Description: When an identity is created and periodically when in an active state, an acceptable level of identity assurance must be maintained to verify access is granted to the correct identity. To minimize the likelihood of breach, this identity proofing process must be completed prior to access being provisioned and periodically throughout the access lifetime for the identity. Identity assurance exercises may be part of the following events:
- Creation or activation of an authoritative identity record.
- Requests affecting an identity's access (e.g., account or privilege requests, password reset).
- Periodic, scheduled review of the authoritative identity record.
Benefit: Reduce the risk of a data breach due to unauthorized access by a bad actor using stolen credentials or credentials for an identity that should no longer be active.
Implementation Approaches
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
- PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
NIST SP 800-207; Zero Trust Architecture
- 2.1.3: Access to individual enterprise resources is granted on a per-session basis
- 2.1.4: Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
NIST SP 800-63; Digital Identity Guidelines
- NIST 800-63A, 4.2: General requirements that apply to identity proofing at Identity Assurance Level 2 (IAL2) and IAL3.
- NIST 800-63A, 4.4: IAL2 specific requirements for presence, resolution, evidence, validation, verification, confirmation and security controls.
- NIST 800-63A, 4.5: IAL3 specific requirements for presence, resolution, evidence, validation, verification, confirmation and security controls.
- NIST 800-63A, 5: Lists requirements to resolve, validate, and verify an identity and any supplied evidence. The requirements are intended to ensure that the claimed identity is the actual identity of the subject.
| Field | Detail |
|---|---|
| Title | Identity Proofing via Physical Verification |
| Technology Components | Authoritative Identity Data Sources: Human Resources Information Systems (HRIS); Non-Employee System of Record; Vendor Management System (VMS); Identity Governance and Administration (IGA); Identity Verification Systems |
| Description | The identity of the person is verified by a responsible party to match the identity held within the authoritative source. This verified authoritative identity data then drives downstream identity data and access. A responsible party within the organization verifies physical identification against the data held within the authoritative source throughout the identity's lifetime, including events such as: onboarding/re-onboarding; ad-hoc revalidation triggered by access events (account or privilege requests, password resets, etc.); scheduled, periodic revalidation. Examples of a responsible party: human resources representative, manager, sponsor. Examples of physical identification: driver's license, passport, security badge. |
| Pre-requisites | Responsible parties within the organization must be identified; acceptable physical identification must be defined; sufficient identity data must be collected and maintained in a searchable repository. |
| Member Companies | Fischer Identity, SailPoint, Saviynt, Seczetta |
| Field | Detail |
|---|---|
| Title | Identity Proofing via On-line Data |
| Technology Components | Authoritative Identity Data Sources: Human Resources Information Systems (HRIS); Non-Employee System of Record; Vendor Management System (VMS); Identity Governance and Administration (IGA); Identity Verification Systems |
| Description | The identity of the person is verified via electronic means to match the identity held within the authoritative source. This verified authoritative identity data then drives downstream identity data and access. Electronic identity verification compares authoritative attributes with real-time verified data in order to match the identity to the authoritative source as necessary throughout the identity's lifetime, including events such as: onboarding/re-onboarding; ad-hoc revalidation triggered by access events (account or privilege requests, password resets, etc.); scheduled, periodic revalidation. |
| Pre-requisites | Identity data required for electronic verification must be collected, maintained and auditable; identity data must be maintained in a searchable repository; policies must define the significant events that trigger identity validation/revalidation; ability to reference and compare trusted identity verification data with data that is either available in an authoritative source or provided in real time by the end user. |
| Member Companies | Fischer Identity, SailPoint, Saviynt, Seczetta, ThreatMetrix |
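As an added example (not code from the IDSA page or from any member company's product), the following Python sketch models the validation/revalidation policy shared by both approaches above: which access events trigger identity proofing, a maximum age for the last successful proofing, and, for the on-line approach, a normalized comparison of attributes returned by an identity verification system against the authoritative record. The event names, the 365-day revalidation period, the required attribute set and the sample record are assumptions chosen for illustration; a deployment would take these from its own policy and HRIS/IGA data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional
import unicodedata


class AccessEvent(Enum):
    CREATE = "create"                      # creation/activation of the authoritative record
    ACCOUNT_REQUEST = "account_request"
    PRIVILEGE_REQUEST = "privilege_request"
    PASSWORD_RESET = "password_reset"
    SCHEDULED_REVIEW = "scheduled_review"
    LOGIN = "login"                        # routine event: does not by itself trigger proofing


# Events that trigger identity (re)validation, following the events listed on the page.
PROOFING_TRIGGERS = {
    AccessEvent.CREATE,
    AccessEvent.ACCOUNT_REQUEST,
    AccessEvent.PRIVILEGE_REQUEST,
    AccessEvent.PASSWORD_RESET,
    AccessEvent.SCHEDULED_REVIEW,
}

# Hypothetical policy values (assumptions, not taken from the page).
REVALIDATION_PERIOD = timedelta(days=365)
REQUIRED_ATTRIBUTES = ("given_name", "family_name", "birth_date")


@dataclass
class AuthoritativeRecord:
    """Identity as held in the authoritative source (e.g. HRIS)."""
    identity_id: str
    active: bool
    attributes: dict
    last_proofed: Optional[date] = None


def _normalize(value: str) -> str:
    # Case-, diacritic- and whitespace-insensitive form so "José " matches "jose".
    decomposed = unicodedata.normalize("NFKD", value)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(ascii_only.casefold().split())


def proofing_required(record: AuthoritativeRecord, event: AccessEvent, today: date) -> bool:
    """Proofing is required on a triggering event, when never proofed, or when stale."""
    if event in PROOFING_TRIGGERS:
        return True
    if record.last_proofed is None:
        return True
    return today - record.last_proofed > REVALIDATION_PERIOD


def verify_attributes(record: AuthoritativeRecord, verified: dict) -> list:
    """Return the names of required attributes that do not match the verified data."""
    mismatches = []
    for name in REQUIRED_ATTRIBUTES:
        authoritative = record.attributes.get(name)
        presented = verified.get(name)
        if (authoritative is None or presented is None
                or _normalize(authoritative) != _normalize(presented)):
            mismatches.append(name)
    return mismatches


def evaluate_access(record: AuthoritativeRecord, event: AccessEvent,
                    verified: Optional[dict], today: date):
    """Decide whether the event may proceed. `verified` is the attribute set returned
    by the identity verification system, or None if no verification was performed."""
    if not record.active:
        return False, "identity not active in authoritative source"
    if not proofing_required(record, event, today):
        return True, "no proofing required for this event"
    if verified is None:
        return False, "identity proofing required but no verified data supplied"
    mismatches = verify_attributes(record, verified)
    if mismatches:
        return False, "attribute mismatch: " + ", ".join(mismatches)
    record.last_proofed = today   # record the successful proofing for the audit trail
    return True, "identity proofed"


def sample_record() -> AuthoritativeRecord:
    # Constructed sample data for illustration only.
    return AuthoritativeRecord(
        identity_id="emp-1001",
        active=True,
        attributes={"given_name": "José", "family_name": "Álvarez", "birth_date": "1985-03-14"},
        last_proofed=date(2024, 1, 15),
    )


if __name__ == "__main__":
    rec = sample_record()
    today = date(2024, 6, 1)
    print(evaluate_access(rec, AccessEvent.LOGIN, None, today))
    print(evaluate_access(rec, AccessEvent.PASSWORD_RESET, None, today))
    print(evaluate_access(rec, AccessEvent.PASSWORD_RESET,
                          {"given_name": "jose ", "family_name": "ALVAREZ", "birth_date": "1985-03-14"},
                          today))
```

The decision order matters: the active flag from the authoritative source is checked before anything else, so a de-activated identity is refused even when its credentials and proofing data are still valid, which is the "identity that should no longer be active" case named in the Benefit section. Normalizing attributes before comparison avoids false mismatches on accents and letter case while still rejecting a different name.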