Thu, 29 Aug 2019 02:51:47 +0000
Paul A. Grassi
James L. Fenton
Privacy Authors:
Naomi B. Lefkovitz
Jamie M. Danker
Usability Authors:
Yee-Yin Choong
Kristen K. Greene
Mary F. Theofanos
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-63a
Paul A. Grassi Applied Cybersecurity Division Information Technology Laboratory |
James L. Fenton Altmode Networks Los Altos, CA |
Privacy Authors: Naomi B. Lefkovitz Applied Cybersecurity Division Information Technology Laboratory Jamie M. Danker National Protection and Programs Directorate Department of Homeland Security |
Usability Authors: Yee-Yin Choong Kristen K. Greene Information Access Division Information Technology Laboratory Mary F. Theofanos Office of Data and Informatics Material Measurement Laboratory |
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-63a
June 2017
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Kent Rochford, Acting NIST Director and Under Secretary of Commerce for Standards and
Technology
This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-63-3
Natl. Inst. Stand. Technol. Spec. Publ. 800-63A, 45 pages (June 2017)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-63a
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications/.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 2000) Gaithersburg, MD 20899-2000
Email: dig-comments@nist.gov
All comments are subject to release under the Freedom of Information Act (FOIA).
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the enrollment and verification of an identity for use in digital authentication. Central to this is a process known as identity proofing in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identification at a useful identity assurance level. This document defines technical requirements for each of three identity assurance levels. This publication supersedes corresponding sections of NIST Special Publication (SP) 800-63-2.
authentication; credential service provider; electronic authentication; digital authentication; electronic credentials; digital credentials; identity proofing; federation.
The authors would like to acknowledge the contributions and guidance of our international peers, including Adam Cooper, Alastair Treharne, and Julian White from the Cabinet Office, United Kingdom, and Tim Bouma from the Treasury Board of Canada Secretariat, Government of Canada, Kaitlin Boeckl for her artistic contributions to all volumes in the SP 800-63 suite, and the contributions of our many reviewers, including Joni Brennan from the Digital ID & Authentication Council of Canada (DIACC), Ben Piccarreta and Ellen Nadeau from NIST, and Danna Gabel O’Rourke from Deloitte & Touche LLP. In addition, special thanks to the Federal Privacy Council’s Digital Authentication Task Force for the contributions to the development of privacy requirements and considerations.
The authors would also like to acknowledge the thought leadership and innovation of the original authors: Donna F. Dodson, Elaine M. Newton, Ray A. Perlner, W. Timothy Polk, Sarbari Gupta, and Emad A. Nabbus. Without their tireless efforts, we would not have had the incredible baseline from which to evolve 800-63 to the document it is today.
The terms “SHALL” and “SHALL NOT” indicate requirements to be followed strictly in order to conform to the publication and from which no deviation is permitted.
The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.
The terms “MAY” and “NEED NOT” indicate a course of action permissible within the limits of the publication.
The terms “CAN” and “CANNOT” indicate a possibility and capability, whether material, physical or causal or, in the negative, the absence of that possibility or capability.
3. Definitions and Abbreviations
4. Identity Assurance Level Requirements
5. Identity Resolution, Validation and Verification
7. Threats and Security Considerations
This section is informative.
This document provides requirements for enrollment and identity proofing of applicants that wish to gain access to resources at each Identity Assurance Level (IAL). The requirements detail the acceptability, validation, and verification of identity evidence that will be presented by a subscriber to support their claim of identity. This document also details the responsibilities of Credential Service Providers (CSPs) with respect to establishing and maintaining enrollment records and binding authenticators (either CSP-issued or subscriber-provided) to the enrollment record.
This section is informative.
One of the challenges associated with digital identity is the association of a set of online activities with a single specific entity. While there are situations where this is not required or is even undesirable (e.g., use cases where anonymity or pseudonymity are required), there are others where it is important to reliably establish an association with a real-life subject. Examples include obtaining health care and executing financial transactions. There are also situations where the association is required for regulatory reasons (e.g., the financial industry’s ‘Know Your Customer’ requirements, established in the implementation of the USA PATRIOT Act of 2001) or to establish accountability for high-risk actions (e.g., changing the release rate of water from a dam).
There are also instances where it is desirable for a relying party (RP) to know something about a subscriber executing a transaction, but not know their real-life identity. For example, it may be desirable to only know a subscriber’s home ZIP code for purposes of census-taking or petitioning an elected official. In both instances, the ZIP code is sufficient to deliver the service; it is not necessary or desirable to know the underlying identity of the person.
The following table states which sections of this document are normative and which are informative:
Section Name | Normative/Informative |
---|---|
1. Purpose | Informative |
2. Introduction | Informative |
3. Definitions and Abbreviations | Informative |
4. Identity Assurance Level Requirements | Normative |
5. Identity Resolution, Validation, and Verification | Normative |
6. Derived Credentials | Normative |
7. Threats and Security Considerations | Informative |
8. Privacy Considerations | Informative |
9. Usability Considerations | Informative |
10. References | Informative |
When a subject is identity proofed, the expected outcomes are:
Assurance in a subscriber’s identity is described using one of three IALs:
IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.
IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.
At IAL2 and IAL3, pseudonymity in federated environments is enabled by limiting the number of attributes sent from the CSP to the RP, or the way they are presented. For example, if a RP needs a valid birthdate but no other personal details, the RP should leverage a CSP to request just the birthdate of the subscriber. Wherever possible, the RP should ask the CSP for an attribute reference. For example, if a RP needs to know if a claimant is older than 18 they should request a boolean value, not the entire birthdate, to evaluate age. Conversely, it may be beneficial to the user that uses a high assurance CSP for transactions at lower assurance levels. For example, a user may maintain an IAL3 identity, yet should be able to use their CSP for IAL2 and IAL1 transactions.
Since the individual will have undergone an identity proofing process at enrollment, transactions with respect to individual interactions with the CSP may not necessarily be pseudonymous.
Detailed requirements for each of the IALs are given in Section 4 and Section 5.
See SP 800-63 Appendix A for a complete set of definitions and abbreviations.
This section contains both normative and informative material.
This document describes the common pattern in which an applicant undergoes an identity proofing and enrollment process whereby their identity evidence and attributes are collected, uniquely resolved to a single identity within a given population or context, then validated and verified. See SP 800-63-3 Section 6.1 for details on how to choose the most appropriate IAL. A CSP may then bind these attributes to an authenticator (described in SP 800-63B).
Identity proofing’s sole objective is to ensure the applicant is who they claim to be to a stated level of certitude. This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing. There may be many different sets that suffice as the minimum, so CSPs should choose this set to balance privacy and the user’s usability needs, as well as the likely attributes needed in future uses of the digital identity. For example, such attributes — to the extent they are the minimum necessary — could include:
This document also provides requirements for CSPs collecting additional information used for purposes other than identity proofing.
This section is normative.
Figure 4-1 outlines the basic flow for identity proofing and enrollment.
Figure 4-1 The Identity Proofing User Journey
The following provides a sample of how a CSP and an applicant interact during the identity proofing process:
Note: The identity proofing process can be delivered by multiple service providers. It is possible, but not expected, that a single organization, process, technique, or technology will fulfill these process steps.
The following requirements apply to any CSP performing identity proofing at IAL2 or IAL3.
This section is normative.
This section is normative.
IAL2 allows for remote or in-person identity proofing. IAL2 supports a wide range of acceptable identity proofing techniques in order to increase user adoption, decrease false negatives (legitimate applicants that cannot successfully complete identity proofing), and detect to the best extent possible the presentation of fraudulent identities by a malicious applicant.
A CSP SHALL proof according to the requirements in Section 4.4.1 or Section 4.4.2. A CSP SHOULD implement identity proofing in accordance with Section 4.4.1. Depending on the population the CSP serves, the CSP MAY implement identity proofing in accordance with Section 4.4.2.
Collection of PII SHALL be limited to the minimum necessary to resolve to a unique identity in a given context. This MAY include the collection of attributes that assist in data queries. See Section 5.1 for general resolution requirements.
The CSP SHALL collect the following from the applicant:
See Section 5.2.1 Identity Evidence Quality Requirements for more information on acceptable identity evidence.
The CSP SHALL validate identity evidence as follows:
Each piece of evidence SHALL be validated with a process that can achieve the same strength as the evidence presented. For example, if two forms of STRONG identity evidence are presented, each piece of evidence will be validated at a strength of STRONG.
See Section 5.2.2 Validating Identity Evidence for more information on validating identity evidence.
The CSP SHALL verify identity evidence as follows:
See Section 5.3 Identity Verification for more information on acceptable identity evidence.
The CSP SHALL support in-person or remote identity proofing. The CSP SHOULD offer both in-person and remote proofing.
Note: Postal address is the preferred method of sending any communications, including enrollment code and notifications, with the applicant. However, these guidelines support any confirmed address of record, whether physical or digital.
The CSP MAY collect biometrics for the purposes of non-repudiation and re-proofing. See SP 800-63B, Section 5.2.3 for more detail on biometric collection.
The CSP SHALL employ appropriately tailored security controls, to include control enhancements, from the moderate or high baseline of security controls defined in SP 800-53 or equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls for moderate-impact systems or equivalent are satisfied.
In instances where an individual cannot meet the identity evidence requirements specified in Section 4.4.1, the agency MAY use a trusted referee to assist in identity proofing the applicant. See Section 5.3.4 for more details.
This section is normative.
IAL3 adds additional rigor to the steps required at IAL2, to include providing further evidence of superior strength, and is subject to additional and specific processes (including the use of biometrics) to further protect the identity and RP from impersonation, fraud, or other significantly harmful damages. Biometrics are used to detect fraudulent enrollments, duplicate enrollments, and as a mechanism to re-establish binding to a credential. In addition, identity proofing at IAL3 is performed in-person (to include supervised remote). See Section 5.3.3 for more details.
Collection of PII SHALL be limited to the minimum necessary to resolve to a unique identity record. This MAY include the collection of attributes that assist in data queries. See Section 5.1 for general resolution requirements.
The CSP SHALL collect the following from the applicant:
See Section 5.2.1 Identity Evidence Quality Requirements for more information on acceptable identity evidence.
The CSP SHALL validate identity evidence as follows:
Each piece of evidence must be validated with a process that is able to achieve the same strength as the evidence presented. For example, if two forms of STRONG identity evidence are presented, each piece of evidence will be validated at a strength of STRONG.
See Section 5.2.2 Validating Identity Evidence for more information on validating identity evidence
The CSP SHALL verify identity evidence as follows:
See Section 5.3 Identity Verification for more information on acceptable identity evidence.
The CSP SHALL perform all identity proofing steps with the applicant in-person. See Section 5.3.3 for more details.
The CSP SHALL collect and record a biometric sample at the time of proofing (e.g., facial image, fingerprints) for the purposes of non-repudiation and re-proofing. See Section 5.2.3 of SP 800-63B for more detail on biometric collection.
The CSP SHALL employ appropriately tailored security controls, to include control enhancements, from the high baseline of security controls defined in SP 800-53 or an equivalent federal (e.g., FEDRAMP) or industry standard. The CSP SHALL ensure that the minimum assurance-related controls for high-impact systems or equivalent are satisfied.
This section is normative.
An enrollment code allows the CSP to confirm that the applicant controls an address of record, as well as offering the applicant the ability to reestablish binding to their enrollment record. Binding NEED NOT be completed in the same session as the original identity proofing transaction.
An enrollment code SHALL be comprised of one of the following:
This section is informative.
Table 4-1 summarizes the requirements for each of the authenticator assurance levels:
Table 4-1 IAL Requirements Summary
Requirement | IAL1 | IAL2 | IAL3 |
---|---|---|---|
Presence | No requirements | In-person and unsupervised remote. | In-person and supervised remote. |
Resolution | No requirements | The minimum attributes necessary to accomplish identity resolution. KBV may be used for added confidence. |
Same as IAL2. |
Evidence | No identity evidence is collected | One piece of SUPERIOR or STRONG evidence depending on strength of original proof and validation occurs with issuing source, or Two pieces of STRONG evidence, or One piece of STRONG evidence plus two (2) pieces of FAIR evidence. |
Two pieces of SUPERIOR evidence, or One piece of SUPERIOR evidence and one piece of STRONG evidence depending on strength of original proof and validation occurs with issuing source, or Two pieces of STRONG evidence plus one piece of FAIR evidence. |
Validation | No validation | Each piece of evidence must be validated with a process that is able to achieve the same strength as the evidence presented. | Same as IAL2. |
Verification | No verification | Verified by a process that is able to achieve a strength of STRONG. | Verified by a process that is able to achieve a strength of SUPERIOR. |
Address Confirmation | No requirements for address confirmation | Required. Enrollment code sent to any address of record. Notification sent by means different from enrollment code. | Required. Notification of proofing to postal address. |
Biometric Collection | No | Optional | Mandatory |
Security Controls | N/A | SP 800-53 Moderate Baseline (or equivalent federal or industry standard). | SP 800-53 High Baseline (or equivalent federal or industry standard). |
This section is normative.
This section lists the requirements to resolve, validate, and verify an identity and any supplied identity evidence. The requirements are intended to ensure the claimed identity is the actual identity of the subject attempting to enroll with the CSP and that scalable attacks affecting a large population of enrolled individuals require greater time and cost than the value of the resources the system is protecting.
The goal of identity resolution is to uniquely distinguish an individual within a given population or context. Effective identity resolution uses the smallest set of attributes necessary to resolve to a unique individual. It provides the CSP an important starting point in the overall identity proofing process, to include the initial detection of potential fraud, but in no way represents a complete and successful identity proofing transaction.
The goal of identity validation is to collect the most appropriate identity evidence (e.g., a passport or driver’s license) from the applicant and determine its authenticity, validity, and accuracy. Identity validation is made up of three process steps: collecting the appropriate identity evidence, confirming the evidence is genuine and authentic, and confirming the data contained on the identity evidence is valid, current, and related to a real-life subject.
This section provides quality requirements for identity evidence collected during identity proofing.
Table 5-1 lists strengths, ranging from unacceptable to superior, of identity evidence that is collected to establish a valid identity. Unless otherwise noted, to achieve a given strength the evidence SHALL, at a minimum, meet all the qualities listed.
Table 5-1 Strengths of Identity Evidence
Strength | Qualities of Identity Evidence |
---|---|
Unacceptable | - No acceptable identity evidence provided. |
Weak | - The issuing source of the evidence did not perform identity proofing. - The issuing process for the evidence means that it can reasonably be assumed to have been delivered into the possession of the applicant. - The evidence contains: - At least one reference number that uniquely identifies itself or the person to whom it relates. OR - The issued identity evidence contains a photograph or biometric template (of any modality) of the person to whom it relates. |
Fair | - The issuing source of the evidence confirmed the claimed identity through an identity proofing process. - The issuing process for the evidence means that it can reasonably be assumed to have been delivered into the possession of the person to whom it relates. - The evidence: - contains at least one reference number that uniquely identifies the person to whom it relates. OR - contains a photograph or biometric template (any modality) of the person to whom it relates. OR - can have ownership confirmed through KBV. - Where the evidence includes digital information, that information is protected using cryptographic or proprietary methods, or both, and those methods ensure the integrity of the information and enable the authenticity of the claimed issuing source to be confirmed. - Where the evidence includes physical security features, it requires proprietary knowledge to be able to reproduce it. - The issued evidence is unexpired. |
Strong | - The issuing source of the evidence confirmed the claimed identity through written procedures designed to enable it to form a reasonable belief that it knows the real-life identity of the person. Such procedures shall be subject to recurring oversight by regulatory or publicly-accountable institutions. For example, the Customer Identification Program guidelines established in response to the USA PATRIOT Act of 2001 or the Red Flags Rule, under Section 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act). - The issuing process for the evidence ensured that it was delivered into the possession of the subject to whom it relates. - The issued evidence contains at least one reference number that uniquely identifies the person to whom it relates. - The full name on the issued evidence must be the name that the person was officially known by at the time of issuance. Not permitted are pseudonyms, aliases, an initial for surname, or initials for all given names - The: - Issued evidence contains a photograph or biometric template (of any modality) of the person to whom it relates. OR - Applicant proves possession of an AAL2 authenticator bound to an IAL2 identity, at a minimum. - Where the issued evidence includes digital information, that information is protected using cryptographic or proprietary methods, or both, and those methods ensure the integrity of the information and enable the authenticity of the claimed issuing source to be confirmed. - Where the issued evidence contains physical security features, it requires proprietary knowledge and proprietary technologies to be able to reproduce it. - The evidence is unexpired. |
Superior | - The issuing source of the evidence confirmed the claimed identity by following written procedures designed to enable it to have high confidence that the source knows the real-life identity of the subject. Such procedures shall be subject to recurring oversight by regulatory or publicly accountable institutions. - The issuing source visually identified the applicant and performed further checks to confirm the existence of that person. - The issuing process for the evidence ensured that it was delivered into the possession of the person to whom it relates. - The evidence contains at least one reference number that uniquely identifies the person to whom it relates. - The full name on the evidence must be the name that the person was officially known by at the time of issuance. Not permitted are pseudonyms, aliases, an initial for surname, or initials for all given names. - The evidence contains a photograph of the person to whom it relates. - The evidence contains a biometric template (of any modality) of the person to whom it relates. - The evidence includes digital information, the information is protected using cryptographic or proprietary methods, or both, and those methods ensure the integrity of the information and enable the authenticity of the issuing source to be confirmed. - The evidence includes physical security features that require proprietary knowledge and proprietary technologies to be able to reproduce it. - The evidence is unexpired. |
Once the CSP obtains the identity evidence, the accuracy, authenticity, and integrity of the evidence and related information is checked against authoritative sources in order to determine that the presented evidence:
Table 5-2 lists strengths, ranging from unacceptable to superior, of identity validation performed by the CSP to validate the evidence presented for the current proofing session and the information contained therein.
Table 5-2 Validating Identity Evidence
Strength | Method(s) performed by the CSP |
---|---|
Unacceptable | - Evidence validation was not performed, or validation of the evidence failed. |
Weak | - All personal details from the evidence have been confirmed as valid by comparison with information held or published by an authoritative source. |
Fair | - The evidence: - details have been confirmed as valid by comparison with information held or published by the issuing source or authoritative source(s). OR - has been confirmed as genuine using appropriate technologies, confirming the integrity of physical security features and that the evidence is not fraudulent or inappropriately modified. OR - The evidence has been confirmed as genuine by trained personnel. OR - The issued evidence has been confirmed as genuine by confirmation of the integrity of cryptographic security features. |
Strong | - The evidence has been confirmed as genuine: - using appropriate technologies, confirming the integrity of physical security features and that the evidence is not fraudulent or inappropriately modified. OR - by trained personnel and appropriate technologies, confirming the integrity of the physical security features and that the evidence is not fraudulent or inappropriately modified. OR - by confirmation of the integrity of cryptographic security features. - All personal details and evidence details have been confirmed as valid by comparison with information held or published by the issuing source or authoritative source(s). |
Superior | - The evidence has been confirmed as genuine by trained personnel and appropriate technologies including the integrity of any physical and cryptographic security features. - All personal details and evidence details from the evidence have been confirmed as valid by comparison with information held or published by the issuing source or authoritative source(s). |
Training requirements for personnel validating evidence SHALL be based on the policies, guidelines, or requirements of the CSP or RP.
The goal of identity verification is to confirm and establish a linkage between the claimed identity and the real-life existence of the subject presenting the evidence.
Table 5-3 details the verification methods necessary to achieve a given identity verification strength. The CSP SHALL adhere to the requirements in Section 5.3.2 if KBV is used to verify an identity.
Table 5-3 Verifying Identity Evidence
Strength | Identity Verification Methods |
---|---|
Unacceptable | - Evidence verification was not performed or verification of the evidence failed. Unable to confirm that the applicant is the owner of the claimed identity. |
Weak | - The applicant has been confirmed as having access to the evidence provided to support the claimed identity. |
Fair | - The applicant’s ownership of the claimed identity has been confirmed by: - KBV. See Section 5.3.2. for more details. OR - a physical comparison of the applicant to the strongest piece of identity evidence provided to support the claimed identity. Physical comparison performed remotely SHALL adhere to all requirements as specified in [SP 800-63B, Section 5.2.3.]. OR - biometric comparison of the applicant to the identity evidence. Biometric comparison performed remotely SHALL adhere to all requirements as specified in [SP 800-63B, Section 5.2.3.]. |
Strong | - The applicant’s ownership of the claimed identity has been confirmed by: - physical comparison, using appropriate technologies, to a photograph, to the strongest piece of identity evidence provided to support the claimed identity. Physical comparison performed remotely SHALL adhere to all requirements as specified in [SP 800-63B, Section 5.2.3.]. OR - biometric comparison, using appropriate technologies, of the applicant to the strongest piece of identity evidence provided to support the claimed identity. Biometric comparison performed remotely SHALL adhere to all requirements as specified in [SP 800-63B, Section 5.2.3.]. |
Superior | - The applicant’s ownership of the claimed identity has been confirmed by biometric comparison of the applicant to the strongest piece of identity evidence provided to support the claimed identity, using appropriate technologies. Biometric comparison performed remotely SHALL adhere to all requirements as specified in [SP 800-63B, Section 5.2.3.]. |
The following requirements apply to the identity verification steps for IAL2 and IAL3. There are no restrictions for the use of KBV for identity resolution.
In-person proofing can be satisfied in two ways:
CSPs can employ remote proofing processes to achieve comparable levels of confidence and security to in-person events. The following requirements establish comparability between in-person transactions where the applicant is in the same physical location as the CSP to those where the applicant is remote.
Supervised remote identity proofing and enrollment transactions SHALL meet the following requirements, in addition to the IAL3 validation and verification requirements specified in Section 4.6:
800-63B Section 6.1 Authenticator Binding for instructions on binding authenticators to subscribers.
This section is informative.
Deriving credentials is based on the process of an individual proving to a CSP that they are the rightful subject of an identity record (i.e., a credential) that is bound to one or more authenticators they possess. This process is made available by a CSP that wants individuals to have an opportunity to obtain new authenticators bound to the existing, identity proofed record, or credential. As minimizing the number of times the identity proofing process is repeated benefits the individual and CSP, deriving identity is accomplished by proving possession and successful authentication of an authenticator that is already bound to the original, proofed digital identity.
The definition of derived in this section does not imply that an authenticator is cryptographically tied to a primary authenticator, for example deriving a key from another key. Rather, an authenticator can be derived by simply issuing on the basis of successful authentication with an authenticator that is already bound to a proofed identity, rather than unnecessarily repeating an identity proofing process.
There are two specific use cases for deriving identity:
As stated above, all requirements for PIV-derived credentials can be found in SP 800-157. For the second use case described above, this guideline does not differentiate between physical and digital identity evidence. Therefore it is acceptable, if the authenticator or an assertion generated by the primary CSP meet the requirements of Section 5, for them to be used at identity evidence for IAL2 and IAL3. In addition, any authenticators issued as a result of providing digital identity evidence are subject to the requirements of SP 800-63B.
This section is informative.
There are two general categories of threats to the enrollment process: impersonation, and either compromise or malfeasance of the infrastructure provider. This section focuses on impersonation threats, as infrastructure threats are addressed by traditional computer security controls (e.g., intrusion protection, record keeping, independent audits) and are outside the scope of this document. For more information on security controls, see SP 800-53, Recommended Security and Privacy Controls for Federal Information Systems and Organizations.
Threats to the enrollment process include impersonation attacks and threats to the transport mechanisms for identity proofing, authenticator binding, and credential issuance. Table 7-1 lists the threats related to enrollment and identity proofing.
Table 7-1 Enrollment and Identity Proofing Threats
Activity | Threat/Attack | Example |
---|---|---|
Enrollment | Falsified identity proofing evidence | An applicant claims an incorrect identity by using a forged driver’s license. |
Fraudulent use of another’s identity | An applicant uses a passport associated with a different individual. | |
Enrollment repudiation | A subscriber denies enrollment, claiming that they did not enroll with the CSP. |
Enrollment threats can be deterred by making impersonation more difficult to accomplish or by increasing the likelihood of detection. This recommendation deals primarily with methods for making impersonation more difficult; however, it does prescribe certain methods and procedures that may help prove who perpetrated an impersonation. At each level, methods are employed to determine that a person with the claimed identity exists, that the applicant is the person entitled to the claimed identity, and that the applicant cannot later repudiate the enrollment. As the level of assurance increases, the methods employed provide increasing resistance to casual, systematic, and insider impersonation. Table 7-2 lists strategies for mitigating threats to the enrollment and issuance processes.
Table 7-2 Enrollment and Issuance Threat Mitigation Strategies
Activity | Threat/Attack | Mitigation Strategy | Normative Reference(s) |
---|---|---|---|
Enrollment | Falsified identity proofing evidence | CSP validates physical security features of presented evidence. | 4.4.1.3, 4.5.3, 5.2.2 |
CSP validates personal details in the evidence with the issuer or other authoritative source. | 4.4.1.3, 4.5.3, 4.5.6 5.2.2 | ||
Fraudulent use of another’s identity | CSP verifies identity evidence and biometric of applicant against information obtained from issuer or other authoritative source. | 4.4.1.7, 4.5.7, 5.3 | |
Verify applicant-provided non-government-issued documentation (e.g., electricity bills in the name of the applicant with the current address of the applicant printed on the bill, or a credit card bill) to help achieve a higher level of confidence in the applicant’s identity. | 4.4.1.7, 4.5.7, 5.3 | ||
Enrollment repudiation | CSP saves a subscriber’s biometric. | 4.4.1.7, 4.5.7 |
This section is informative.
These privacy considerations provide information regarding the General Requirements set forth in Section 4.2.
Section 4.2 requirement 2 permits the collection of only the PII necessary to validate the existence of the claimed identity and associate the claimed identity to the applicant, based on best available practices for appropriate identity resolution, validation, and verification. Collecting unnecessary PII can create confusion regarding why information not being used for the identity proofing service is being collected. This leads to invasiveness or overreach concerns, which can lead to loss of applicant trust. Further, PII retention can become vulnerable to unauthorized access or use. Data minimization reduces the amount of PII vulnerable to unauthorized access or use, and encourages trust in the identity proofing process.
Section 4.2 requirement 13 does not permit the CSP to collect the SSN unless it is necessary for performing identity resolution, when resolution cannot be accomplished by collection of another attribute or combination of attributes. Overreliance on the SSN can contribute to misuse and place the applicant at risk of harm, such as through identity theft. Nonetheless, the SSN may achieve identity resolution for RPs in particular federal agencies that use SSNs to correlate a subscriber to existing records. Thus, this document recognizes the role of the SSN as an identifier and makes appropriate allowance for its use.
Note: Evidence requirements at the higher IALs preclude using the SSN or the Social Security Card as acceptable identity evidence.
Prior to collecting the SSN for identity proofing, organizations need to consider any legal obligation to collect the SSN, the necessity of using the SSN for interoperability with third party processes and systems, or operational requirements. Operational requirements can be demonstrated by an inability to alter systems, processes, or forms due to cost or unacceptable levels of risk. Operational necessity is not justified by ease of use or unwillingness to change.
For federal agencies, the initial requirement in [Executive Order (EO) 9397] (#9397) to use the SSN as a primary means of identification for individuals working for, with, or conducting business with their agency, has since been eliminated. Accordingly, EO 9397 cannot be referenced as the sole authority establishing the collection of the SSN as necessary.
Federal agencies need to review any decision to collect the SSN relative to their obligation to reduce the collection and unnecessary use of SSNs under Office of Management and Budget policy.
Section 4.2 requirement 3 requires the CSP provide explicit notice to the applicant at the time of collection regarding the purpose for collecting and maintaining a record of the attributes necessary for identity proofing, including whether such attributes are voluntary or mandatory in order to complete the identity proofing transactions, and the consequences for not providing the attributes.
An effective notice will take into account user experience design standards and research, and an assessment of privacy risks that may arise from the collection. Various factors should be considered, including incorrectly inferring that applicants understand why attributes are collected, that collected information may be combined with other data sources, etc. An effective notice is never only a pointer leading to a complex, legalistic privacy policy or general terms and conditions that applicants are unlikely to read or understand.
Section 4.2 requirement 4 does not permit the CSP to use attributes collected and maintained in the identity proofing process for any purpose other than identity proofing, authentication, authorization, or attribute assertions, related fraud mitigation, or to comply with law or legal process unless the CSP provides clear notice and obtains consent from the subscriber for additional uses.
Consult your SAOP if there are questions about whether proposed uses fall within the scope of these permitted uses. This notice should follow the same principles as described in Section 8.2 Notice and Consent and should not be rolled up into a legalistic privacy policy or general terms and conditions. Rather if there are uses outside the bounds of these explicit purposes, the subscriber should be provided with a meaningful way to understand the purpose for additional uses, and the opportunity to accept or decline. The CSP cannot make acceptance by the subscriber of additional uses a condition of providing identity proofing services.
Section 4.2 requirement 5 requires the CSP to provide effective mechanisms for redressing applicant complaints or problems arising from the identity proofing, and make the mechanisms easy for applicants to find and access.
The Privacy Act requires federal CSPs that maintain a system of records to follow procedures to enable applicants to access and, if incorrect, amend their records. Any Privacy Act Statement should include a reference to the applicable SORN(s), which provide the applicant with instructions on how to make a request for access or correction. Non-federal CSPs should have comparable procedures, including contact information for any third parties if they are the source of the information.
CSPs should make the availability of alternative methods for completing the process clear to users (e.g., in person at a customer service center, if available) in the event an applicant is unable to establish their identity and complete the registration process online.
Note: If the ID proofing process is not successful, CSPs should inform the applicant of the procedures to address the issue but should not inform the applicant of the specifics of why the registration failed (e.g., do not inform the applicant, “Your SSN did not match the one that we have on record for you”), as doing so could allow fraudulent applicants to gain more knowledge about the accuracy of the PII.
Section 4.2 requirement 7 and 10 require the CSP to conduct a privacy risk assessment. In conducting a privacy risk assessment, CSPs should consider:
Section 4.2 requirement 12 covers specific compliance obligations for federal CSPs. It is critical to involve your agency’s SAOP in the earliest stages of digital authentication system development to assess and mitigate privacy risks and advise the agency on compliance requirements, such as whether or not the PII collection to conduct identity proofing triggers the Privacy Act of 1974 [Privacy Act] or the E-Government Act of 2002 [E-Gov]requirement to conduct a Privacy Impact Assessment. For example, with respect to identity proofing, it is likely that the Privacy Act requirements will be triggered and require coverage by either a new or existing Privacy Act system of records due to the collection and maintenance of PII or other attributes necessary to conduct identity proofing.
The SAOP can similarly assist the agency in determining whether a PIA is required. These considerations should not be read as a requirement to develop a Privacy Act SORN or PIA for identity proofing alone; in many cases it will make the most sense to draft a PIA and SORN that encompasses the entire digital authentication process or include the digital authentication process as part of a larger programmatic PIA that discusses the program or benefit the agency is establishing online access to.
Due to the many components of digital authentication, it is important for the SAOP to have an awareness and understanding of each individual component. For example, other privacy artifacts may be applicable to an agency offering or using proofing services such as Data Use Agreements, Computer Matching Agreements, etc. The SAOP can assist the agency in determining what additional requirements apply. Moreover, a thorough understanding of the individual components of digital authentication will enable the SAOP to thoroughly assess and mitigate privacy risks either through compliance processes or by other means.
This section is informative.
This section is intended to raise implementers’ awareness of the usability considerations associated with enrollment and identity proofing (for usability considerations for typical authenticator usage and intermittent events, see SP 800-63B, Section 10.
ISO/IEC 9241-11 defines usability as the “extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.” This definition focuses on users, goals, and context of use as the necessary elements for achieving effectiveness, efficiency, and satisfaction. A holistic approach considering these key elements is necessary to achieve usability.
The overarching goal of usability for enrollment and identity proofing is to promote a smooth, positive enrollment process for users by minimizing user burden (e.g., time and frustration) and enrollment friction (e.g., the number of steps to complete and amount of information to track). To achieve this goal, organizations have to first familiarize themselves with their users.
The enrollment and identity proofing process sets the stage for a user’s interactions with a given CSP and the online services that the user will access; as negative first impressions can influence user perception of subsequent interactions, organizations need to promote a positive user experience throughout the process.
Usability cannot be achieved in a piecemeal manner. Performing a usability evaluation on the enrollment and identity proofing process is critical. It is important to conduct usability evaluation with representative users, realistic goals and tasks, and appropriate contexts of use. The enrollment and identity proofing process should be designed and implemented so it is easy for users to do the right thing, hard to do the wrong thing, and easy to recover when the wrong thing happens.
From the user’s perspective, the three main steps of enrollment and identity proofing are pre-enrollment preparation, the enrollment and proofing session, and post-enrollment actions. These steps may occur in a single session or there could be significant time elapsed between each one (e.g., days or weeks).
General and step-specific usability considerations are described in sub-sections below.
ASSUMPTIONS
In this section, the term “users” means “applicants” or “subscribers.”
Guidelines and considerations are described from the users’ perspective.
Accessibility differs from usability and is out of scope for this document. Section 508 was enacted to eliminate barriers in information technology and require federal agencies to make their electronic and information technology public content accessible to people with disabilities. Refer to Section 508 law and standards for accessibility guidance.
This sub-section provides usability considerations that are applicable across all steps of the enrollment process. Usability considerations specific to each step are detailed in Sections 9.2 to 9.4.
To avoid user frustration, streamline the process required for enrollment to make each step as clear and easy as possible.
Clearly communicate how and where to acquire technical assistance. For example, provide helpful information such as a link to online self-service feature, chat sessions, and a phone number for help desk support. Ideally, sufficient information should be provided to enable users to answer their own enrollment preparation questions without outside intervention.
Clearly explain who is collecting their data and why. Also indicate the path their data will take, in particular where the data is being stored.
This section describes an effective approach to facilitate sufficient pre-enrollment preparation so users can avoid challenging, frustrating enrollment sessions. Ensuring users are as prepared as possible for their enrollment sessions is critical to the overall success and usability of the enrollment and identity proofing process.
Such preparation is only possible if users receive the necessary information (e.g., required documentation) in a usable format in an appropriate timeframe. This includes making users aware of exactly what identity evidence will be required. Users do not need to know anything about IALs or whether the identity evidence required is scored as “fair,” “strong,” or “superior,” whereas organizations need to know what IAL is required for access to a particular system.
To ensure users are equipped to make informed decisions about whether to proceed with the enrollment process, and what will be needed for their session, provide users:
Explanation of the need for — and benefits of — identity proofing to allow users to understand the value proposition.
Information on the monetary amount and acceptable forms of payment, and if there is an enrollment fee. Offering a larger variety of acceptable forms of payment allows users to choose their preferred payment operation.
Usability considerations specific to the enrollment session include:
If users receive the authenticator during the enrollment session, provide users information on the use and maintenance of the authenticator. For example, information could include instructions for use (especially if there are different requirements for first-time use or initialization), information on authenticator expiration, how to protect the authenticator, and what to do if the authenticator is lost or stolen.
Post-enrollment refers to the step immediately after enrollment but prior to typical usage of an authenticator (for usability considerations for typical authenticator usage and intermittent events, see SP800-63B, Section 10.1-10.3. As described above, users have already been informed at the end of their enrollment session regarding the expected delivery (or pick-up) mechanism by which they will receive their authenticator.
Usability considerations for post-enrollment include:
Minimize the amount of time that users wait for their authenticator to arrive. Shorter wait times will allow users to access information systems and services more quickly.
Inform users whether they need to go to a physical location to pick up their authenticators. The previously-identified usability considerations for appointments and reminders still apply.
Along with the authenticator, give users information relevant to the use and maintenance of the authenticator; this may include instructions for use, especially if there are different requirements for first-time use or initialization, information on authenticator expiration, and what to do if the authenticator is lost or stolen.
This section is informative.
[A-130] OMB Circular A-130, Managing Federal Information as a Strategic Resource, July 28, 2016, available at: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.
[COPPA] Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. 6501-6505, 16 CFR Part 312, available at: https://www.law.cornell.edu/uscode/text/15/chapter-91.
[EO 9397] Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, November 22, 1943, available at: https://www.ssa.gov/foia/html/EO9397.htm.
[DMF] National Technical Information Service, Social Security Death Master File, available at: https://www.ssdmf.com/Library/InfoManage/Guide.asp?FolderID=1.
[E-Gov] E-Government Act of 2002 (includes FISMA) (P.L. 107-347), December 2002, available at: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf.
[FBCACP] X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA), Version 2.30, October 5, 2016, available at: https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/FBCA_CP.pdf.
[FBCASUP] FBCA Supplementary Antecedent, In-Person Definition, July 16, 2009.
[FEDRAMP] General Services Administration, Federal Risk and Authorization Management Program, available at: https://www.fedramp.gov/.
[GPG 45] UK Cabinet Office, Good Practice Guide 45, Identity proofing and verification of an individual, November 3, 2014, available at: https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual.
[M-03-22] OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, available at: https://georgewbush-whitehouse.archives.gov/omb/memoranda/m03-22.html.
[M-04-04] OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003, available at: https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy04/m04-04.pdf.
[Privacy Act] Privacy Act of 1974 (P.L. 93-579), December 1974, available at: https://www.justice.gov/opcl/privacy-act-1974.
[Red Flags Rule] 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457, Fair and Accurate Credit Transaction Act of 2003, December 18, 2010, available at: https://www.ftc.gov/sites/default/files/documents/federal_register_notices/identity-theft-red-flags-and-address-discrepancies-under-fair-and-accurate-credit-transactions-act/071109redflags.pdf.
[Section 508] Section 508 Law and Related Laws and Policies (January 30, 2017), available at: https://www.section508.gov/content/learn/laws-and-policies.
[Canada] Government of Canada, Guideline on Identity Assurance, available at: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=30678§ion=HTML.
[ISO 9241-11] International Standards Organization, ISO/IEC 9241-11 Ergonomic requirements for office work with visual display terminals (VDTs) — Part 11: Guidance on usability, March 1998, available at: https://www.iso.org/standard/16883.html.
NIST 800 Series Special Publications are available at: http://csrc.nist.gov/publications/nistpubs/index.html. The following publications may be of particular interest to those implementing systems of applications requiring e-authentication.
[SP 800-53] NIST Special Publication 800-53 Revision 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (updated January 22, 2015), https://doi.org/10.6028/NIST.SP.800-53r4.
[SP 800-63-3] NIST Special Publication 800-63-3, Digital Identity Guidelines, June 2017, https://doi.org/10.6028/NIST.SP.800-63-3.
[SP 800-63B] NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, June 2017, https://doi.org/10.6028/NIST.SP.800-63b.
[SP 800-63C] NIST Special Publication 800-63C, Digital Identity Guidelines: Assertions and Federation, June 2017, https://doi.org/10.6028/NIST.SP.800-63c.
[SP 800-157] NIST Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, December 2014, http://dx.doi.org/10.6028/NIST.SP.800-157.