NIST and Digital Identity Verification 

We often take digital identity for granted. We create accounts all over the Internet for various services, but rarely think about the information that sits on a server at every company we interact with. We also rarely think about the potential for fraud related to those identities, and how that threat affects businesses in finance or military defense. That is why, in crucial industries, digital identity verification is necessary.


What Is Digital Identity Verification?

Digital identities represent users in the IT systems associated with different products, services and resources. These identities are increasingly common but fragmented, with users creating separate accounts across multiple platforms.

This is acceptable for general consumers, but it isn’t sustainable in enterprise situations. Because digital identities serve as authentication and authorization vehicles for complex applications and sensitive resources, businesses and agencies must be able to verify that a user is who they claim to be. This is a challenging prospect, however, because of a few drawbacks:

  • Presence: Authentication and authorization for digital systems often occur remotely. Problematically, the system cannot verify with 100% accuracy that the person using identity credentials is the correct user. Some multifactor authentication schemes will use measures like SMS or email token authentication to substitute for this kind of presence verification. Still, if the user’s email or devices are compromised, that approach is useless.
  • Liveness: Biometric authentication has come a long way, with more advanced scanning tech making its way into endpoint devices like laptops and mobile devices. Modern hackers, however, are always catching up, and many are finding ways to use physical props, selfies or other technologies to bypass biometric authentication. 

Both of these challenges stem from the fact that systems rarely, if ever, verify the user in a physical sense during the act of authentication. These systems also rarely carry forward any official verification from the onboarding process.

With these limitations, it quickly becomes apparent that simple authentication is not sufficient for critical industries. Congress agrees with this assessment: following the 9/11 attacks and the passing of the U.S. Patriot Act, it instituted strict overhauls of cybersecurity in the banking and finance industries.

Some core laws in this industry are called Anti-Money Laundering (AML) laws. To complement AML efforts in the world of online banking, the Patriot Act expanded security by introducing Know Your Customer/Client (KYC) rules. These require banks to verify the identity of their customers via document ID or additional measures. Banks in verticals with a high risk of fraud may be asked to seek even more rigorous identity verification from customers.


Identity Verification and NIST


If this kind of identity verification is necessary for the financial industry, it is also essential for any government agency with applicable restrictions. 

The National Institute of Standards and Technology (NIST) publishes Special Publication 800-63, Digital Identity Guidelines, to support secure identity management and verification. The series covers several specialty areas: its companion volumes SP 800-63A, 800-63B and 800-63C address enrollment and identity proofing, authentication and lifecycle management, and federation and assertions respectively.

Within these documents, two very important standards are defined. These standards play a critical role in ensuring that organizations can verify a user’s identity in line with anti-fraud efforts. 

  • Identity Assurance: Identity Assurance requires that an organization collect specific information from a client or customer to verify their identity. This requirement is measured as an Identity Assurance Level (IAL), where higher levels represent stricter verification requirements. IAL1 imposes no identity proofing requirements. IAL2 calls for one or more pieces of official documentation to be verified during an in-person or remote video session. IAL3 requires everything from IAL2, plus correlating biometrics and mandatory in-person verification.
  • Authenticator Assurance: These standards require that a user provide specific information at the point of authentication to verify identity. Authenticator Assurance, like IAL, is measured in Authenticator Assurance Levels (AAL). AAL1 requires a system to collect credentials from a list of potential authentication methods, including secrets, passcodes, one-time passwords (OTP), MFA methods or hardware tokens. AAL2 restricts authentication to MFA OTP, software or hardware, alongside a possession-based form of authentication. It must also include verification with an authorized agent. AAL3 specifically requires a hardware-based cryptographic authentication method as part of an MFA solution, plus agent-based verification.

In terms of application, IAL is usually a form of verification during onboarding and document management and can be used as an accompaniment to authentication. On the other hand, AAL dictates rigorous authentication methods for users accessing system resources. 
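The AAL distinction above is what a relying party actually has to enforce at access time: work out which level the current session reached from the authenticators that were really used, then compare it with the minimum the resource demands and force a step-up when it falls short. The block below is an added example, not code from the article or from NIST; its level rules are a simplified reading of the article's AAL summary (AAL1: any single authenticator; AAL2: multi-factor including a possession-based authenticator; AAL3: a hardware-based cryptographic authenticator used as part of MFA), and the authenticator catalogue, resource paths and minimum levels are constructed for illustration.

```python
"""Relying-party policy check: derive the AAL reached by an authentication event
and enforce a per-resource minimum.  Added example; not from the article or NIST.
The rules in achieved_aal() are a simplified reading of the article's AAL summary.
All authenticator types and resource policies below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    cryptographic: bool = False  # proves a key, rather than revealing a reusable secret
    hardware: bool = False       # key material is held in a hardware device


# Constructed catalogue of authenticator types (attributes assumed for illustration)
PASSWORD = Authenticator("memorized secret", Factor.KNOWLEDGE)
SMS_OTP = Authenticator("SMS one-time code", Factor.POSSESSION)
TOTP_APP = Authenticator("software TOTP app", Factor.POSSESSION)
HW_KEY = Authenticator("hardware security key", Factor.POSSESSION,
                       cryptographic=True, hardware=True)


def achieved_aal(used: list[Authenticator]) -> int:
    """Return 0 (nothing authenticated) or the AAL 1..3 reached by these authenticators."""
    if not used:
        return 0
    factors = {a.factor for a in used}
    multi_factor = len(factors) >= 2                     # distinct factor types, not just two authenticators
    has_possession = Factor.POSSESSION in factors
    hw_crypto = any(a.cryptographic and a.hardware for a in used)
    if multi_factor and hw_crypto:
        return 3   # hardware-based cryptographic authenticator as part of MFA
    if multi_factor and has_possession:
        return 2   # MFA that includes a possession-based authenticator
    return 1       # a single authenticator of any kind


@dataclass(frozen=True)
class Decision:
    allowed: bool
    achieved: int
    required: int
    reason: str


# Constructed minimum AAL per resource path
RESOURCE_POLICY = {
    "/public/newsletter": 1,
    "/accounts/transfer": 2,
    "/admin/keys": 3,
}


def authorize(resource: str, used: list[Authenticator]) -> Decision:
    """Fail closed: a resource missing from the policy table demands the highest level."""
    required = RESOURCE_POLICY.get(resource, 3)
    achieved = achieved_aal(used)
    if achieved >= required:
        return Decision(True, achieved, required, "assurance level satisfied")
    return Decision(False, achieved, required,
                    f"step-up required: AAL{achieved} < AAL{required}")


if __name__ == "__main__":
    sessions = {
        "password only": [PASSWORD],
        "password + SMS": [PASSWORD, SMS_OTP],
        "password + hardware key": [PASSWORD, HW_KEY],
        "hardware key alone": [HW_KEY],
    }
    for label, used in sessions.items():
        for path in RESOURCE_POLICY:
            d = authorize(path, used)
            print(f"{label:24} {path:20} AAL{d.achieved} -> {'allow' if d.allowed else 'deny'} ({d.reason})")
```

Two design points carry most of the value. A hardware key used on its own still only reaches AAL1 here, because the article ties AAL3 to a hardware cryptographic authenticator used as part of MFA, not as a single factor; and unknown resources default to AAL3 so that a missing policy entry denies rather than silently grants access.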


Coordinate Authentication and Security with Continuum GRC

Authentication and authorization are part of compliant systems with measurable, auditable components. If you work in an industry where IAL, AAL or general Identity and Access Management (IAM) measures are required for compliance, you will most likely have to run those systems through compliance audits.

Continuum GRC ITAM is a streamlined, automated system that supports such assessments. Continuum GRC ITAM is the only FedRAMP authorized assessment solution globally and is configured for some of the most common and complex regulations and frameworks on the market. 


Ready to Get Started Managing Digital Identity and Access?

Call Continuum GRC at 1-888-896-6207 or complete the form below.
