
NIST 800-63A is a comprehensive digital identity guideline covering enrollment and verification procedures. Revision 4 incorporates modern threats into its continuous evaluation approach.
The core structure remains the same, with three categories of assurance level (IAL, AAL and FAL), but the requirements have been modernized accordingly. For instance, remote identity proofing methods are now fully recognized pathways to attaining IAL2.
TrustSwiftly’s IAL3 Compliant Solution
The NIST SP 800-63-3 Digital Identity Guidelines are indispensable to modern identity management, emphasizing extensive identity proofing, strong phishing-resistant authentication, and secure federated identity practices. Adherence to these standards is both a strategic imperative and a user experience enhancer. The latest version emphasizes multi-factor authentication (MFA) with strong anti-phishing protection, as well as cryptographic authenticators such as FIDO passkeys, for improved security and user experience.
The NIST SP 800-63-4 Digital Identity Guidelines have been revised to better protect against cyber attacks and fraud, prioritizing phishing-resistant authentication methods over SMS-based methods and adding biometric comparison requirements.
TrustSwiftly has developed an identity verification solution for remote workers that conforms to the NIST 800-63A IAL3 requirements. It is hosted on a secure device and loaded into an app for proofing. The application is used in supervised environments such as kiosk stands or bank branches, so that an individual threat actor cannot use advanced spoofing techniques to bypass the verification process.
IAL3 Verification Process
Identity Assurance Level (IAL) refers to the level of trust an online service provider can have in a user's identity claims. NIST 800-63A defines three identity assurance levels: IAL1, IAL2 and IAL3. Each requires different processes and methods for validating and verifying an individual, in addition to specific safeguards against impersonation or fraud for applicants applying online.
IAL1 provides the lowest confidence level of verification, requiring minimal proofing processes and only limited validation of self-asserted data. This level is best suited to low-risk applications such as signing up for social media accounts or general online forums.
IAL2 adds rigor to the verification process by strengthening evidence requirements and tightening validation and verification requirements in order to counter impersonation attacks. This may involve biometric comparison (such as automated facial comparison against the photo contained in the identity evidence) as well as in-person or supervised remote identification methods. Additionally, a CSP supporting IAL2 must disclose which pathways connect directly with relying parties (RPs) via an assertion API agreement or trust agreement.
IAL3 Authentication
IAL3 provides the highest level of identity assurance. The process involves verifying multiple pieces of evidence, including validating identification documents and performing biometric comparison. This gives high assurance that the claimant owns the authenticators bound to the subscriber account, reducing fraud and unauthorised access across digital platforms.
Organizations with stringent requirements, such as those operating in highly regulated industries like healthcare or those that need digital identities to satisfy compliance mandates, use this IAL. It limits highly scalable attacks while protecting against sophisticated forms of falsification, theft, repudiation and other threats.
As described in Section 5.6 of [SP800-63A], CSPs or IdPs providing services at IAL3 must implement mechanisms through which subscribers who experience authentication failure can obtain relief. Redress mechanisms shall be easy for enrollees to find, use, and understand; options could include requesting that the verifier re-assess the authenticity or security of an authenticator. Furthermore, CSPs or IdPs must evaluate these redress mechanisms regularly to ensure their effectiveness.
IAL3 Security
At IAL3, identity proofing requires an in-person (including supervised remote) verified identification session with collection of biometric characteristics, to prevent more sophisticated attacks including evidence falsification, theft or repudiation.
TrustSwiftly's hardware-based remote IAL3 compliant solution enables applicants to independently verify their identities from anywhere in the world, simplifying and streamlining the NIST IAL3 verification process for employees while saving organizations time and money.
TrustSwiftly's IAL3 solution uses facial recognition with liveness detection, document authentication that verifies government-issued documents, and address validation that cross-references official databases and utility bills to check submitted addresses against real-world records. Together these authenticate an individual's claimed identity and protect privileged accounts against advanced infiltration attempts. The result is regulatory compliance with minimal user friction, meeting FedRAMP High requirements while reducing the risk of costly fines and damage to your company's reputation.