Identity Proofing

Identity proofing, as defined in NIST Special Publication (SP) 800-63A, is the process of verifying that an individual is who they claim to be, typically by providing evidence to a Credential Service Provider (CSP) to establish their identity at a specific Identity Assurance Level (IAL), such as IAL1, IAL2 or IAL3. This publication focuses on enrollment and identity proofing, providing guidance for organizations on how to manage digital identities such as PIV ID at designated levels of assurance. Identity proofing is crucial for ensuring the security and integrity of digital systems and services, especially when accessing sensitive information or transactions.

Key Concepts

  • Verification of Identity: Identity proofing is a process that verifies that a person is who they say they are. 
  • Evidence Presentation: It involves an applicant presenting evidence to a CSP, allowing the CSP to assert the applicant's identity at a specific IAL. It can include personal information, identity documents (like photo IDs), and biometric data (like fingerprints or facial recognition). 
  • NIST IALs: NIST defines three IALs - IAL1 (Some confidence), IAL2 (High confidence), and IAL3 (Very high confidence). As security requirements increase, organizations must ensure greater confidence in verifying user identities. While higher assurance levels help mitigate fraud, they may also introduce additional steps in the user experience.
    • IAL1: IAL1 represents the lowest level of identity assurance, where no formal verification is required. User attributes are typically self-asserted, such as when creating an account using an email address. For example, social media platforms or streaming services may choose not to require any proof of identity, simply establishing a user ID and password, and ensuring access to those services is paid for.
    • IAL2: IAL2 requires verification of the user’s identity through remote or in-person proofing. Acceptable proof may include address verification, official credentials, passports, or driver’s licenses. Biometric collection is optional at this level. For example, a bank will require in-person proof of identity (e.g., driver’s license or passport) when opening a new checking account.
    • IAL3: IAL3 demands in-person verification with physical evidence to confirm the user’s identity. This includes government-issued identification or address verification, along with mandatory biometric verification, such as facial recognition or fingerprint scanning. For example, to gain access to high security areas or websites containing highly sensitive data or physical assets (such as sensitive governmental facilities/rooms or medical record archives), a federal agency may require

Why is Identity Proofing Important?

  • Security: Identity proofing helps ensure that the person receiving the PIV card is genuinely who they claim to be, preventing impersonation and unauthorized access to sensitive information or facilities.
  • Regulatory Compliance: The PIV card issuance process, including identity proofing, is part of compliance with federal regulations such as FIPS 201 (Federal Information Processing Standards), which sets guidelines for secure identification.
  • Trust: Ensures trust in the identity verification process, enabling individuals to securely access systems and physical spaces, knowing that only verified, trusted individuals are granted access.

Identity proofing is a crucial process in the issuance of a digital identity. It involves validating personal information, authenticating identity through provided documents and biometrics, and conducting background checks to ensure that the individual is trustworthy and authorized for secure access.