
Verifying compliance with FedRAMP High is essential, yet traditional in-person proofing methods are costly and difficult to sustain for remote workforces. Discover how Trust Swiftly's hardware-based IAL3 identity proofing solution can save time and money while keeping you compliant going forward.
NIST is currently revising its Identity Assurance Level (IAL) guidelines to better reflect current best practices; the decision tree below, from NIST 800-63-3, provides more clarity.
Verification
Verification processes for NIST IAL3 service providers demand more rigor, tighter oversight and a higher level of identity proofing before access to top-level systems and services is granted. Unlike lower assurance levels, IAL3 may require in-person verification or supervised remote verification, and in-person visits are costly, which creates both logistical and cost challenges for many companies.
Verification under IAL3 involves an examiner confirming a person's identity using documents, physical/digital characteristics and biometric comparison. The examiner must also confirm that the evidence presented is authentic, valid and unexpired.
After IAL3 verification is complete, the CSP must securely bind at least one authenticator (for example a YubiKey or a biometric profile) to the verified identity. Binding more than one authenticator prevents the loss or theft of a single authenticator from leading to impersonation fraud, and it limits what malicious software on an authenticator or endpoint can do when the binding is re-established. Using a cryptographic binding protocol protects against spoofing, identity evasion and man-in-the-middle attacks.
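The binding step described above, as an added example that is not Trust Swiftly's code or any NIST reference implementation: a minimal CSP in Go that records which authenticator public keys were bound to a proofed identity, then authenticates with a challenge-response that is cryptographically tied to the subscriber, the CSP's origin and a single-use nonce. The `Origin` value, the subscriber identifier and the evidence digest are constructed placeholders; the authenticator is modelled as a key pair whose private half never leaves the `Authenticator` struct.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Origin is the CSP's verifier identity. It is part of every signed challenge, so a
// response obtained for a different site cannot be replayed here. Hypothetical value.
const Origin = "https://csp.example.test"

// SubscriberRecord is the CSP's record for an identity that completed IAL3 proofing.
// EvidenceDigest stands in for the validated evidence; bound keys are indexed by hex.
type SubscriberRecord struct {
	SubscriberID   string
	EvidenceDigest [32]byte
	BoundKeys      map[string]ed25519.PublicKey
}

// CSP holds subscriber records and challenges still waiting for a response.
type CSP struct {
	subscribers map[string]*SubscriberRecord
	challenges  map[string][]byte
}

func NewCSP() *CSP {
	return &CSP{subscribers: map[string]*SubscriberRecord{}, challenges: map[string][]byte{}}
}

// BindAuthenticator ties an authenticator public key to a verified subscriber. Adding a
// further key to an existing record requires the same evidence digest, so a second
// authenticator can only be bound to the identity that was actually proofed.
func (c *CSP) BindAuthenticator(subscriberID string, evidenceDigest [32]byte, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	rec, ok := c.subscribers[subscriberID]
	if !ok {
		rec = &SubscriberRecord{SubscriberID: subscriberID, EvidenceDigest: evidenceDigest,
			BoundKeys: map[string]ed25519.PublicKey{}}
		c.subscribers[subscriberID] = rec
	} else if rec.EvidenceDigest != evidenceDigest {
		return errors.New("evidence digest does not match the proofed identity")
	}
	rec.BoundKeys[hex.EncodeToString(pub)] = pub
	return nil
}

// IssueChallenge stores and returns a fresh random nonce for the subscriber.
func (c *CSP) IssueChallenge(subscriberID string) ([]byte, error) {
	if _, ok := c.subscribers[subscriberID]; !ok {
		return nil, errors.New("unknown subscriber")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.challenges[subscriberID] = nonce
	return nonce, nil
}

// bindingMessage is the byte string both sides sign and verify: a hash over the
// length-prefixed nonce, subscriber ID and origin, so no field can bleed into another.
func bindingMessage(nonce []byte, subscriberID, origin string) []byte {
	h := sha256.New()
	for _, part := range [][]byte{nonce, []byte(subscriberID), []byte(origin)} {
		binary.Write(h, binary.BigEndian, uint32(len(part)))
		h.Write(part)
	}
	return h.Sum(nil)
}

// Authenticate checks a signed response against the keys bound at proofing time. The
// challenge is consumed whether or not verification succeeds, so a captured
// signature cannot be replayed; a key that was never bound is rejected outright.
func (c *CSP) Authenticate(subscriberID string, pub ed25519.PublicKey, sig []byte) (bool, error) {
	rec, ok := c.subscribers[subscriberID]
	if !ok {
		return false, errors.New("unknown subscriber")
	}
	nonce, ok := c.challenges[subscriberID]
	if !ok {
		return false, errors.New("no outstanding challenge")
	}
	delete(c.challenges, subscriberID)
	bound, ok := rec.BoundKeys[hex.EncodeToString(pub)]
	if !ok {
		return false, nil
	}
	return ed25519.Verify(bound, bindingMessage(nonce, subscriberID, Origin), sig), nil
}

// Authenticator models a hardware token: the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, Pub: pub}, nil
}

// Respond signs the challenge together with the subscriber and origin it is meant for.
func (a *Authenticator) Respond(nonce []byte, subscriberID, origin string) []byte {
	return ed25519.Sign(a.priv, bindingMessage(nonce, subscriberID, origin))
}

func main() {
	csp := NewCSP()
	token, _ := NewAuthenticator()
	evidence := sha256.Sum256([]byte("constructed: validated document + in-person biometric match"))
	_ = csp.BindAuthenticator("sub-0001", evidence, token.Pub)
	nonce, _ := csp.IssueChallenge("sub-0001")
	ok, _ := csp.Authenticate("sub-0001", token.Pub, token.Respond(nonce, "sub-0001", Origin))
	fmt.Println("bound token accepted:", ok)
	ok, _ = csp.Authenticate("sub-0001", token.Pub, token.Respond(nonce, "sub-0001", Origin))
	fmt.Println("replayed challenge accepted:", ok)
}
```

Because the origin and subscriber ID are inside the signed message, a response relayed from a phishing site or issued for another account fails verification even with a genuine token, and the one-shot challenge store is what stops replay of an intercepted response.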
Identity Proofing
Identity proofing is a core part of the digital identity guidelines. The process verifies an applicant's claimed identity by matching validated evidence against physical biometrics; at IAL3 this comparison takes place in person.
To meet NIST 800-63A IAL3 compliance, your identity assurance platform should support multi-factor authentication journeys with hardware-backed authenticators for IAL2 and IAL3, along with having a robust federation engine capable of supporting encryption for IAL3 or higher.
Identity assurance solutions should include a policy that limits PII collection. This avoids the invasiveness and overreach concerns that erode customer trust, while making the best use of federated data sources to reduce overhead without lowering the level of security.
Reporting
To comply with the IAL3 requirement for privileged access, CSPs must verify the identity of individuals using multiple methods of verification. This prevents fraudsters from hijacking identities to gain privileged access, and makes it more challenging for attackers to breach security systems.
CSPs use both remote and in-person methods, biometrics, and in-person attendance at identity proofing sessions to authenticate subjects in ways that resist attacks such as evidence tampering, theft, repudiation and more advanced social engineering. This requires a trained CSP representative to be present at on-site identity proofing sessions, in which biometric characteristics are collected and subjects are enrolled into subscriber accounts.
Trust Swiftly's approach is more effective than simple document and biometric comparison, since requiring a supervised in-person session reduces the risk of spoofing, identity evasion and fraud. Combining remote verification with human oversight provides maximum IAL3 security. Its robustness has also been validated through an open bounty challenge in which researchers and ethical hackers tested their abilities against its defenses.
Compliance
Trust Swiftly's remote IAL3-compliant solution reduces costs and risk by providing a strong authentication system that detects fraud where traditional security has failed.
The IAL2 Non-Biometric Pathway offers alternative verification methods that do not rely on automated comparison of an applicant's biometric sample to the biometric portrait on the identity evidence, for instance a visual comparison between the applicant's face and the photograph on the identity evidence.
The IAL1 Applicant References Pathway allows CSPs to verify applicants using references, provided the references meet certain requirements, such as being close to the applicant and being able to supply enough information to help confirm the applicant's identity. CSPs should document how their applicant-reference policy is implemented in their Privacy Impact Assessment (PIA) and make it accessible to relying parties (RPs).