This article lists the identity proofing requirements to resolve, validate, and verify a claimed digital identity and any user-supplied identity evidence. The requirements ensure that the claimed identity is the actual real-life identity of the subject attempting to enroll with the Credential Service Provider (CSP) and not an impostor. They also ensure that scalable attacks affecting a large population of enrolled individuals require more time and cost than the value of the resources the system protects. An attacker must pass through resolution, which distinguishes the requestor; validation of the supplied documentation; and verification that the documentation is linked to a real person.
Identity Proofing – Resolution
The goal of identity resolution is to distinguish a user from a given population in the identity proofing cycle. Many attributes can be used at this step, but effective resolution should use the least amount of information needed to single out an individual from a group of users. Unique documentation is used in this process, as well as knowledge-based verification, to connect a claimed digital identity to an existing real-life identity. Identity evidence supplied at this stage should be unique to the applicant.
Identity Proofing – Validation
The purpose of identity validation is to collect the appropriate documentation from a claimant before verifying and confirming it against an existing database. The identity evidence supplied falls on a scale of strength, from weak to superior. Superior pieces of evidence identify the individual and can be quickly cross-checked against secure databases, whereas weak pieces are unverifiable and do not distinguish a claimant from the user base at all. Depending on the Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL), user evidence must fall under the appropriate strength categories. The highest levels will not accept weak evidence and require superior, verifiable information. Weak documentation also includes any information that cannot be checked for tampering, such as a blurry ID photo.
Identity Proofing – Verification
After collection and validation of the supplied identity evidence is complete, the final step is to confirm that the claimed digital identity is linked to the real-life existence of the subject. The strongest evidence is supported and reinforced by existing records and databases that can be easily cross-checked. The supplied evidence should match existing records and confirm the legitimacy of the applicant. Knowledge-based verification questions are allowed at this step, but they must be supported by validated identity evidence and may not have answers which stay the same (e.g. what was your first car?). These precautions ensure that all data supplied is trusted, valid and easily verifiable, which creates trust in the application process as well as in the enrolled user base.
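The three stages above (resolution, validation, verification) can be modelled as a pipeline in which an applicant is rejected at the first stage that fails. The following is an added example, not code from the original article or from any CSP product: the `Strength` scale, the per-IAL minimum strengths in `MIN_STRENGTH_BY_IAL`, and the `RECORDS` store are constructed assumptions for illustration and are not a normative NIST table. It shows resolution using the smallest set of attributes that singles out one record, validation that downgrades evidence which cannot be checked for tampering (the blurry-photo case) to weak before comparing it with the IAL's minimum, and verification that every attribute on the evidence matches the resolved record.

```python
"""Illustrative identity-proofing pipeline: resolve -> validate -> verify.

Added example. Strength levels, IAL thresholds and the record store below are
assumed values for illustration, not NIST SP 800-63A's normative requirements.
"""
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    """Assumed evidence-strength scale, weakest to strongest."""
    UNACCEPTABLE = 0
    WEAK = 1
    FAIR = 2
    STRONG = 3
    SUPERIOR = 4


@dataclass
class Evidence:
    kind: str                 # e.g. "passport" (constructed label)
    strength: Strength        # strength claimed for this document type
    tamper_checkable: bool    # False for e.g. a blurry photo that cannot be inspected
    attributes: dict          # attributes printed on the document


@dataclass
class Applicant:
    claimed: dict             # attributes the applicant asserts about themselves
    evidence: list            # list[Evidence]


# Assumed policy: minimum strength of the best piece of evidence at each IAL.
MIN_STRENGTH_BY_IAL = {1: Strength.WEAK, 2: Strength.STRONG, 3: Strength.SUPERIOR}

# Constructed stand-in for an authoritative issuing-source database.
RECORDS = [
    {"name": "Alice Example", "dob": "1990-04-12", "doc_number": "X123456"},
    {"name": "Alice Example", "dob": "1985-11-02", "doc_number": "Y987654"},
]


def resolve(claimed, population, attributes_in_order):
    """Narrow the population using the smallest prefix of attributes that
    leaves at most one candidate. Returns (candidates, attributes_used)."""
    candidates = list(population)
    used = []
    for attr in attributes_in_order:
        if len(candidates) <= 1:
            break
        used.append(attr)
        candidates = [r for r in candidates if r.get(attr) == claimed.get(attr)]
    return candidates, used


def validate(evidence, ial):
    """Evidence that cannot be checked for tampering counts as weak regardless
    of its nominal strength; the best remaining piece must meet the IAL minimum."""
    effective = [e.strength if e.tamper_checkable else Strength.WEAK for e in evidence]
    best = max(effective, default=Strength.UNACCEPTABLE)
    return best >= MIN_STRENGTH_BY_IAL[ial], best


def verify(evidence, record):
    """Every attribute printed on the evidence must match the resolved record."""
    for e in evidence:
        for key, value in e.attributes.items():
            if record.get(key) != value:
                return False
    return True


def proof(applicant, ial, records=RECORDS):
    """Run the pipeline and report the stage at which the applicant stopped."""
    candidates, used = resolve(applicant.claimed, records, ["name", "dob", "doc_number"])
    if len(candidates) != 1:
        return {"ok": False, "stage": "resolution", "attributes_used": used}
    ok, best = validate(applicant.evidence, ial)
    if not ok:
        return {"ok": False, "stage": "validation", "best_strength": best.name}
    if not verify(applicant.evidence, candidates[0]):
        return {"ok": False, "stage": "verification"}
    return {"ok": True, "stage": "complete", "attributes_used": used}


if __name__ == "__main__":
    passport = Evidence("passport", Strength.SUPERIOR, True,
                        {"name": "Alice Example", "dob": "1990-04-12", "doc_number": "X123456"})
    alice = Applicant({"name": "Alice Example", "dob": "1990-04-12"}, [passport])
    print(proof(alice, 3))
```

Because two records share the applicant's name, resolution needs both `name` and `dob` to single one out, and it stops there without consulting `doc_number`. Submitting the same passport as a blurry scan makes it fail validation at IAL 3 but pass at the assumed IAL 1 threshold, which is the level-dependence the article describes.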