This document sets forth requirements for enrollment, identity proofing, and linking authenticators to subscribers' enrollment records at each Identity Assurance Level (IAL), as well as the responsibilities of credential service providers (CSPs). These standards contain both normative and informative requirements.
IAL2 requires more rigorous processes and evidence collection to address impersonation threats effectively, and requires on-site attended identity proofing by a trusted referee.
NIST 800-63A IAL3 compliant solution
NIST IAL3 verification methods are intended to prevent more sophisticated attacks, including evidence falsification, theft and repudiation. They involve a trained CSP representative interacting directly with an applicant during an on-site attended IAL3 identity proofing session and delivering one or more authenticators bound to that account.
An alternative approach for CSPs is to offer a Non-Biometric Pathway that does not include automated comparison of biometric samples submitted by applicants. Instead, this pathway requires validation of core attributes with credible sources and checks against vital statistics repositories (e.g., the Death Master File).
The Non-Biometric Pathway is an optional feature of IAL2. When used, CSPs must record which verification pathways were used to achieve an IAL2 result and make that information available via assertion or API to relying parties (RPs). CSPs may additionally support trusted referees who are trained and vetted to make risk-based decisions about applicants who cannot fulfill all IAL requirements.
Kiosks
TrustSwiftly provides a supervised remote identity proofing service that quickly approves real e-commerce customers while stopping fraudsters. It uses 15 different verification methods, including document verification (with support for thousands of documents worldwide), selfie, fingerprint, voice authentication and dynamic knowledge-based authentication (DKA). Risky transactions are flagged for review by TrustSwiftly, and transactions connected directly with Stripe Radar are routed to the system for further review.
NIST 800-63A IAL3 helps prevent more sophisticated attacks, including advanced evidence falsification, theft, repudiation and other social engineering tactics. Furthermore, more stringent processes must be put in place to validate, authenticate and verify identity evidence; these may take place through remote unattended or attended processes, with or without a CSP representative present.
IAL3 was designed to limit highly scalable attacks while simultaneously encouraging user adoption, rejecting legitimate users less frequently and minimizing application abandonment. CSPs may employ multiple pathways leading to IAL2, recording which ones were used for each subscriber record and making this information available to RPs via assertion or API.
Managed solution
TrustSwiftly's remote IAL3 compliant solution provides a robust defense against sophisticated fraud attempts with flexible verification methods, including document validation (which supports thousands of global documents), biometric checks (facial recognition with liveness detection, fingerprint and voice verification) and dynamic knowledge-based authentication. Furthermore, its integration with Stripe Radar enables more powerful review of risky transactions.
The IAL2 Non-Biometric Pathway provides verification pathways that do not rely on automated comparison between an applicant's biometric sample and the one contained in the identity evidence. These provide a sufficient deterrent against highly scalable attacks, protecting against identity impersonation, attribute falsification, theft and repudiation as well as more advanced social engineering tactics.
CSPs should offer multiple verification pathways and encourage their customers to select those which best meet their business requirements and threat environment. No matter which path is selected, CSPs should record each pathway used to achieve an IAL2 result and make that information available through assertion or API to their RPs.
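As an added example (not code from the page, TrustSwiftly or NIST), the following sketches the record-and-expose requirement described above: the CSP records which verification pathways produced an IAL2 result, carries that record in an integrity-protected assertion, and the RP applies its own policy to it. The claim names, pathway labels and the shared-key HMAC standing in for the CSP's assertion signature are all assumptions for illustration.

```python
"""Added example, not code from the page, TrustSwiftly or NIST: a CSP records
which verification pathways produced an IAL2 result and carries that record in
an integrity-protected assertion; the RP checks it against its own policy.
Claim names are hypothetical, not defined by SP 800-63A."""
from dataclasses import dataclass, field
import hashlib
import hmac
import json

# Pathways the page discusses: automated biometric comparison, the
# Non-Biometric Pathway (attribute validation + vital-statistics checks),
# and trusted-referee decisions for applicants who cannot meet every requirement.
BIOMETRIC = "biometric_comparison"
NON_BIOMETRIC = "non_biometric"
TRUSTED_REFEREE = "trusted_referee"


@dataclass
class ProofingRecord:
    subject: str
    ial: int
    pathways: list = field(default_factory=list)
    attributes_validated: bool = False      # core attributes checked with credible sources
    vital_statistics_checked: bool = False  # e.g. Death Master File lookup


def csp_build_assertion(rec: ProofingRecord, key: bytes) -> dict:
    """CSP side: refuse to assert IAL2 via the Non-Biometric Pathway unless
    both of its required checks actually ran, then MAC the payload
    (a shared-key HMAC stands in for the CSP's real assertion signature)."""
    if NON_BIOMETRIC in rec.pathways and not (
        rec.attributes_validated and rec.vital_statistics_checked
    ):
        raise ValueError("Non-Biometric Pathway incomplete; cannot assert IAL2")
    payload = {
        "sub": rec.subject,
        "ial": rec.ial,
        "verification_pathways": sorted(rec.pathways),  # hypothetical claim name
    }
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def rp_accept(assertion: dict, key: bytes, require_biometric: bool) -> bool:
    """RP side: verify integrity, then apply local policy to the pathway record
    (e.g. a high-risk RP may insist on the biometric pathway)."""
    body = json.dumps(assertion["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return False
    p = assertion["payload"]
    if p["ial"] < 2:
        return False
    return not require_biometric or BIOMETRIC in p["verification_pathways"]
```

The RP never has to trust a bare "IAL2" label: the pathway list lets it distinguish a biometric result from a non-biometric one and decide per its own threat environment.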
Pre-configured hardware
Whether you opt for a DIY solution or managed hardware, IAL3 is achievable. In both cases, however, a strong root of trust that can protect against quantum threats is required; such devices are FIPS 140-3 certified and provide cryptographic agility, modular SDK extensions and physical security.
CSPs can use the IAL2 Non-Biometric Pathway to verify an applicant's identity without automated comparison of biometric samples against other forms of evidence. This pathway offers reasonable deterrence against impersonation attacks while significantly shortening attacker time-to-value.
The new IAL3 standard represents a substantial upgrade over the previous version, emphasizing physical security and tamper resistance, multi-factor authentication (especially at Level 4), side channel attack mitigation, and hardware, firmware and software requirements. Furthermore, additional requirements exist for managing information security and privacy risks, as well as a framework for integrating post-quantum algorithms into existing systems.
