Introducing NIST Identity Assurance Levels with SAML
NIST Identity Assurance Levels with SAML
Today, federal institutions require their subscribers to be verified to NIST Identity Assurance Level 2 (IAL2) before they can access their tax return or healthcare benefits. With a simple request from providers, 1Kosmos is able to trigger an identity verification journey that takes your user to the desired Identity assurance level remotely. This journey lends itself to other industries where identity verification is indispensible – like physicians prescribing controlled substances, etc.
Following the NIST guidelines around digital identity verification, here is the journey that users can take to get to IAL2:
- Step 1: Email & Phone Verification
- Step 2: Govt ID Verification
- Step 3: Biometric Verification
- Step 4: Generate Reusable IAL2 Credential
During Identity verification, the platform is designed to tailor the journey depending on the evidence provided by the user. Criteria around the strength of the document, verification results against 3rd parties, biometric verification and triangulation of data determines the path of the user. Once IAL2 is achieved, the journey terminates returning the user back to the Service Provider with a successful result.
Proof of Verification
1Kosmos uses a decentralized identity platform to store the Proof of Verification (PoV). PoV is a process by which a summary of the types and specifics of user verification details that were used to compute an IAL2 for the user. These user details are verified from data on the different Government-issued documents presented by the user. PoV is stored on a permissioned blockchain. This process creates an immutable record that can be presented and verified at a later time. No sensitive PII information is ever stored on the blockchain.
Document Expiry Handling
If a user’s government-issued document expires, their IAL level automatically drops to IAL1. This triggers a reproofing workflow that allows the user to reach the desired IAL before access to services can be restored. This reproofing journey ensures that a user’s identity is always verified at the time of authentication.
SAML based IAL Proofing Journey
- Relying parties can trigger an identity verification using a AuthnContextClassRef with the desired IAL level.
- A response is returned letting the relying party know if the user passed identity verification and their current IAL level.