Identity proofing solutions add a level of security to your enterprise and create a better user experience for your employees and customers.
What is identity proofing? Identity proofing is a process that verifies a person is who they say they are to gain access to specific programs or data. This process confirms this identity exists and it is the person attempting to gain access.
How Does Identity Proofing Work and Why Does It Matter?
In a 2020 study, Javelin found that fraud costs organizations almost $17 billion in the previous year. The reasons for these immense losses are varied and complex in some cases, but many of them can be reduced to issues related to Identity and access management (IAM), including poor security hygiene, misconfigured authentication systems, or a lack of proper proofing.
Identity proofing addresses one of the limitations of most IAM systems: they allow users to self-register through identification criteria that don’t help verify users in a meaningful way. This is due to the nature of digital identification and its limitations.
The National Institute of Standards and Technology (NIST) gives us two unique definitions for IAM and verification:
- Claimed Identity: Information the user gives to the system when they register their identity with IAM. This can typically be an email address, phone number, or PIN.
- Actual Identity: Information that demonstrates that the user accessing an IAM system is actually who they claim to be.
While the difference between the two might seem subtle, there is actually a huge gap. With claimed identity, the user can provide general information during registration, like an email address, without any mechanism to demonstrate that they actually are who they say they are. So a hacker with access to a victim’s email attempts to break into the system using that email because it assumes the user with the email is authentic.
Actual identity proofing requirements call for more, or multiple levels, of proof. It’s like when you attempt to access services at a bank: the bank tellers will often ask for identification in the form of a driver’s license or passport before discussing confidential account information with you.
In a digital context, proofing can include manual forms of identification like government documents or other methods of proof that include biometrics, questions regarding historical information (like a credit report or payment history), or an aliveness test. In either case, proofing adds a level of security to IAM by requiring users to prove who they are at the point of access.
Proofing is a significant step in IAM, so much so that NIST published Digital Identity Guidelines documentation on Enrollment and Identity Proofing. This document outlines requirements which can be broken down, according to NIST guidelines, into a three-step process:
- Resolution, or distinguishing an identity within a system of identities.
- Validation, or gathering evidence from the person and verifying that the evidence is authentic.
- Verification, or confirming the person’s identity at the time of access.
Additionally, UK law outlines five steps for identity proofing:
- Acquiring evidence through strong documentation
- Validating the authenticity of that documentation
- Determine the persistence (activity) of that identity over time through bills or other records
- Checking for potential fraud by comparing against a national fraud database
- Verifying ownership for the person claiming it
In both approaches, the idea is that proofing provides organizations with reliable proof that a person is who they claim to be.
Regulations, Compliance, and Identity Proofing
NIST breaks down proofing evidence into categories of strength based on the procedures used to acquire and verify that information at the collection point. These categories include the following:
- Weak Evidence: Typical verification can include a piece of registered biometric information, a photograph, or a unique reference number that was not enrolled through a proofing process.
- Fair Evidence: This can include biometrics, a photograph, or a unique number that accompanied a verification of claimed identity through a proofing process. Additionally, evidence can also include ownership through knowledge-based questions related to the user. Finally, digital identification information is encrypted or otherwise secured, and the integrity of the data can be confirmed.
- Strong Evidence: In this designation, evidence was delivered by the user with additional confirmation (with documentation dictated by regulations or other compliance standards) that the user is the one who provided that information. This also includes secure processes that show that the evidence provided was given only to the person to whom it relates, does not contain any aliases, and has at least one unique identification number. Alongside these requirements, the verification must also include a photo or biometric ID of the user or an approved authenticator. All requirements for Fair Evidence designation also apply.
- Superior Evidence: Alongside the requirements for Strong Evidence, Superior Evidence must include several checks during the issuing of evidence, including visual checks or other background checks to confirm the person’s existence and connect the user to that identity. Superior Evidence must also contain a photograph and an additional biometric template, digital encryption, and additional physical security features requiring proprietary technologies to confirm identity.
Based on these levels of evidence, the NIST Digital Identity Guidelines break down assurance into different levels of rigor:
- Identity Assurance Level 1 (IAL1): This level doesn’t require the mapping of a claimed identity to a real person—there is no required identity proofing.
- Identity Assurance Level 2 (IAL2): This level requires remote or in-person proofing using Strong or Superior Evidence as per procedures outlined in NIST SP 800-63A. This can include a driver’s license or a passport, as well as biometrics for liveness tests.
- Identity Assurance Level 3 (IAL3): Requires in-person or supervised proofing using Superior or Strong Evidence and mandatory biometric information.
Remote proofing does provide additional challenges to identity proofing at IAL2 or IAL3. NIST 800-63A dictates that remote proofing requires one of the following:
- A remote operator is present for part of a proofing session that can confirm requirements have been met and that the person in question has provided evidence.
- Automated technologies, like liveness tests or evidence verification, ensure requirements have been met and no spoofing or fraud occurs.
- An offline operator takes evidence from a previous proofing session and evaluates evidence for authenticity.
Moving Beyond Traditional Identity Management with Identity Proofing
Users and devices interact with IAM systems in complex and unpredictable ways. Unfortunately, many organizations, even government agencies and enterprise businesses, rely on outdated identification and verification methods like passwords, PINs, and emails. While an essential part of identification, biometrics provide a false sense of security for many of us. As such, we see avoidable data breaches occur because IAM systems don’t confirm the person accessing a system is who they say they are.
Strong identity proofing prevents the preventable by requiring individuals to prove their actual identity. Strong forms of proof like in-person or remote verification, liveness tests, and government documents with photographic IDs can take potential vulnerabilities and mitigate them.
Biometrics have been an excellent first step, but only an incremental one. In a world of increasing cyber espionage and threats from foreign actors, it’s critical to create proofing that connects actual identity with claimed identity without impeding access to legitimate users.
1Kosmos BlockID and Identity Proofing
Identity management is one of the more essential functions in an IT system. 1Kosmos BlockID is taking that important function and revolutionizing it. The future is passwordless, and BlockID combines identity proofing with passwordless authentication to bring together tight, compliant security with a streamlined and intuitive user experience.
BlockID includes features like the following:
- KYC compliance: BlockID Verify is KYC compliant to support eKYC verification that meets the demands of the financial industry.
- Strong compliance adherence: BlockID meets NIST 800 63-3 for Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).
- Incorruptible Blockchain Technology: Store user data in protected blockchains with simple and secure API integration for your apps and IT infrastructure.
- Zero-trust security: BlockID is a cornerstone for a zero-trust framework, so you can ensure user authentication happens at every potential access point.
- Liveness Tests: BlockID includes liveness tests to improve verification and minimize potential fraud. With these tests, our application can prove that the user is physically present at the point of authentication.
- Enhanced User Experience: With the BlockID app, authentication and login are simple, straightforward, and frictionless across systems, applications and devices. Logging into a system isn’t difficult, and you don’t have to sacrifice usability in the name of security.
With these measures, you won’t have to worry about the typical weaknesses of password systems like brute-force attacks or stolen passwords.
If you’re ready to learn about BlockID and how it can help you remain compliant and secure, read our eBook on how to Go Beyond Passwordless Solutions. Make sure you sign up for the 1Kosmos email newsletter for updates on products and events.