IAL3 identity proofing enabling strong digital trust

NIST 800-63A IAL3 requirements are more stringent than those of IAL2 and are intended to deter more advanced attacks such as fraud, repudiation and sophisticated evidence falsification. Furthermore, identity proofing must take place in an on-site session, with the applicant physically present and attended by a CSP representative.
Once on-site attended identity proofing succeeds, the CSP enrolls the applicant into a subscriber account and issues one or more authenticators bound specifically to that account.
Authenticator and Verifier
This guideline sets forth NIST IAL3 verification methods for credential service providers (CSPs) at three Identity Assurance Levels (IALs). IAL3 identity proofing requires an applicant to reliably identify themselves with sufficient proof. Relying parties (RPs) then use this evidence, checked against the applicant's claimed identity, when granting access to services.
IAL1 allows remote or in-person identity proofing and requires CSPs to collect only what is necessary for identity resolution, validation and verification. This leaves room for various techniques to detect malicious actors while increasing adoption by minimizing application abandonment and rejections.
IAL3 is the strongest of the three levels and requires physical verification of the subject's identity, such as collecting biometrics and comparing them against a reference image. Though costly for CSPs, this offers the strongest protection against phishing attacks and social engineering scams.
Attribute Validation
At levels two and three, CSPs should ensure that the attributes provided by an applicant are consistent across the various pieces of evidence; this consistency contributes to the strength of assurance. It helps protect against attacks that exploit one piece of data, such as a date of birth, to compromise others such as name, address, phone number, email address or credit card number.
CSPs SHOULD offer a trusted referee service for cases where automated verification fails: an impartial party vouches for the attributes, conditions or identities claimed by an applicant. The CSP should document these processes in its practice statement.
The IAL2 Non-Biometric Pathway allows an alternative verification method that does not involve direct comparison of biometric samples by humans or automated systems. CSPs that offer this pathway should notify RPs of its use and inform applicants which channels are employed, such as visual comparison against evidence or receipt of an electronic confirmation code by mail.
Attribute Verification
IAL3 provides the highest level of assurance that a digital identity matches a real-world identity. To reach this standard of verification, an on-site proofing session using biometric capture technology must take place, either with someone present or remotely. Liveness detection and stringent chain-of-custody procedures also form part of this level.
Leading IAL3-compliant solutions use advanced document verification methods such as multispectral UV light analysis and facial recognition with liveness detection, while offering a seamless user experience and robust protection against socially engineered fakes.
Verifying attributes requires a trusted referee, from either the CSP or a third-party service, who has been thoroughly vetted and approved to make risk-based decisions about an applicant's proofing case, including exception handling when attributes do not match (e.g. a recent name or address change). The referee reviews the evidence supporting the asserted attribute values against authoritative records; the CSP then binds the verified attributes to an authenticator and to the subscriber account.
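The cross-evidence consistency check described under Attribute Validation, together with the referee escalation for mismatches such as a recent name or address change, can be sketched as follows. This is an added illustration, not NIST's or any CSP's code; the evidence format, the set of attributes routed to a referee and the sample documents are assumptions made here.

```python
"""Cross-evidence attribute consistency for identity proofing (added example)."""
import unicodedata
from datetime import date

# Assumption: attributes a legitimate applicant may recently have changed go to
# a trusted referee; any other disagreement fails automated validation.
REFEREE_ATTRIBUTES = {"name", "address"}


def normalize(value):
    """Canonical form so formatting alone never counts as a mismatch:
    dates become ISO strings; text loses accents, case and extra spaces."""
    if isinstance(value, date):
        return value.isoformat()
    text = unicodedata.normalize("NFKD", str(value))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())


def validate_attributes(evidence):
    """Compare each attribute across all evidence pieces (dicts).

    Returns (decision, mismatches): 'validated' when everything agrees,
    'referee_review' when only referee-eligible attributes disagree,
    'failed' when any other attribute disagrees.
    """
    mismatches = {}
    for attr in {a for doc in evidence for a in doc}:
        # Map normalized form -> one original spelling seen for it.
        seen = {normalize(doc[attr]): doc[attr] for doc in evidence if attr in doc}
        if len(seen) > 1:
            mismatches[attr] = sorted(seen.values(), key=str)
    if not mismatches:
        return "validated", mismatches
    if set(mismatches) <= REFEREE_ATTRIBUTES:
        return "referee_review", mismatches
    return "failed", mismatches


# Constructed sample: two documents agree on name and date of birth despite
# different formatting, but the address differs, so a referee must decide.
SAMPLE_EVIDENCE = [
    {"name": "Émilie Dupont", "dob": date(1990, 5, 1), "address": "12 Rue A, Lyon"},
    {"name": "EMILIE  DUPONT", "dob": "1990-05-01", "address": "3 Rue B, Paris"},
]

if __name__ == "__main__":
    print(validate_attributes(SAMPLE_EVIDENCE))
```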
When using the on-site, in-person attended IAL3 pathway, a trained agent must be present to detect fake identities and realistic silicone masks worn by attackers. All data must also be stored securely to meet compliance and FedRAMP requirements; retaining raw biometrics significantly increases legal risk and the frequency with which biometrics must be refreshed to prevent bypass attacks by third-party agents or social engineering.
TrustSwiftly notes that NIST 800-63A also formalizes remote identity proofing as a recognized pathway to IAL2, an important change for HR, Legal and Security teams, who must now work together on scoping proofing processes and archival locations in order to meet compliance requirements at every step of the lifecycle.