Identity Assurance Level Requirements

This section is normative.

Identity Assurance Level 1 Requirements

Identity proofing processes at IAL1 allow for a range of acceptable techniques to detect fraudulent claims to identities by malicious actors while facilitating user adoption, minimizing the rejection of legitimate users, and reducing application departures. The use of biometric matching (e.g., automated comparison of the applicant’s facial image to a facial portrait on supplied evidence) is optional at IAL1.

Proofing Types

1. IAL1 identity proofing MAY be delivered through any proofing type, as described in Sec. 2.1.3.
2. CSPs MAY combine proofing types and their stated requirements to create hybrid processes. For example, a CSP might leverage remote unattended identity proofing validation processes in advance of a remote attended session where the verification will take place. If such steps are combined, CSPs SHALL document their hybrid process and state how the applicable requirements for each of the employed proofing types are met.

Evidence Collection

For identity proofing at IAL1, the CSP SHALL collect:

1. One piece of:
   • FAIR evidence that can be digitally validated or that includes a facial portrait or other biometric or
   • STRONG evidence or
   • SUPERIOR evidence.

Attribute Collection

The CSP SHALL collect all core attributes, including at least one government identifier. Validated evidence is the preferred source of identity attributes. If the presented identity evidence does not provide all of the attributes that the CSP considers to be core attributes, it MAY collect attributes that are self-asserted by the applicant.

Evidence Validation

Each piece of evidence presented SHALL be validated using one of the following methods:

• Confirming the authenticity of digital evidence by interrogating the digital security features (e.g., signatures on assertions or data)
• Confirming the authenticity of physical evidence using automated scanning technology that can detect physical security features, as described in Sec. 3.14
• Confirming the integrity of physical security features on presented evidence through visual inspection by a proofing agent using real-time or asynchronous processes (e.g., offline manual review)
• Confirming the integrity of physical security features through physical and tactile inspection by a proofing agent at an on-site location

Attribute Validation

1. The CSP SHALL validate all core attributes and the government identifier against an authoritative or credible source to determine accuracy.
2. CSPs SHOULD evaluate attributes obtained from different sources (e.g., presented evidence, self-asserted, authoritative or credible sources) for consistency.
3. CSPs SHOULD validate any reference numbers on the presented identity evidence, if available.

Verification Requirements

The CSP SHALL verify the applicant’s ownership of one piece of evidence using one of the following methods:

• Confirming the applicant’s ability to return a confirmation code delivered to a validated address associated with the evidence
• Confirming the applicant’s ability to return a microtransaction value delivered to a validated financial or similar account
• Confirming the applicant’s ability to successfully complete an authentication and federation protocol equivalent to AAL2/FAL2 or higher to access an account related to the identity evidence
• Comparing the applicant’s facial image to a facial portrait on evidence via an automated comparison
• Visually comparing the applicant’s facial image to a facial portrait on evidence or in records associated with the evidence during an on-site attended session (i.e., in-person with a proofing agent), a remote attended session (i.e., live video with a proofing agent), or an asynchronous process (i.e., visual comparison made by a proofing agent at a different time). If the comparison is performed asynchronously at a later time, the CSP SHALL implement PAD and passive or active document presence checks to increase confidence that both the live applicant and physical documents are present during the submission or capture event.
• Using automated means to compare a facial image represented on or stored in the identity evidence or in records associated with the evidence to a live sample provided by the applicant

Remote Unattended Requirements

There are no additional requirements for remote unattended identity proofing beyond the requirements specified in Sec. 2, 3, and 4.

Remote Attended Requirements

1. During the video session, the applicant SHALL remain in view of the proofing agent during each step of the proofing process.
2. The video quality SHALL be sufficient to support the necessary steps in the validation and verification processes, such as inspecting evidence and comparing the applicant to the evidence.
3. The proofing agent SHALL be trained to identify signs of manipulation, coercion, or social engineering occurring during the session.
4. CSPs MAY record and maintain video sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a video session, the following further requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.
5. The CSP SHALL implement injection protection and modified media controls, as defined in Sec. 3.14.
6. The CSP SHALL provide proofing agents with a method or mechanism to flag events for potential fraud.

On-Site Attended Requirements

1. The CSP SHALL provide a physical setting in which on-site identity proofing sessions are conducted.
2. All devices SHALL be protected by appropriate baseline security features comparable to FISMA moderate controls, including malware protection, administrator-specific access controls, and software update processes.
3. CSP proofing agents SHALL be trained to identify signs of manipulation, coercion, or social engineering occurring during the on-site session.
4. CSPs MAY record and maintain video sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a video session, the following additional requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.
5. The CSP SHALL provide proofing agents with a method or mechanism to covertly flag events for potential fraud.

On-Site Unattended Requirements

1. All devices SHALL be safeguarded from tampering through observation by CSP representatives and/or physical and digital tamper prevention features.
2. All devices SHALL be protected by appropriate baseline security features comparable to FISMA moderate controls, including malware protection, administrator-specific access controls, and software update processes.
3. All devices SHALL be inspected periodically by trained technicians to deter tampering, modification, or damage.
4. CSPs MAY record and maintain video recordings of on-site unattended identity proofing sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a video session, the following additional requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.

Notification of Proofing

Upon the successful completion of identity proofing at IAL1, the CSP SHALL send a notification of proofing to a validated address for the applicant, as specified in Sec. 3.10.

Initial Authenticator Binding

Once a unique subscriber account is established for the applicant (now subscriber) in the CSP’s identity system, one or more authenticators can be associated (i.e., bound) to the subscriber’s account. To minimize the need for account recovery, CSPs SHOULD encourage subscribers to bind at least two separate means of authentication. See Sec. 5 for more information about subscriber accounts and Sec. 4.1.2.1 of [SP800-63B] for more information on binding authenticators.

1. The CSP SHALL provide the ability for the applicant to bind an authenticator using one of the following methods:
   1. Remote enrollment of a subscriber-provided authenticator consistent with the requirements for the authenticator type, as defined in Sec. 4.1.3 of [SP800-63B]
   2. Distribution of a physical authenticator to a validated address
   3. Distribution or on-site enrollment of an authenticator
2. If authenticators are bound outside of a single protected session with the user, the CSP SHALL confirm the presence of the intended subscriber through one of the following methods:
   1. Return of a continuation code
   2. Comparison against a biometric collected at the time of proofing

Identity Assurance Level 2 Requirements

IAL2 identity proofing includes additional evidence, validation, and verification requirements to better mitigate impersonation attacks and other identity proofing errors relative to IAL1. IAL2 can be achieved through different types of identity proofing (e.g., remote unattended, remote attended), and identity verification at IAL2 can be accomplished with or without the use of biometrics. This section presents three different pathways to align with IAL2 outcomes and requirements: IAL2 Verification — Non-Biometric Pathway, IAL2 Verification — Biometric Pathway, and IAL2 Verification — Digital Evidence Pathway.

Proofing Types

1. IAL2 identity proofing MAY be delivered through any identity proofing type, as described in Sec. 2.1.3.
2. CSPs MAY combine identity proofing types and their stated requirements to create hybrid processes. For example, a CSP might leverage remote unattended identity proofing validation processes in advance of a remote attended session where the verification will take place. If such steps are combined, CSPs SHALL document their hybrid process and state how the applicable requirements for each of the employed proofing types are met.

Evidence Collection

For identity proofing at IAL2, the CSP SHALL collect:

1. One piece of FAIR evidence and one piece of STRONG evidence or
2. Two pieces of STRONG evidence or
3. One piece of SUPERIOR evidence.

Attribute Collection

The CSP SHALL collect all core attributes, including at least one government identifier. Validated evidence is the preferred source of identity attributes. If the presented identity evidence does not provide all of the attributes that the CSP considers to be core attributes, it MAY collect attributes that are self-asserted by the applicant.

Evidence Validation

1. Each piece of FAIR or STRONG evidence that is presented SHALL be validated using one of the following techniques:
   1. Confirming the authenticity of the digital evidence by interrogating the digital security features (e.g., signatures on assertions or data)
   2. Confirming the authenticity of the physical evidence using automated scanning technology that can detect physical security features
   3. Confirming the integrity of any physical security features through a visual inspection by a proofing agent using a real-time or asynchronous process (e.g., offline manual review)
   4. Confirming the integrity of any physical security features through physical and tactile inspection by a proofing agent at an on-site location
2. Each piece of SUPERIOR evidence SHALL be validated through the cryptographic verification of the evidence contents and the issuing source, including digital signature verification and the validation of any trust chain back to a trust anchor. Any piece of SUPERIOR evidence that cannot be validated using this method MAY be considered STRONG evidence if it can be validated by using one of the techniques provided above.

Attribute Validation

1. The CSP SHALL validate all core attributes by either:
   1. Comparing the government identifier and other core attributes against an authoritative or credible source to determine accuracy
   2. Validating the accuracy of digitally signed attributes that are contained on SUPERIOR evidence through the public key of the issuing source
2. CSPs SHOULD evaluate attributes obtained from different sources (e.g., presented evidence, self-asserted, authoritative or credible sources) for consistency.
3. CSPs SHOULD validate any reference numbers on the presented identity evidence, if available.

Verification Requirements

Verification pathways SHOULD be implemented consistent with relevant policy and be responsive to the use cases, populations, and threat environment of the online service being protected. CSPs SHOULD deploy more than one pathway to IAL2 verification and MAY combine pathways in order to achieve desired outcomes.

CSPs that offer multiple verification pathways SHALL record in the subscriber record which pathways were followed to achieve IAL2 and SHALL make that information available to RPs in the assertion, API, or as part of their trust agreement. When the Non-Biometric Pathway is used, the CSP SHALL additionally record whether a mailed confirmation code or a visual comparison of the applicant against evidence was used for verification.

IAL2 Verification — Non-Biometric Pathway

The IAL2 Non-Biometric Pathway provides verification methods that do not use an automated comparison of biometric samples provided by the applicant. This pathway can still involve the collection and verification of biometric data (e.g., visual comparison to a facial image contained on identity evidence performed by a proofing agent), but such comparisons are done through manual rather than automated means. Additional verification methods that do not require the use of automated biometric comparison are also included in the Digital Evidence Pathway requirements specified in Sec. 4.2.6.2. If provided as an option at IAL2, CSPs SHALL communicate their use of the Non-Biometric Pathway to all RPs that use their identity service.

1. For remote attended, remote unattended, and on-site unattended identity proofing, the CSP SHALL verify the applicant’s ownership of all pieces of presented identity evidence. For on-site attended identity proofing, the CSP SHALL verify the applicant’s ownership of the strongest piece of presented identity evidence.
2. Approved non-biometric methods for verifying FAIR evidence at IAL2 include:
   1. Confirming the applicant’s ability to return a confirmation code delivered to a validated address associated with the evidence (e.g., postal address, phone number)
   2. Visually comparing the applicant’s facial image to a facial portrait on the presented evidence (e.g., student or employee ID card) or in records associated with the evidence during an on-site attended session (i.e., in-person with a proofing agent), a remote attended session (i.e., live video with a proofing agent), or an asynchronous process (i.e., visual comparison made by a proofing agent at a different time)
3. Approved non-biometric methods for verifying STRONG and SUPERIOR evidence at IAL2 include:
   1. Confirming the applicant’s ability to return a confirmation code delivered to a physical address (i.e., postal address) that was obtained from the evidence and validated with an authoritative source
   2. Visually comparing the applicant’s facial image to a facial portrait on the presented evidence or in records associated with the evidence during an on-site attended session (i.e., in-person with a proofing agent), a remote attended session (i.e., live video with a proofing agent), or an asynchronous process (i.e., visual comparison made by a proofing agent at a different time). If the comparison is performed asynchronously at a later time, the CSP SHALL implement PAD and passive or active document presence checks to increase confidence that both the live applicant and physical documents are present during the captured identity proofing event.

Delivering a confirmation code to a physical address combined with the requirement to validate the address with an authoritative source provides reasonable deterrence against scaled, high-volume attacks on identity proofing processes and substantially impacts the time-to-value for attackers. For this reason, mailed confirmation codes are a viable option for identity proofing at IAL2 when biometrics or visual comparisons fail or alternative means are required (e.g., due to a subscriber’s limited access to technology or services). Such delivery methods remain vulnerable to interception by close associates and family members and to other schemes (e.g., mail-forwarding fraud). Organizations that assess a high likelihood and impact of such attacks should offer other methods of verification or apply additional mitigating controls.

IAL2 Verification — Digital Evidence Pathway

The IAL2 Digital Evidence Pathway allows individuals to use digital forms of evidence as part of the verification process, such as digital credentials (sometimes referred to as digital identity documents) or digital accounts.

1. For remote attended, remote unattended, and on-site unattended identity proofing, the CSP SHALL verify the applicant’s ownership of all pieces of presented identity evidence. For on-site attended identity proofing, the CSP SHALL verify the applicant’s ownership of the strongest piece of presented identity evidence.
2. Approved digital evidence verification methods for FAIR evidence at IAL2 include:
   1. Confirming the applicant’s ability to return a microtransaction value delivered to a validated account (e.g., checking account owned by the applicant that has been validated by an authoritative or credible source)
   2. Confirming the applicant’s ability to return a confirmation code delivered to a validated digital address associated with the digital evidence (e.g., MNO/phone account)
   3. Confirming the applicant’s ability to successfully complete an authentication and federation protocol equivalent to AAL2/FAL2 to access an account related to the identity evidence
3. Approved digital evidence verification methods for STRONG evidence at IAL2 involve confirming the applicant’s ability to successfully complete an authentication and federation protocol equivalent to AAL2/FAL2 or higher to access an account related to the identity evidence.
4. Approved digital evidence verification methods for SUPERIOR evidence at IAL2 include confirming the applicant’s possession of the evidence through the use of a local activation factor and the presentation of a cryptographically verifiable attribute bundle.

This verification method is viable for SUPERIOR evidence that allows for local authentication events, such as subscriber-controlled wallets and PKI credentials on smart cards. SUPERIOR evidence that does not support these functions (e.g., ePassports) can still be used but must be verified through one of the other pathways.

IAL2 Verification — Biometric Pathway

The IAL2 Biometric Pathway supports the automated comparison of biometric samples provided by the applicant.

1. For remote attended, remote unattended, and on-site unattended identity proofing, the CSP SHALL verify the applicant’s ownership of all pieces of presented identity evidence. For on-site attended identity proofing, the CSP SHALL verify the applicant’s ownership of the strongest piece of presented identity evidence.
2. Approved methods for verifying FAIR, STRONG, and SUPERIOR evidence for use in the IAL2 Biometric Pathway include:
   1. Using automated means to compare a facial image represented on or stored in the identity evidence or in records associated with the evidence to a live sample provided by the applicant
   2. Using automated means to compare a biometric characteristic other than a facial image stored on the identity evidence or in records associated with the evidence to a live sample provided by the applicant

Remote Unattended Requirements

There are no additional requirements for remote unattended identity proofing beyond the requirements specified in Sec. 2, 3, and 4.

Remote Attended Requirements

1. During the video session, the applicant SHALL remain in view of the proofing agent during each step of the proofing process.
2. The video quality SHALL be sufficient to support the necessary steps in the validation and verification processes, such as inspecting evidence and comparing the user to the evidence.
3. The proofing agent SHALL be trained to identify signs of manipulation, coercion, or social engineering occurring during the recorded session.
4. CSPs MAY record and maintain video sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a video session, the following further requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.
5. The CSP SHALL implement injection protection and modified media controls, as defined in Sec. 3.14.
6. The CSP SHALL provide proofing agents with a method or mechanism to flag events for potential fraud.

On-Site Attended Requirements

1. The CSP SHALL provide a physical setting in which on-site identity proofing sessions are conducted.
2. All devices SHALL be protected by appropriate baseline security features comparable to FISMA moderate controls, including malware protection, administrator-specific access controls, and software update processes.
3. CSP proofing agents SHALL be trained to identify signs of manipulation, coercion, or social engineering occurring during the on-site session.
4. CSPs MAY record and maintain video sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a video session, the following additional requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.
5. The CSP SHALL provide proofing agents with a method or mechanism to safely flag events for potential fraud.

On-Site Unattended Requirements

1. All devices SHALL be safeguarded from tampering through observation by CSP representatives and/or physical and digital tamper prevention features.
2. All devices SHALL be protected by appropriate baseline security features comparable to FISMA moderate controls, including malware protection, administrator-specific access controls, and software update processes.
3. All devices SHALL be inspected periodically by trained technicians to deter tampering, modification, or damage.
4. CSPs MAY record and maintain video recordings of on-site unattended identity proofing sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a video session, the following additional requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.

Notification of Proofing

Upon the successful completion of identity proofing at IAL2, the CSP SHALL send a notification of proofing to a validated address for the applicant, as specified in Sec. 3.10. CSPs SHOULD send the notification of proofing to the applicant’s postal address.

Initial Authenticator Binding

Once a unique subscriber account is established for the applicant (now subscriber) in the CSP’s identity system, one or more authenticators can be associated (i.e., bound) to the subscriber’s account. To minimize the need for account recovery, CSPs SHOULD encourage subscribers to bind at least two separate means of authentication. See Sec. 5 for more information about subscriber accounts and Sec. 4.1.2.1 of [SP800-63B] for more information on binding authenticators.

1. The CSP SHALL provide the ability for the applicant to bind an authenticator using one of the following methods:
   1. Remote enrollment of a subscriber-provided authenticator consistent with the requirements for the authenticator type, as defined in Sec. 4.1.3 of [SP800-63B]
   2. Distribution of a physical authenticator to a validated address
   3. Distribution or on-site enrollment of an authenticator
2. If authenticators are bound outside of a single protected session with the user, the CSP SHALL confirm the presence of the intended subscriber through one of the following methods:
   1. Return of a continuation code
   2. Comparison against a biometric collected at the time of proofing

Identity Assurance Level 3

IAL3 adds additional rigor to the steps required at IAL2 and is subject to additional and specific processes, including the use of biometric information comparison, collection, and retention, to further protect the identity and RP from impersonation and other forms of identity fraud. In addition, identity proofing at IAL3 is performed onsite and attended by a proofing agent, as described in Sec. 2.1.2.

Proofing Types

IAL3 identity proofing SHALL only be delivered as on-site attended. The proofing agent MAY be co-located with the applicant or attend the identity proofing session via a CSP-controlled kiosk or device.

Evidence Collection

For identity proofing at IAL3, the CSP SHALL collect:

1. One piece of FAIR evidence and one piece of STRONG evidence or
2. Two pieces of STRONG evidence or
3. One piece of SUPERIOR evidence.

Attribute Requirements

1. The CSP SHALL collect all core attributes, including at least one government identifier. Validated evidence is the preferred source of identity attributes. If the presented identity evidence does not provide all of the attributes that a CSP considers to be core attributes, the CSP MAY collect attributes that are self-asserted by the applicant.
2. The CSP SHALL collect and retain a biometric sample from the applicant during the identity proofing process to support account recovery and non-repudiation and to establish a high level of confidence that the same participant is present in the proofing and issuance processes, if done separately. CSPs MAY choose to periodically re-enroll user biometrics based on the modalities they use and the likelihood that subscriber accounts will persist long enough to warrant such a refresh.

Evidence Validation

1. Each piece of FAIR or STRONG evidence that is presented SHALL be validated using one of the following techniques:
   1. Confirming the authenticity of the digital evidence by interrogating the digital security features (e.g., signatures on assertions or data)
   2. Confirming the authenticity of the physical evidence using automated scanning technology that can detect physical security features
   3. Confirming the integrity of any physical security features through a visual inspection by a proofing agent using a real-time or asynchronous process (e.g., offline manual review)
   4. Confirming the integrity of any physical security features through physical and tactile inspection by a proofing agent at an on-site location
2. Each piece of SUPERIOR evidence SHALL be validated through the cryptographic verification of the evidence contents and the issuing source, including digital signature verification and the validation of any trust chain back to a trust anchor. Any piece of SUPERIOR evidence that cannot be validated using this method MAY be considered STRONG evidence if it can be validated by using one of the techniques provided above.

Attribute Validation

1. The CSP SHALL validate all core attributes by either:
   1. Comparing the government identifier and other core attributes against an authoritative or credible source to determine accuracy or
   2. Validating the accuracy of digitally signed attributes that are contained on SUPERIOR evidence through the public key of the issuing source
2. CSPs SHOULD evaluate attributes obtained from different sources (e.g., presented evidence, self-asserted, authoritative or credible sources) for consistency.
3. CSPs SHOULD validate any reference numbers on the presented identity evidence, if available.

Verification Requirements

1. The CSP SHALL verify the applicant’s ownership of the strongest piece of evidence (STRONG or SUPERIOR) by one of the following methods:
   1. Confirming the applicant’s ability to successfully authenticate to a physical device or application (e.g., a mobile driver’s license) and comparing a digitally protected and transmitted facial portrait to the applicant
   2. Comparing the applicant’s facial image to the facial portrait on the presented evidence via an automated comparison
   3. Visually comparing the applicant’s facial image to the facial portrait on the presented evidence during an on-site attended session or a remote attended session
   4. Performing an automated comparison of a stored biometric on the identity evidence or in the authoritative records associated with the evidence to a sample provided by the applicant

On-Site Attended Requirements — Colocated Agent

1. The CSP SHALL provide a secure, physical setting in which on-site identity proofing sessions are conducted.
2. The CSP SHALL provide sensors and capture devices for the collection of biometrics from the applicant.
3. The CSP SHALL have the proofing agent view the source of the collected biometric for the presence of any non-natural materials (e.g., putty, glue).
4. The CSP SHALL have the proofing agent collect the biometric samples in such a way that ensures the sample was collected from the applicant and no other source.
5. The CSP SHALL ensure that all information systems and technology leveraged by proofing agents and trusted referees are protected consistent with at least FISMA moderate or comparable levels of controls, including physical controls for the proofing facility.
6. CSP proofing agents SHALL be trained to identify signs of manipulation, coercion, or social engineering occurring during the on-site session.
7. CSPs MAY record and maintain video sessions for fraud prevention and prosecution purposes pursuant to a privacy risk assessment, as defined in Sec. 3.3.1. If the CSP records a session, the following additional requirements apply:
   1. The CSP SHALL notify the applicant of the recording prior to initiating a recorded session.
   2. The CSP SHALL gain consent from the applicant prior to initiating a recorded session.
   3. The CSP SHALL publish their retention schedule and deletion processes for all video records.
8. The CSP SHALL provide proofing agents with a method or mechanism to discretely flag events or actions as potential fraud.

On-Site Attended Requirements — Kiosk-Based

The CSP MAY offer a remote means of interacting with a proofing agent whereby the agent and the applicant are not co-located (i.e., in the same room). For example, applicants might interact with a CSP-controlled kiosk with the proofing agent participating remotely in the session over video. In such cases, the following requirements apply in addition to those provided for the on-site attended identity proofing in Sec. 4.3.7. In previous versions of this document, this approach was referred to as Supervised Remote Identity Proofing (SRIP).

1. The CSP SHALL monitor the entire identity proofing session through a high-resolution video transmission with the applicant.
2. The CSP SHALL have a live proofing agent participate remotely with the applicant for the evidence collection, evidence validation, and verification steps of the identity proofing process. Data entry of attributes for resolution and enrollment MAY be done without the presence of a live proofing agent.
3. The CSP SHALL require all actions taken by the applicant during the evidence collection, evidence validation, and verification steps to be clearly visible to the remote proofing agent.
4. The CSP SHALL require that all digital validation and verification of evidence (e.g., via chip or wireless technologies) be performed by integrated scanners and sensors (e.g., embedded fingerprint reader).
5. All devices used to support interaction between the proofing agent and the applicantSHALL be safeguarded from tampering through observation by CSP representatives or monitoring devices (e.g., cameras) and through physical and digital tamper prevention features.
6. All devices used to support interaction between the proofing agent and the applicant SHALL be protected by appropriate baseline security features that are comparable to at least FISMA moderate controls, including malware protection, administrator-specific access controls, and software update processes.
7. All devices used to support interaction between the proofing agent and the applicant SHALL be inspected periodically by trained technicians to deter tampering, modification, or damage.

Notification of Proofing

Upon the successful completion of identity proofing at IAL3, the CSP SHALL send a notification of proofing to a validated address for the applicant, as specified in Sec. 3.10. CSPs SHOULD send the notification of proofing to the applicant’s postal address.

Initial Authenticator Binding

1. The CSP SHALL distribute or enroll the subscriber’s initial authenticator during an on-site attended interaction with a proofing agent.
2. If the CSP distributes or enrolls the initial authenticator outside of a single authenticated protected session with the subscriber, the CSP SHALL compare a biometric sample collected from the subscriber to the one collected at the time of proofing prior to registration of the authenticator and MAY request that the subscriber bring the identity evidence used during the proofing process to further strengthen the process of binding the authenticator to the subscriber.

Summary of Requirements

Table 1 summarizes the requirements for each of the identity assurance levels.

Table 1. IAL requirements summary

Process	IAL1	IAL2	IAL3
Proofing Types	Remote Unattended Remote Attended On-Site Unattended On-Site Attended	Same as IAL1	On-Site Attended
Evidence Collection	Attended: • 1 FAIR, or • 1 STRONG, or • 1 SUPERIOR Unattended: • 1 FAIR, or • 1 STRONG, or • 1 SUPERIOR	For all proofing types: • 1 FAIR + 1 STRONG, or • 2 STRONG, or • 1 SUPERIOR	For all proofing types: • 1 FAIR + 1 STRONG, or • 2 STRONG, or • 1 SUPERIOR
Attribute Collection	All Core Attributes	All Core Attributes	All Core Attributes + Biometric Sample
Evidence Validation	Physical Evidence: • Automated document authentication • Visual inspection • Physical/tactile inspection Digital Evidence: • Interrogation of digital security features	Same as IAL1, plus: SUPERIOR Evidence: • Digital signature verification	Same as IAL2
Attribute Validation	• Confirmation of core attributes against authoritative or credible sources • Confirmation of digitally signed attributes through digital signature verification	Same as IAL1	Same as IAL2
Verification	Verify applicant’s ownership of the FAIR, STRONG, or SUPERIOR evidence per 4.1.6	Verify applicant’s ownership of all presented evidence using methods provided in 4.2.6	Verify applicant’s ownership of all presented evidence using methods provided in 4.3.6