Identity proofing is a common term for the act of verifying a person's identity, as in verifying the "proof of an ID". Other terms for this process include identity verification and identity vetting. This overview attempts to simplify and address the key elements of identity proofing and authentication as viewed by the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) of the United States Government.
Identity proofing is the process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be, and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication. This process may include, for example, in-person or remote evaluation of a driver’s license, passport, birth certificate, or other government-issued identity, as well as other factors specified in the individual certificate policy of the organization issuing the certificate. Identity proofing is performed before the account is created (e.g., portal, email), the credential is issued (e.g., digital certificate) or the special privilege is granted.
Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. It is the process of establishing confidence that an individual using a credential that is known to the system (e.g., login name, digital certificate) is indeed the person to whom the credential was issued.
There are three types of authentication factors: something you know (e.g., password, PIN), something you have (e.g., smart card, hard token, mobile phone), and something you are (e.g., a biometric characteristic such as a fingerprint or voice pattern). Authentication is performed each time a user logs into an account (e.g., portal, email) or otherwise uses a credential. Multi-factor authentication, which requires more than one type of authentication to be used at the point of system login, is sometimes used to achieve a higher level of assurance.
The National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines SP 800-63-3 recommends technical guidelines for implementing electronic authentication. The NIST guidance describes a coordinated set of identity-proofing and authentication methods that, when used together, can provide specific levels of confidence that the entities involved in electronic transactions are who they claim to be. Each assurance level describes the degree of certainty that the user has presented a valid identifier (a credential) that refers to his or her identity.
At OneRecord, we take security seriously. This article is a work in progress, so check back as we expand it.