The National Institute of Standards & Technology (NIST) prescribes a process for verifying a person's identity before the institution asserts it. This is needed for high-risk data handling and for processes where it is essential that the person with access to, or the ability to manipulate, data has been verified.
Overview of the Identity Proofing Process
Identity verification (a/k/a identity proofing, as defined in the standard) is where the institution verifies your legal identity using documents issued by other governmental agencies. This process establishes a "level of assurance" (LOA) that you are the person legally entitled to use the credentials (user name and the associated password) and the multi-factor technology that has been issued to you. The process is multifaceted to make it more difficult for a nefarious individual to manipulate the system.
Who must have their Identity Proofing completed?
Those who have access to the UW-System Human Resource System (HRS) or the UW-System Shared Financial System (SFS) are required to have LOA2 identity proofing. Approximately 10% of faculty and staff are required to have this extra level of verification. This will continue to expand as additional systems require it of their users. The Carding Office will conduct identity proofing with its customers whenever possible to proactively validate and provide this assurance transparently. Those who have not been validated will be denied access by those systems until this process is completed and the identity is "asserted" into our federated user directory.
What forms of ID can be used?
The following forms of identification are accepted when conducting the identity proofing process:
- US Driver's License
- US Identification Card
- Military Identification Card
- Passport
- Travel Visa
- Other State or Nationally-issued Document
Note: We cannot accept expired documents.
Note: If there is a local address on the document, it must match your current official address of record in the Human Resource System (HRS) or the student information system (eSIS). If the address does not match, then we must follow the address mismatch process and cannot do the "in-person" or "not in person" process. Minor variations of abbreviations or nomenclature are acceptable.
Steps of the Identity Proofing Process - In Person
- Visit the Carding Office (or call to set up an appointment to do a video call)
- Present your legal photo identification documents that match your "address of record" to the staff
- The staff verifies the information on your documents and that your ID photo matches you
- The staff records the information into the Identity Management System (IdMS) as required
- The staff "proofs" you at Level of Assurance 2 (LOA2) and returns your documents
- The staff "asserts" our assurance into the authentication system for other systems to consume as required
This process takes approximately 5 minutes.
Steps of the Identity Proofing Process - Not in Person
If you are willing to conduct a video call with the ID Carding Office, we can conduct the "in-person" process above with you. You present the identification documentation to the camera and we verify it against your video image as we would in person. We follow the steps above as if you were physically present.
Otherwise, if you are unable or unwilling to do the video call, the following "remote" proofing process applies:
- You contact the Carding Office, where we can (over the telephone) begin the process. You state your legal name and date of birth for us to verify.
- Within one regular business day, we mail a letter to you via the US Postal Service to your official legal home address of record.
- When you receive that letter, follow the instructions in the letter during our standard Carding Office business hours. You are instructed to call us and provide the one-time PIN code printed in the letter. This confirms that you are the person you say you are at the address of record in the Human Resource System (HRS) or student information system (eSIS).
- The staff records the verification of identity into the Identity Management System (IdMS) as required
- The staff "proofs" you at Level of Assurance 2 (LOA2)
- The staff "asserts" our assurance into the authentication system for other systems to consume as required
This process can take 1 to 2 weeks depending on mail delivery and your responsiveness to the letter. We have the letter prepared and sent out within one business day, and once you contact us with the PIN code we assert the proofing while you are on the phone. Some software or services that consume identity services may not recognize this for up to 24 hours; most systems recognize the update live.
Steps of the Identity Proofing Process - Address Mismatch
United States citizens who cannot provide a passport (which is issued through an extensive validation process) will be required to follow this process if their state-issued identification documents do not match their address of record. This can occur when a person has a PO Box, or when they move but the state that issued the ID documents does not update the physical copy. It is now common that when you notify the DMV of a move, the DMV updates its records electronically but does not issue a new ID card or driver's license.
Citizens of other countries need to produce a valid national ID, passport or travel visa. Only the country must match; local address matching is not required. The above remote or in-person processes apply.
The process to validate a new address is the same as the "not in person" process above.
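The document and address rules above (no expired documents, a local address on the document must match the address of record allowing minor abbreviation variations, US citizens without a passport and with a mismatch go to the mailed-PIN process, citizens of other countries need only a country match) can be written down as a routing check. This is an added illustration, not the Carding Office's or IdMS software; the document-type names and the abbreviation table are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Accepted document types from the page; "national_id" is the national ID foreign citizens present.
ACCEPTED_DOCS = {"drivers_license", "state_id", "military_id", "passport",
                 "travel_visa", "other_government_id", "national_id"}
FOREIGN_NATIONAL_DOCS = {"national_id", "passport", "travel_visa"}
# Abbreviation map is an assumption: the page allows "minor variations" but lists none.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "apartment": "apt", "suite": "ste", "north": "n", "south": "s",
          "east": "e", "west": "w"}

def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation and collapse common abbreviations."""
    tokens = re.findall(r"[a-z0-9]+", addr.lower())
    return " ".join(ABBREV.get(t, t) for t in tokens)

@dataclass
class ProofingRequest:
    doc_type: str
    doc_expired: bool
    us_citizen: bool
    doc_country: str
    record_country: str
    doc_address: str = ""     # local address printed on the document, if any
    record_address: str = ""  # address of record in HRS or eSIS

STANDARD = "standard"            # in-person, video call, or remote by choice
MAILED_PIN = "address_mismatch"  # must use the mailed one-time PIN letter

def route(req: ProofingRequest) -> str:
    """Apply the document and address rules and return the proofing path to use."""
    if req.doc_expired:
        raise ValueError("expired documents are not accepted")
    if req.doc_type not in ACCEPTED_DOCS:
        raise ValueError(f"document type not accepted: {req.doc_type}")
    if not req.us_citizen:
        # Citizens of other countries: only the country must match, not the local address.
        if req.doc_type not in FOREIGN_NATIONAL_DOCS:
            raise ValueError("need a national ID, passport or travel visa")
        if req.doc_country.lower() != req.record_country.lower():
            raise ValueError("country on document does not match record")
        return STANDARD
    # US citizens: a passport needs no address check; any other document with a local address must match.
    if req.doc_type == "passport" or not req.doc_address:
        return STANDARD
    if normalize_address(req.doc_address) == normalize_address(req.record_address):
        return STANDARD
    return MAILED_PIN
```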
Levels of Assurance (LOA)
There are two primary levels of assurance that will be "proofed" to in our system, beginning at level 2 and extending to level 3. Each information system manager sets their requirements based on the security posture of that system. Some systems require only a username and password, some additionally require the Duo multi-factor system, and some require this extra level of identity proofing.
Level 1
User name and password are issued in a secure manner but the legal identity of the individual holding those is not verified.
Level 2
User name, password and a multi-factor token are issued to an individual and the legal identity of that person is verified using the documents presented. The documents are not verified beyond inspecting them at the time the user presents them to the institution for review.
Level 3
Level 3 expands on level 2, adding a requirement that the documents presented by the individual are independently verified with the third party that issued them. This may be through directly contacting that third party to verify the legitimacy of the documents.
References
NIST 800-63 Publication