identification evidence.
The CSP collects PII and two forms of identity evidence from the applicant, validates the information with authoritative sources, verifies the applicant’s identity with photos, and confirms their possession of a validated phone number to successfully complete the proofing process.
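To make the decision logic in this post concrete, here is a policy-as-code sketch of the IAL criteria it describes (self-assertion for IAL1; validated evidence for IAL2; physical or supervised-remote presence, biometric comparison and a trained CSP representative for IAL3), together with the data-minimization check discussed later in the thread. This is an added example, not text or code from NIST SP 800-63A or from any poster. The evidence quality levels (unacceptable, fair, strong, superior) and the minimum attribute set (full name, date of birth, home address) are taken from the thread; the thresholds of "at least one strong-or-better piece of evidence for IAL2" and "strong-or-better for IAL3" are assumptions chosen for the illustration, as are all class and function names.

```python
"""Policy-as-code sketch of IAL determination and PII minimization.

Added example only; the thresholds marked ASSUMPTION are illustrative
and are not the guideline's normative rules.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class EvidenceStrength(IntEnum):
    """Evidence quality levels named in the thread."""
    UNACCEPTABLE = 0
    FAIR = 1
    STRONG = 2
    SUPERIOR = 3


@dataclass
class Evidence:
    kind: str                     # e.g. "passport", "drivers_license"
    strength: EvidenceStrength
    genuine: bool                 # validation step: evidence confirmed authentic
    data_valid: bool              # validation step: data current and tied to a real subject


@dataclass
class ProofingSession:
    mode: str                     # "self_asserted", "remote", "in_person", "supervised_remote"
    evidence: list = field(default_factory=list)
    biometric_compared: bool = False          # applicant compared to strongest evidence
    verified_by_trained_rep: bool = False     # authorized, trained CSP representative
    attributes_collected: set = field(default_factory=set)
    ssn_needed_for_resolution: bool = False   # only justification the thread allows for SSN


MINIMUM_ATTRIBUTES = {"full_name", "date_of_birth", "home_address"}
PHYSICAL_MODES = {"in_person", "supervised_remote"}


def validated_evidence(session):
    """Keep only evidence that passed both validation checks and is at least FAIR."""
    return [e for e in session.evidence
            if e.genuine and e.data_valid and e.strength >= EvidenceStrength.FAIR]


def achievable_ial(session):
    """Return the highest IAL (1, 2 or 3) this session supports; fails closed to 1."""
    good = validated_evidence(session)
    if session.mode == "self_asserted" or not good:
        return 1
    strongest = max(e.strength for e in good)
    if (session.mode in PHYSICAL_MODES
            and session.biometric_compared
            and session.verified_by_trained_rep
            and strongest >= EvidenceStrength.STRONG):   # ASSUMPTION: threshold for IAL3
        return 3
    if strongest >= EvidenceStrength.STRONG:             # ASSUMPTION: one STRONG piece for IAL2
        return 2
    return 1


def minimization_findings(session):
    """List attributes whose collection the thread's minimization guidance would question."""
    findings = []
    if "ssn" in session.attributes_collected and not session.ssn_needed_for_resolution:
        findings.append("ssn collected but not strictly necessary for identity resolution")
    extra = sorted(session.attributes_collected - MINIMUM_ATTRIBUTES - {"ssn"})
    for attr in extra:
        findings.append(f"attribute '{attr}' exceeds the minimum set; justify or drop it")
    return findings


if __name__ == "__main__":
    # Constructed sample sessions, not real applicant data.
    in_person = ProofingSession(
        mode="in_person",
        evidence=[Evidence("passport", EvidenceStrength.SUPERIOR, True, True)],
        biometric_compared=True, verified_by_trained_rep=True,
        attributes_collected=set(MINIMUM_ATTRIBUTES))
    forged = ProofingSession(
        mode="in_person",
        evidence=[Evidence("passport", EvidenceStrength.SUPERIOR, False, True)],
        biometric_compared=True, verified_by_trained_rep=True)
    print("in-person, genuine evidence ->", achievable_ial(in_person))   # 3
    print("in-person, evidence failed authenticity ->", achievable_ial(forged))  # 1
```

The point of the `forged` case is that a session "fails closed": presence, biometrics and a trained representative do not rescue evidence that did not pass validation, which matches the order of the three-step process (resolve, validate, verify) the thread describes.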
The guidelines aim to ensure the collection of the minimum necessary personal identity information (PII) and specify the identity validation and verification requirements that CSPs should adhere to, including collecting different levels of identity evidence and the methods for validating and verifying this evidence.
NIST SP 800-63A provides guidelines for enrollment and identity proofing in digital identity management. It emphasizes the use of reliable and verifiable identity proofing processes. This ensures that individuals are accurately and securely verified before being granted access to systems or services, reducing the risk of identity theft and fraud. Additionally, the guidelines recommend the use of strong authentication mechanisms, such as multifactor authentication, to enhance the security of digital identities. This helps protect against unauthorized access and enhances the overall security posture of organizations implementing these guidelines.
The main conclusion of this document is that IAL1 is the least secure identification method of all assurance levels. In contrast, IAL2 is more balanced and reliable, both in terms of verifying the true identity of the user and providing the necessary information to support the CSP. IAL2 requires at least one strong means of authentication, which not only requires a “strong” level of reliability, but also involves options such as CAPTCHA to a user-specified address, biometric authentication, etc., and follows the standards of the medium baseline SP 800-53. However, in order to safeguard accounts, users need to be careful about the information they provide when using IAL2, as over-sharing of personal data may increase the risk to the account. Therefore, IAL2 offers a reasonable alternative when balancing the need for identification and information security.
After reading the article, there are three types of identity assurance levels (IALs) for a subscriber’s identity. These are the following:
IAL1 does not require any link of the applicant to support who you are; only self-assertion is needed. IAL2 requires evidence to support either remote or physically present identity proofing. The credential service provider (CSP) can verify the attributes of relying parties (RPs). Identifying attributes must be verified by an authorized and trained credential service provider (CSP) representative. Also, the identity must be physically present.
From reading this article, I noticed that the key point of the guide is the level of identity assurance, which guarantees subscriber identity at IAL1 (without real-life authentication), IAL2 (associated with a real-world identity), and IAL3 (physical confirmation of identity).
In IAL1, applicants are not required to be associated with a specific real-world identity. The attributes used are self-asserted and are used in conjunction with the activities of the subject. These attributes are neither validated nor verified, so they are the weakest method of identification.
In IAL2, the subject has evidence to support the existence of the identity in the real world, and it also verifies that the applicant is properly associated with the identity. It forces the existence of a form of identification that physically exists remotely.
IAL3 is the most secure form of authentication and only provides the specific attributes requested by the authenticator. This is the highest form of assurance.
The registration process involves capturing and storing the identifying information of an individual or entity. This typically includes basic personal details, contact information, and authentication credentials (e.g., password, pin).
Proof of identity is the process of verifying the authenticity of an individual’s claimed identity. It involves verifying the identity information provided during the registration process according to a reliable and trusted source.
A takeaway from this reading is the identity proofing and enrollment process. This is a three-part process that includes resolution, validation, and verification. The CSP first collects PII of the applicant; this is then validated by checking an authorized source to ensure that the information supplied matches their records; finally, the CSP matches the photo provided by the applicant to documents such as licenses, passports, etc. Once all of the above are authenticated by the CSP, the applicant is considered to have been successfully proofed.
Based on the reading, it is important to understand the privacy considerations of identity enrollment and proofing. A major part of this is minimizing the collection of data so that only information necessary for proofing is requested and stored. As information privacy concerns have grown over the last decade, if an individual perceives that unnecessary data is being collected, it can diminish users’ trust in the system being used. Additionally, in the case of a breach, the less user data that is compromised, the smaller the impact to both the end user and to the organization (in terms of exposure to legal damages). Finally, collection of social security numbers is only permissible if strictly necessary to perform identity resolution. If there are any other avenues available to the organization, they must avoid collecting SSN data.
Another facet of data privacy is ensuring users are provided notice of the collection of their data, and that collection and retention of their data is only performed with their consent. Similar to above, these steps minimize legal risk to the organization and confirm that the users are aware of and comfortable with the nature of the data that is being collected.
1. Identity verification is slightly different for users interacting with online sites, such as online banking sites. When a user first tries to create an account, the bank will take additional steps to verify the user’s identity. This typically requires the user to provide information known to the user and the bank, such as an account number and personal information about the user, such as an identification number or social security number.
2. During the initial registration process, the bank will also ask the user to provide additional information such as the user’s favourite colour, the middle name of their oldest sibling or the model of their first car. Later, if the user needs to change their password or wants to transfer money, the bank can ask the user these questions as a method of identification.
I’m adding to that. Therefore, today’s information systems or system operating organisations have been presented with the fact that the more secure the authentication method, the more complex the registration process. And many financial institutions now routinely use more advanced authentication techniques, such as two-factor authentication, or employ physical characteristics. They collect information from customers and then use databases to verify the accuracy of that information.
The levels of authentication range from 1 to 3. Level 1 indicates the true identity of the subject, level 2 requires subject identity to be verified remotely or physically, and level 3 requires physical presence and must be verified by an authorized Authentication Service Provider (CSP). The CSP has quality requirements for the identification information collected, including: unacceptable, fair, strong and superior.
This document describes the common pattern in which an applicant undergoes an identity proofing and enrollment process whereby their identity evidence and attributes are collected,
Identity proofing’s sole objective is to ensure the applicant is who they claim to be to a stated level of certitude. This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing. There may be many different sets that suffice as the minimum, so CSPs should choose this set to balance privacy and the user’s usability needs, as well as the likely attributes needed in future uses of the digital identity. For example, such attributes — to the extent they are the minimum necessary — could include:
1. Full name
2. Date of birth
3. Home Address
This document also provides requirements for CSPs collecting additional information used for purposes other than identity proofing.
The goal of identity validation is to collect the most appropriate identity evidence (e.g., a passport or driver’s license) from the applicant and determine its authenticity, validity, and accuracy. Identity validation is made up of three process steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
This article explores the different levels of identity assurance. These levels are divided into one to three levels, each with its own unique requirements. At the first level, there is no need to confirm the true identity of the subject. The second level requires that the subject’s identity be linked to a real identity, either remotely or through physical proof of identity. The third level is more stringent, requiring that the subject must physically exist and that its identity must be verified by an authorized CSP (Authentication Service Provider). In addition, the CSP also has clear quality requirements for the identification information collected, including four levels of unacceptable, average, strong and excellent. These requirements ensure the rigor and reliability of the identification process.
NIST SP 800-63A “Digital Identity Guidelines: Enrollment and Identity Proofing” is a set of guidelines published by the National Institute of Standards and Technology (NIST) in the United States. It focuses on the process of user enrollment and identity proofing in digital identity management and authentication systems and provides best practices and guidance for organizations and individuals.
NIST SP 800-63A covers the following topics:
1. User Enrollment: The guideline provides best practices for the user enrollment process, including collecting user information, verifying user identity, and creating user accounts. It offers recommendations on designing enrollment flows, collecting necessary information, verifying user identities, and creating trusted user accounts.
2. Identity Proofing: The guideline provides detailed information on various methods and technologies for identity proofing. It includes traditional single-factor authentication methods such as usernames and passwords, as well as more robust multi-factor authentication methods such as SMS verification codes, biometrics, and hardware tokens. The guideline also provides recommendations for users to select appropriate authentication methods that meet security and user experience requirements.
3. Identity Proofing Security: The guideline emphasizes the security aspects of the identity proofing process. It provides best practices to prevent fraud and identity impersonation, including risk assessment of user information, use of secure authentication protocols and technologies, and recommendations to address identity proofing attacks.
NIST SP 800-63A aims to help organizations and individuals establish secure, reliable, and user-friendly digital identity authentication and management systems. It offers best practices and guidance for user enrollment and identity proofing in order to ensure the security, accuracy, and trustworthiness of digital identities. These guidelines can assist organizations and industries in developing and implementing identity proofing strategies and technologies, and help mitigate the risks of fraud and identity impersonation.
NIST SP 800-63A is a supplement to the digital Identity guidance issued by the National Institute of Standards and Technology (NIST), focusing on the “Enrollment” and “Identity Proofing” segments. The document provides organizations with detailed guidance on how to securely and efficiently conduct user registration and authentication proof to ensure the accuracy and reliability of digital identity systems.
NIST SP 800-63A provides organizations with detailed guidance on how to securely and efficiently conduct user registration and proof of identity. These guidelines are essential to building a secure and reliable digital identity system that helps protect user identity information and resources from unauthorized access and disclosure. These guidelines also help organizations comply with relevant laws, regulations and best practices to ensure compliance and privacy protection.
I found the key point which is about SAOP. It is critical to involve your agency’s SAOP in the earliest stages of digital authentication system development to assess and mitigate privacy risks and advise the agency on compliance requirements, such as whether or not the PII collection to conduct identity proofing triggers the Privacy Act of 1974 [Privacy Act] or the E-Government Act of 2002 [E-Gov] requirement to conduct a Privacy Impact Assessment. For example, with respect to identity proofing, it is likely that the Privacy Act requirements will be triggered and require coverage by either a new or existing Privacy Act system of records due to the collection and maintenance of PII or other attributes necessary to conduct identity proofing. The SAOP can similarly assist the agency in determining whether a PIA is required. In addition, due to the many components of digital authentication, it is important for the SAOP to have an awareness and understanding of each individual component. For example, other privacy artifacts may be applicable to an agency offering or using proofing services such as Data Use Agreements, Computer Matching Agreements, etc. The SAOP can assist the agency in determining what additional requirements apply. Moreover, a thorough understanding of the individual components of digital authentication will enable the SAOP to thoroughly assess and mitigate privacy risks either through compliance processes or by other means.
In this chapter, I learned that the assurance of subscriber identity is described using one of three IALs:
IAL1: There is no need to link the applicant to a specific real-world identity.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with that real-world identity. CSPs that support IAL2 can also support IAL1 transactions if the user agrees.
IAL3: Proof of identity requires physical presence. Identifying attributes must be verified by an authorized and trained CSP representative.
IAL3-enabled CSPs can support both IAL1 and IAL2 identity attributes if the user agrees to do so.