UM Identity Verification And Proofing Standard
UM Information Security Office - Area: INFORMATION SECURITY POLICY
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
3/18/2024 | 1.0 | New Document | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
8/1/2024 | 1.0 | CISO | Neff, CISO |
Introduction
The university's Identity Verification and Proofing Standard is designed to establish a secure and reliable framework for verifying the identities of individuals before allowing password changes or access to sensitive information. By adopting and adapting the National Institute of Standards and Technology (NIST) digital identity guidelines, the university ensures a robust and comprehensive approach to identity verification. This standard is essential for maintaining the integrity and security of the university's digital assets.
Definitions
Authentication Assurance Level (AAL)
AAL expresses the confidence that the individual accessing the service is the same individual who established the identity during the identity proofing process. It has three levels:
- AAL1: Provides single-factor authentication, such as a password or PIN. It is suitable for low-risk scenarios.
- AAL2: Requires two-factor authentication, combining something the user knows (password) with something the user has (a mobile device or hardware token), providing a higher level of security.
- AAL3: The most secure level, requiring multi-factor authentication with at least one factor being a hardware cryptographic token or similar device that is resistant to phishing and other attacks. This level is appropriate for high-risk transactions.
Identity Assurance Level (IAL)
IAL pertains to the rigor and accuracy of the identity proofing process, determining how confidently a service can assert that it knows the true identity of the individual. It is categorized into three levels:
- IAL1: At this level, there is no requirement for an applicant's identity to be proven. It is the lowest level of assurance and is typically used for applications where the risk of an incorrect identity is low.
- IAL2: Requires that the identity proofing process establish evidence that the claimed identity exists in the real world and verify that it is not fraudulent. It involves collecting and validating identity information.
- IAL3: Involves more stringent identity proofing requirements than IAL2, including in-person verification. This level is used for high-risk scenarios where the consequences of an incorrect identity claim are severe.
Federation Assurance Level (FAL)
FAL measures the confidence in the assertion of identity and authentication information transmitted between different entities or systems. This aspect of the framework is crucial for ensuring secure and reliable identity information exchange across system boundaries. FAL also includes three levels:
- FAL1: Allows identity and authentication information to be asserted through a secured but basic method. It typically involves assertion formats and protocols such as SAML or OpenID Connect.
- FAL2: Requires stronger assertion protocols and encrypted assertion mechanisms, enhancing security compared to FAL1.
- FAL3: The highest level of federation assurance, requiring strong cryptographic binding of assertions to the requester and possibly including user consent mechanisms to increase security and privacy.
Identity Proofing
Identity proofing establishes the true identity of an individual, often before they are granted access to a system or service for the first time. It is the initial vetting process to confirm that an individual's identity information is accurate and matches with a real-world identity. This process often involves collecting and verifying various forms of government-issued identification and may include background checks, in-person verification, or online checks against authoritative sources to ensure the authenticity of the claimed identity. The goal of identity proofing is to prevent identity theft and fraud by ensuring that only legitimate individuals can create and use an identity within a system or service.
Identity Verification
Identity verification is the process of confirming the identity of an individual. It involves validating that a person is who they claim to be, typically by checking their personal information against official documents or trusted digital records. Identity verification often includes steps like entering a username and password, providing personal information, and may also involve biometric checks or two-factor authentication methods.
STANDARD
Assurance Levels Framework
The university adopts the NIST SP 800-63A framework of Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL). These levels are tailored to the risk and sensitivity of the accessed service, balancing security with user convenience.
Verification and Proofing
Identity proofing specifies the requirements for the evidence a user presents to support their identity claim. Identity proofing's sole objective is to ensure, to an acceptable level of confidence, that the user is who they claim to be, through the presentation and verification of the required level of evidence. The requirements for obtaining assurance in a user's identity are described using one of three identity assurance levels (IALs):
- IAL1: Requests for non-sensitive information, directory information, or otherwise non-PII. IAL1 requests do not require further verification.
- IAL2: Requests which require a moderate level of identity assurance may be satisfied by:
  - Use of an active UM NetID or UM Identity, or
  - The collection and verification of a minimum combination of PII such as UM 790 (or UM System equivalent), legal name, DOB, a permanent address, and the personal Email address or phone number on file.
- IAL3: Requests that require a higher level of assurance, which includes matching a photo ID to the person's face. This may be accomplished in person, electronically, or via a proxy such as a notary. Documents used for identity assurance must be originals or notarized copies.
  - IAL3 Example: Send a video meeting request to an Email address that is on file. In the video meeting, the individual displays a driver's license in front of the camera and the representative verifies that it matches the individual's face and the other PII on file.
Password Resets and Multifactor Authentication Changes
For password resets, MFA bypass and passcodes, and changes to MFA settings, UM requires IAL3.
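The two sections above (the IAL requirements per request class, and the IAL3 requirement for password resets and MFA changes) are the kind of rule a help desk or self-service tool has to apply consistently before it acts. The following Python module is an added illustration, not part of the UM standard and not UM code: it encodes those rules as a fail-closed policy check. The request category labels, the `Evidence` fields, and the choice that the IAL2 "minimum combination of PII" means at least three matching attributes (`MIN_IAL2_ATTRIBUTES`) are assumptions made for the example; the standard does not state a number.

```python
"""Added example: encode the standard's IAL requirements as a policy check.

Assumptions (not from the standard): request category labels, the Evidence
fields a representative records, and MIN_IAL2_ATTRIBUTES = 3.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class IAL(IntEnum):
    """Identity Assurance Levels, ordered so that a higher level satisfies a lower one."""
    IAL1 = 1
    IAL2 = 2
    IAL3 = 3


# Request category -> required IAL. Category names are constructed labels for the
# request classes the standard describes.
REQUIRED_IAL = {
    "directory_info": IAL.IAL1,          # non-sensitive / directory / non-PII requests
    "moderate_sensitivity": IAL.IAL2,    # requests needing a moderate level of assurance
    "password_reset": IAL.IAL3,
    "mfa_bypass_or_passcode": IAL.IAL3,
    "mfa_settings_change": IAL.IAL3,
}

# PII attributes the standard lists for the IAL2 "minimum combination".
IAL2_ATTRIBUTES = frozenset({
    "um_790_or_equivalent", "legal_name", "dob",
    "permanent_address", "personal_email", "phone",
})
MIN_IAL2_ATTRIBUTES = 3  # assumption: the standard does not state a number

# Channels through which the IAL3 photo-ID-to-face match may be performed.
IAL3_CHANNELS = frozenset({"in_person", "supervised_remote", "notary_proxy"})


@dataclass
class Evidence:
    """What the requester presented and what the trained representative recorded."""
    active_netid: bool = False                 # authenticated with an active UM NetID / UM Identity
    matched_attributes: set = field(default_factory=set)  # PII matched against the record on file
    verified_by_trained_rep: bool = False      # checks performed by an authorized, trained rep
    photo_id_matched_face: bool = False        # photo ID compared with the person's face
    photo_id_original_or_notarized: bool = False
    channel: str = ""                          # one of IAL3_CHANNELS, or "" if no photo-ID check
    invite_sent_to_email_on_file: bool = False  # supervised remote: meeting request went to the address on file


def achieved_ial(ev: Evidence) -> IAL:
    """Highest IAL the presented evidence supports; IAL1 if nothing stronger qualifies."""
    # Supervised remote proofing only counts if the session was initiated through
    # a contact channel already on file (the standard's video-meeting example).
    ial3_channel_ok = ev.channel in IAL3_CHANNELS and (
        ev.channel != "supervised_remote" or ev.invite_sent_to_email_on_file)
    if (ev.verified_by_trained_rep and ev.photo_id_matched_face
            and ev.photo_id_original_or_notarized and ial3_channel_ok):
        return IAL.IAL3
    # IAL2: either an active NetID, or enough verified PII attributes.
    matched = set(ev.matched_attributes) & IAL2_ATTRIBUTES
    attribute_path = ev.verified_by_trained_rep and len(matched) >= MIN_IAL2_ATTRIBUTES
    if ev.active_netid or attribute_path:
        return IAL.IAL2
    return IAL.IAL1


def decide(request_type: str, ev: Evidence) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown request types fail closed."""
    required = REQUIRED_IAL.get(request_type)
    if required is None:
        return False, f"unknown request type {request_type!r}; denied"
    achieved = achieved_ial(ev)
    if achieved >= required:
        return True, f"{request_type}: requires {required.name}, proofed to {achieved.name}"
    return False, f"{request_type}: requires {required.name}, only proofed to {achieved.name}"


if __name__ == "__main__":
    # Constructed scenario: a password reset attempted with only a NetID login (IAL2 evidence).
    print(decide("password_reset", Evidence(active_netid=True)))
    # Constructed scenario: the standard's IAL3 example, a video meeting sent to the email on file.
    print(decide("password_reset", Evidence(
        verified_by_trained_rep=True, photo_id_matched_face=True,
        photo_id_original_or_notarized=True, channel="supervised_remote",
        invite_sent_to_email_on_file=True)))
```

The ordering of `IAL` as an `IntEnum` is what lets a single comparison express "IAL3 evidence satisfies an IAL2 request, but not the reverse"; the first constructed scenario is denied precisely because a NetID login is IAL2 evidence and password resets are pinned to IAL3 by the standard.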
Physical Presence
At IAL3, physical presence is mandatory during the identity proofing process: the user must be present for verification, either in person or through IAL3 Supervised Remote Identity Proofing, which is intended to achieve levels of confidence and security comparable to an in-person interaction with the user.
Authorized Verification
Identifying attributes (such as personal information) must be verified by an authorized and trained representative.
Proof of Identity
The goal is to identify the person attempting to authenticate. Proof of identity at this level provides a higher degree of confidence in the individual's identity.
Continuous Improvement
The university will continually evaluate and refine its identity verification standards, responding to technological advancements, community feedback, and evolving security threats. This includes a regular review of the impact on both the organization and individuals, integrating equity, privacy, and usability into the ongoing development of the identity risk management model.
Procedures
The UM Information Security Office (ISO) will update this document periodically in response to emerging trends and guidance from information security professional organizations.
References
- NIST SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing Requirements
- UM Information Security Policy