What is NIST LOA3 Identity Verification?
Digital identity proofing is a critical step for businesses, governments, and other organizations to ensure safety and security online. Without digital identity proofing, it is impossible to ensure anyone online is legitimately who they say they are. As the number of online interactions and transactions continue to grow rapidly, identity theft scams and online fraud are also on the rise.
The National Institute of Standards and Technologies (NIST) has created the guidelines for digital identity proofing. They define four levels of assurance (LOAs) in the NIST 800-63-2 digital identity guidelines. Although NIST 800-63-2 has been superseded by NIST 800-63-3, the four levels of assurance of the legacy standard are still in use by many federal and state agencies to verify that citizens are who they say they are before being granted access to restricted information or accounts. LOA3 defines both the identity proofing and authentication requirements.
Identity Proofing
The identity proofing requirements are used the first time an individual requests access to their account in order to initially verify that an identity exists and that the identity actually belongs to the person claiming it. Identity proofing can be completed remotely or in person.
Example
Consider accounts that hold information already registered to a certain person, such as a government account linked to a social security number. To request access to that information, you must first provide evidence that you are the owner of that identity, potentially by using a passport, driver’s license, or government-issued ID.
What You Need
Evidence Collection
LOA3 requires evidence of one of the following to verify identity:
- A valid government ID number
- A financial or utility account number
Verification
To tie the identity claimed to the identity presented on the evidence, complete one of the following:
- Government ID: The information presented on the government ID (name, date of birth, etc.) is confirmed to match the personal information submitted on the application. The personal information is then matched against an authoritative database like a credit bureau or government agency.
- Account numbers: The personal information submitted on the application is matched to a financial or utility record. The applicant then answers a series of questions based on their knowledge of recent account activity.
Authentication
The authentication requirements are used on each subsequent login to ensure the individual logging into the account is the same as the person whose identity was verified and tied to the account. LOA3 introduces multi-factor authentication (MFA) as a requirement. Cryptographic techniques must be used for the authentication protocols.
Authenticators Required
At least two authenticators from different categories are required. LOA3 does not directly address biometrics, which would count as “something you are.” Therefore the two authenticators must be from the “something you know” and “something you have” categories. A “memorized secret,” commonly a strong password, can be used in combination with the following authenticators to achieve Level 3 MFA.
ID.me’s LOA3 Identity Proofing Services
The digital identity landscape can be confusing, but ID.me is here to simplify the industry for businesses, government agencies, and consumers. ID.me’s team can help you build a robust, scalable, and efficient solution. We provide a complete identity platform featuring NIST 800-63-2 LOA3 aligned capabilities with identity proofing and a flexible identity broker.
See ID.me’s work in action by contacting us on our sales demo page