
This guideline updates IALs to permit more flexible remote identity proofing processes and more options in federated environments, while also introducing an evidence quality factor as its notional strength metric.
IALs (Identity Assurance Levels) provide assurance levels for digital identities that can be used to verify a requester's real-world identity before providing access to services. There are three IALs: IAL1, IAL2, and IAL3.
Authentication
NIST Special Publication 800-63 from the National Institute of Standards and Technology sets identity standards for use online, outlining how organizations verify identities and securely share them between systems. While its importance cannot be overstated, its complex language can make it daunting to those outside of cybersecurity.
NIST 800-63A IAL3 makes it simpler for buyers to understand how the framework operates: the framework is broken into assurance levels for identity proofing, authentication and federation, which allows more adaptable risk management in response to evolving threats.
IAL3 assurance requires direct observation of applicants during identity proofing sessions, either in person or remotely supervised, together with document validation against authoritative sources and biometric comparison against claimed digital identities to reduce impersonation and fraud. Securely linking biometrics with digital identities also provides strong protection from SIM swapping or MFA bypass.
Pseudonymity
Pseudonymity can be an effective way to protect a person's reputation, yet it can have unintended repercussions. For instance, sharing content that offends other social media users could result in negative press, lost business and lost popularity. This is why many people choose multiple pseudonyms, to lessen the impact of an initial public name on their reputation.
NIST 800-63A establishes three levels of identity assurance: IAL1, IAL2 and IAL3. IAL3 involves more stringent verification processes, such as face-to-face or video interaction with a trained CSP (credential service provider) representative, collection of several biometric characteristics, and enrollment in subscriber accounts. It also protects against advanced attacks such as evidence falsification and repudiation, as well as more sophisticated social engineering tactics.
Federation
Federation with NIST 800-63A IAL3 verification is an identity proofing process designed to reduce fraud losses while meeting modern user experience expectations. CSPs using this approach need only submit three pieces of superior evidence and two pieces of fair evidence in order to successfully prove a claimant's identity. The approach also prevents highly scalable attacks such as falsifying evidence or repudiation.
NIST IAL3 verification refers to the process of verifying that information provided by an applicant on their strongest piece of evidence reflects their physical existence. This is usually done via physical or biometric comparison.
TrustSwiftly provides a passwordless and secure IAL3-compliant solution that directly meets IAL3 guidelines via remote yet supervised identity verification sessions using cameras and chat. It features step-up reproofing based on risk, document authentication against authoritative sources, and facial image captures with liveness detection, all designed to reduce impersonation attempts while protecting against SIM swaps or MFA bypasses.
Biometrics
Biometrics is the science and technology of identifying people based on intrinsic characteristics. It encompasses various technologies, from physical sensors to behavioral analysis, which capture and recognize an individual's face, fingerprints, retina or iris structures, hand measurements, voice patterns or any combination thereof.
Before implementing a biometric system, it is crucial that stakeholders are consulted in order to gauge their comfort with it. This consultation process should include complaint and enquiry mechanisms as well as internal and external avenues of redress should misuse occur, a system fault be discovered, or an issue arise with regard to biometric data.
Enrollment processes are key components of effective biometric systems, as the quality of reference data will dictate the accuracy and reliability of future presentations. This includes rates of false acceptance or rejection, which could be affected by factors like poor lighting or posture during enrollment. It is also imperative that CSPs establish clear policies regarding how biometric data will be utilized, including default retention periods and processes.