What Is Identity Assurance?
Identity Assurance is a solution-based approach that ensures that a person's claimed identity is their real identity at all times. In other words, you can trust that they are really who they say they are.
An identity assurance solution provides a comprehensive framework for securely linking an individual's identity with who they claim to be throughout the entire user lifecycle. It provides continuous verification, validation and protection from the first point of contact with a user, through digital identity creation and ongoing use, until that identity is retired or deleted.
Elements of Identity Assurance
An Identity Assurance framework generally includes the following interconnected components:
- Authentication — specifically phishing-resistant, passwordless authentication.
- Identity proofing and verification
- Continuous risk monitoring
All of these operate together during the identity lifecycle. For example, upon detecting an increased level of risk, the system can alert or invoke a re-authentication or re-verification based on defined policies.
NIST Identity Assurance Levels (IAL)
The National Institute of Standards and Technology (NIST) has defined a set of Identity Assurance Level (IAL) standards that indicate the degree of certainty that someone’s claimed identity is their real identity. The NIST IALs are part of the Digital Identity Guidelines, NIST 800-63-3. NIST specifies three identity assurance levels:
- IAL1: It is not required to link the individual to a specific real-world identity. Information provided by the person is self-asserted and does not need to be separately verified.
- IAL2: Uses digital documents as evidence to support that the claimed identity exists in the real world and verifies that the correct person is associated with it.
- IAL3: Requires an authorized and trained representative to verify the individual in person.
It should be noted that the NIST IALs only ever measure a single point in time and do not address ongoing authentication and other critical aspects of identity assurance. Those are contained in other sections of the Digital Identity Guidelines.
Identity Assurance Example:
A new employee scans her driver’s license for digital verification. Concurrently, she participates in a live video chat with her manager to verify her identity. Once both the automated and the human-based identity verifications pass, she is given passwordless credentials and access to company systems. A few months later, the identity assurance risk engine detects that she is trying to log in 5000 miles from her known residence and in the middle of the night. She may be asked to reverify based on the departure from the norm and potential increased risk. Upon successful reverification, she starts working — from her hotel in Paris.
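The risk check in the example above, sketched as an added illustration (not code from the original page or from any product). The 500-mile threshold, the night window measured on the employee's home clock, the Seattle residence and the mapping from signals to actions are all assumptions made for this sketch.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds, coordinates and times are constructed for illustration.
EARTH_RADIUS_MILES = 3958.8
FAR_FROM_HOME_MILES = 500      # assumed policy threshold
NIGHT_HOURS = range(0, 5)      # 00:00-04:59 on the user's home clock (assumed)

@dataclass
class Profile:
    home_lat: float
    home_lon: float
    home_utc_offset: float     # hours; fixed offset, DST ignored

@dataclass
class Login:
    lat: float
    lon: float
    when_utc: datetime

def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def risk_signals(profile, login):
    signals = []
    dist = miles_between(profile.home_lat, profile.home_lon, login.lat, login.lon)
    if dist > FAR_FROM_HOME_MILES:
        signals.append("far_from_home")
    home_clock = login.when_utc + timedelta(hours=profile.home_utc_offset)
    if home_clock.hour in NIGHT_HOURS:
        signals.append("night_login")
    return signals

def decide(profile, login):
    """Policy: no signal -> allow, one -> reauthenticate, both -> reverify."""
    signals = risk_signals(profile, login)
    return ("allow", "reauthenticate", "reverify")[len(signals)], signals

# Constructed scenario: residence in Seattle, login from Paris at 10:00 UTC.
EMPLOYEE = Profile(47.6062, -122.3321, -8)
PARIS_LOGIN = Login(48.8566, 2.3522, datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(decide(EMPLOYEE, PARIS_LOGIN))
```

A single signal triggers only re-authentication with the existing passwordless credential; both signals together escalate to the full identity re-verification described in the example.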