A.5 Identity Verification

Identity verification is the process of confirming that the evidence, previously shown to be valid, actually refers to the applicant who is appearing for identity proofing. The objective of identity verification is to confirm a linkage between the validated evidence for the claimed identity and the physical, live existence of the person presenting the evidence. For IAL2 and IAL3, this binding is done by a physical or biometric comparison of the photograph on the strongest piece of evidence to the applicant, or by a biometric comparison between information on the evidence and a biometric characteristic obtained from the applicant.

The following table presents verification methods that may be applied to achieve a verification strength of FAIR or higher. The requirements for these levels are presented in Table 5-3 in SP 800-63A (5.3.1). Note that identity verification is performed against the strongest piece of identity evidence submitted and validated. For IAL2 and IAL3, the strongest piece of evidence will always be either STRONG or SUPERIOR evidence; therefore, verification of FAIR evidence binding will never be required. The KBV method for FAIR evidence verification is presented in the table below for information and for use as additional binding strength as determined appropriate by the CSP.

Table A.5.1. Verification Methods and Strengths

| Verification Strength | Verification Method | Description |
|---|---|---|
| SUPERIOR | Biometric Verification | Biometric comparison of biometric characteristics on the strongest piece(s) of evidence against live biometric capture for remote or in-person identity proofing. May be used for identity verification for FAIR, STRONG, and SUPERIOR strength. |
| STRONG | In-Person Physical Verification | Physical comparison of applicant to facial-image photograph on strongest piece(s) of validated evidence. May be used for identity verification for FAIR and STRONG strength. |
| STRONG | Remote Physical Verification | Physical comparison of applicant to facial-image photograph on strongest piece(s) of validated evidence. May be used for identity verification for FAIR and STRONG strength. |
| FAIR | Knowledge-Based Verification (KBV) | Comparison of challenge response to KBV questions provided by applicant. May be used for identity verification for FAIR strength only. |

As indicated in the table above and in SP 800-63A Table 5-3 (5.3.1), physical or biometric comparison is required for STRONG verification strength, and biometric comparison is required for SUPERIOR verification strength, in each case against the strongest piece of validated identity evidence.

Physical comparison is a comparison by a person (i.e., CSP-trained personnel) of the applicant to the photograph (i.e., facial image) on any of the strongest piece(s) of validated identity evidence collected. This comparison can be an in-person comparison for in-person identity proofing processes or may be conducted remotely for remote identity proofing. In both cases, the operator must perform a physical comparison of the applicant to the facial image photograph on the evidence. That is, the in-person proofing personnel will physically compare the facial image of the live applicant to the facial image photograph on the strongest piece of validated evidence. For remote physical comparison, the applicant's facial image may be captured by high-resolution video or camera for physical comparison to the facial image photograph on the identity evidence. For remote facial image capture, the requirements of SP 800-63B, section 5.2.3 shall be applied. The methods for remote facial image collection and comparison are discussed below.

Biometric comparison is an automated comparison of a biometric characteristic (e.g., facial image, fingerprint, iris) that was collected and recorded as a reference against a live capture of the same biometric characteristic. For identity proofing verification, a biometric characteristic recorded on the strongest piece of identity evidence is compared to the corresponding biometric characteristic of the applicant captured live during the identity proofing session. For in-person biometric collection and comparison, the CSP must employ capabilities for biometric capture and comparison during the in-person session. Since most STRONG and SUPERIOR evidence contains a photographic image (i.e., facial image), the most common form of biometric collection and comparison for in-person proofing will be facial image biometric matching. Automated biometric system matching capability must meet the requirements presented in SP 800-63B section 5.2.3. Biometric comparison is required for identity verification at SUPERIOR strength, which is required at IAL3.

For IAL2 remote identity proofing processes, either physical comparison or biometric comparison may be performed for identity verification based on the strongest piece of validated identity evidence. Unlike the in-person verification method described above, remote identity proofing requires the collection of both an image of the identity evidence and a live capture of the facial image of the applicant for physical or biometric comparison. The CSP must employ liveness detection capabilities to ensure that the applicant's facial image used for comparison is "live" and not the product of a spoofing or presentation attack. Without mitigating controls to ensure live capture of the applicant's facial image, there are considerable risks of impersonation, presentation, and spoofing attacks. Potential methods for the determination of live facial image capture for remote proofing involve supervision by trained personnel and automated capabilities for liveness detection, as presented below.

It is noted that liveness detection is a necessary control whether the identity verification is performed through physical comparison of the live capture of the applicant's facial image to the photograph on the strongest piece of identity evidence or through automated biometric facial image comparison.
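
The rules in this section can be expressed as a single acceptance check on a proofing session. The following is an added example, not part of SP 800-63A or of any CSP's implementation; the `Session` record, its field names, the finding strings, and the sample sessions are hypothetical. It assumes that remote physical or biometric verification uses facial image capture and that IAL2 requires STRONG verification strength.

```python
from dataclasses import dataclass

RANK = {"FAIR": 1, "STRONG": 2, "SUPERIOR": 3}
# Highest verification strength each method can achieve (Table A.5.1).
METHOD_MAX = {"KBV": "FAIR", "PHYSICAL": "STRONG", "BIOMETRIC": "SUPERIOR"}
# Verification strength required per assurance level (assumed IAL2 -> STRONG).
IAL_REQUIRED = {"IAL2": "STRONG", "IAL3": "SUPERIOR"}

@dataclass
class Session:              # hypothetical record of one proofing session
    ial: str                # "IAL2" or "IAL3"
    evidence: dict          # evidence id -> validated evidence strength
    verified_against: str   # evidence id the applicant was compared to
    method: str             # "KBV", "PHYSICAL" or "BIOMETRIC"
    remote: bool
    liveness_checked: bool

def verification_findings(s: Session) -> list:
    """Return the reasons this session fails identity verification."""
    findings = []
    strongest = max(RANK[v] for v in s.evidence.values())
    if strongest < RANK["STRONG"]:
        findings.append("strongest evidence is below STRONG")
    # Verification is performed against the strongest validated evidence.
    if RANK[s.evidence[s.verified_against]] < strongest:
        findings.append("not verified against strongest evidence")
    required = IAL_REQUIRED[s.ial]
    if RANK[METHOD_MAX[s.method]] < RANK[required]:
        findings.append(f"{s.method} cannot reach {required} required at {s.ial}")
    # Liveness detection applies to remote physical and biometric comparison.
    if s.remote and s.method != "KBV" and not s.liveness_checked:
        findings.append("remote facial capture without liveness detection")
    return findings

# Constructed sample sessions.
SAMPLE_OK = Session("IAL2", {"passport": "SUPERIOR", "utility_bill": "FAIR"},
                    "passport", "PHYSICAL", remote=True, liveness_checked=True)
SAMPLE_BAD = Session("IAL3", {"license": "STRONG", "passport": "SUPERIOR"},
                     "license", "PHYSICAL", remote=True, liveness_checked=False)
SAMPLE_KBV = Session("IAL2", {"license": "STRONG"},
                     "license", "KBV", remote=True, liveness_checked=False)

if __name__ == "__main__":
    for name, s in [("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("kbv", SAMPLE_KBV)]:
        print(name, verification_findings(s) or "accepted")
```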