What Are the Elements of Identity Proofing?
This series aims to help companies understand the basics of identity proofing and implement it effectively. In our first post, we explored how identity proofing has been defined by the National Institute of Standards and Technology (NIST). We also contextualized it within how companies validate the identities of their customers and prevent modern identity fraud.
Now, we’ll be taking a closer look at the specific elements of identity proofing and how they work in practice.
The pieces of the identity proofing puzzle
In its documentation on identity proofing, NIST outlines three key elements for confirming a customer’s identity: resolution, validation, and verification. These three factors work together to verify that the individual is who they say they are.
As the starting point in the identity proofing process, effective identity resolution uses the smallest set of attributes possible (within a given context or population) to confirm that an individual is who they claim to be. While it includes the initial detection of potentially fraudulent activity, it does not on its own provide a complete and successful identity proofing service.
Identity resolution has historically used knowledge-based verification (KBV) methods, like a user’s mother’s maiden name, first high school, or father’s middle name, to resolve their claimed identity.
Using identity validation, businesses determine the authenticity, validity, and accuracy of the evidence a user provides, in three steps. The first is to collect the most appropriate identity evidence, such as a passport or driver’s license, digital signatures, personalized security questions, facial recognition, or fingerprint scans. The second confirms that the evidence is genuine and authentic, and the last confirms that the data contained on the evidence is valid, current, and related to a real person.
As part of the first step of the process, it’s important that customers provide evidence that appropriately determines their identity. Under the NIST’s Digital Identity Guidelines, the quality of customer evidence can be classified into five categories:
Unacceptable: No acceptable evidence of identity has been provided.
Weak: Identity proofing is not performed, but photographic or biometric evidence is assumed to establish the user’s identity.
Fair: The evidence uniquely identifies the user through at least one reference number, a photograph or biometric factor, or KBV. Furthermore, the evidence has been confirmed through cryptographic or proprietary tools and via proprietary knowledge.
Strong: In addition to the fair evidence criteria, the user’s identity can be confirmed through an authenticator factor bound to their identity.
Superior: The ultimate identity evidence classification provides high confidence that the user is who they claim to be. The enterprise will have been able to visually identify the user or performed further checks to confirm their identity, and evidence will include digital information that is protected using approved cryptographic or proprietary methods.
For the second and third steps—where the company has to determine whether the evidence is valid and accurate—NIST’s guidelines classify evidential strengths as:
Unacceptable: Evidence validation was not performed, or validation failed.
Weak: Personal details are confirmed as valid compared to information held by the enterprise.
Fair: Evidence is confirmed as valid or genuine using appropriate technologies that confirm it isn’t fraudulent, or verified as genuine by trained personnel or using cryptographic security tools.
Strong: Evidence has been confirmed to be genuine using appropriate technologies, trained personnel, or cryptographic tools. All personal and evidence details will have been validated compared to information held by the enterprise.
Identity verification is the last component of identity proofing and helps enterprises confirm and establish a link between a user’s claimed identity and the real-life person presenting the evidence. For this piece, NIST has also established a classification system to determine how strong a company’s identity verification process is:
Unacceptable: Evidence verification was not performed or failed, so the enterprise cannot confirm the applicant is the owner of the claimed identity.
Weak: The user has evidence to support their claimed identity.
Fair: The user’s identity has been confirmed using KBV, a physical comparison or a biometric comparison.
Strong: The user’s identity has been confirmed by physical comparison to a photograph or biometric comparison using appropriate technologies.
Superior: The user’s identity has been confirmed by biometric comparison using appropriate technologies.
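The three strength ladders above (evidence quality, validation, verification) lend themselves to a small decision model. The following Python is an added illustration, not code from Okta or NIST; the weakest-link rule that rates a piece of evidence by its lowest step, the "strong" acceptance threshold, and the sample evidence records are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# The three NIST strength ladders as described on this page, lowest rung first.
# The validation ladder in the text has no Superior level.
EVIDENCE_QUALITY = ["unacceptable", "weak", "fair", "strong", "superior"]
VALIDATION_STRENGTH = ["unacceptable", "weak", "fair", "strong"]
VERIFICATION_STRENGTH = ["unacceptable", "weak", "fair", "strong", "superior"]

@dataclass(frozen=True)
class Evidence:
    """One piece of identity evidence and the outcome of each proofing step."""
    kind: str           # label only (constructed), e.g. "passport"
    quality: str        # step 1: how strong the evidence itself is
    validation: str     # steps 2-3: genuine, and its data valid/current/real
    verification: str   # link between the claimed identity and the applicant

def _rank(level: str, ladder: list[str]) -> int:
    if level not in ladder:
        raise ValueError(f"{level!r} is not a level on this ladder")
    return ladder.index(level)

def effective_strength(ev: Evidence) -> str:
    """Assumed weakest-link rule (not stated by the page): evidence is only as
    strong as the weakest of quality, validation and verification, and an
    'unacceptable' outcome at any step makes the whole piece unacceptable."""
    lowest = min(_rank(ev.quality, EVIDENCE_QUALITY),
                 _rank(ev.validation, VALIDATION_STRENGTH),
                 _rank(ev.verification, VERIFICATION_STRENGTH))
    # All three ladders share the same first four rungs, so the index maps back.
    return EVIDENCE_QUALITY[lowest]

def proofing_decision(evidence: list[Evidence], required: str = "strong") -> tuple[bool, str]:
    """Accept when the best piece of evidence reaches the required level.
    The threshold is a constructed example; NIST's assurance-level rules are
    not part of this page."""
    if not evidence:
        return False, "no evidence presented"
    best = max(evidence, key=lambda e: _rank(effective_strength(e), EVIDENCE_QUALITY))
    level = effective_strength(best)
    ok = _rank(level, EVIDENCE_QUALITY) >= _rank(required, EVIDENCE_QUALITY)
    return ok, f"best evidence '{best.kind}' rated {level}, required {required}"

# Constructed sample: a passport checked cryptographically with the applicant
# matched biometrically, plus a utility bill resolved by KBV only.
SAMPLE = [
    Evidence("passport", quality="superior", validation="strong", verification="superior"),
    Evidence("utility bill", quality="fair", validation="weak", verification="fair"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.kind, "->", effective_strength(ev))
    print(proofing_decision(SAMPLE))
```

Note that the passport is capped at "strong" rather than "superior" because the validation ladder on this page tops out at strong, which is the kind of ceiling a weakest-link rule makes visible.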
Okta’s role in Identity Proofing
Traditionally, enterprises have had to choose between the time-intensive, insecure process of building an identity solution from scratch, or using a prebuilt solution that compromised the user experience. Now, they can get the best of both worlds by building customized, trusted, tailored user journeys through Okta Identity Engine.
The Okta Identity Engine provides a set of customizable building blocks for every identity experience, including pre-defined authentication, authorization, and registration flows. Enterprises can then create dynamic, context-based user journeys and adapt identity experiences accordingly. For example, they can provide passwordless authentication flows, progressive profiling that optimizes user experiences, and customizable branding for services like hotel loyalty apps based on user activity.
In order to keep their customers and data secure, enterprises need to build trust models around the users that register on their websites. To do this effectively, companies can use tools like Okta Hooks—which enable developers or IT teams to modify flows or quickly integrate other systems with custom code on any cloud or infrastructure—or adopt technology from Okta’s partners to carry out identity proofing.
Using the various elements of identity proofing, enterprises can accurately confirm the identity of each of their customers, protecting themselves from fraudulent registrations. Identity resolution, validation, and verification are the crucial foundation on which businesses build customizable identity systems. With this in place, they can focus on creating seamless and secure digital experiences for their users.
Want to learn more about identity proofing and how Okta can help? Get in touch.
For more information on identity proofing, take a look at the following materials: