3.2 E-authentication
3.2.4 Registration Process
3.2.4.4 Requirements for One-Time Use
For infrequently used applications, issuance and maintenance of credentials would be prohibitively expensive. Claimants can be authenticated for immediate one-time access to an application for Levels 1 through 3. At Level 1, there is no requirement for identity proofing before one-time use. At Levels 2 and 3, application owners act as the RA/CSP in the remote registration processes described in Table 8, using processes that do not require confirmation of the address of record and omitting credential issuance.
For immediate one-time access at Level 2, application owners can use the registration processes specified in Table 7 that:
1. Confirm “the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records”; or
2. Subsequently send a “notice to an address of record confirmed in the records check.”
For immediate one-time access at Level 3, application owners can use the registration process specified in Table 8 that:
1. Confirms “the ability of the Applicant to receive telephone communications at a phone number associated with the Applicant in records, while recording the Applicant’s voice or using alternative means that establish an equivalent level of non-repudiation.”
April 17, 2014 - Version 1.3 (FINAL) 37
Table 8 Registration and Identity Proofing (Levels of Assurance)

Control 1. Registration Requirements
Level 1: There are no level-specific requirements at Level 1.
Level 2: Both in-person and remote registration are permitted. The Applicant supplies his or her full legal name, an address of record, and date of birth (DoB), and may also supply other individual identifying information subject to CMS requirements.
Level 3: Both in-person and remote registration are permitted. The Applicant supplies his or her full legal name, an address of record, and date of birth (DoB), and may also supply other individual identifying information subject to CMS requirements.
Level 4: Only in-person registration is permitted. The Applicant supplies his or her full legal name, an address of record, and date of birth (DoB), and may also supply other individual identifying information subject to CMS requirements.

Control 2. In-Person Identity Proofing Requirements

2.1 Basis for Issuing Credentials
Level 1: There are no level-specific requirements at Level 1.
Level 2: Possession of a valid current primary government picture ID[24] that contains Applicant’s picture, and either address of record or nationality of record (e.g., driver’s license or passport).
Level 3: Possession of verified current primary government picture ID that contains Applicant’s picture and either address of record or nationality of record (e.g., driver’s license or passport).
Level 4: In-person appearance and verification of:
1. A current primary government picture ID that contains Applicant’s picture, and either address of record or nationality of record (e.g., driver’s license or passport); and
2. Either a second, independent government ID document that contains current corroborating information (e.g., either address of record or nationality of record), or verification of a financial account number (e.g., checking account, savings account, loan or credit card) confirmed via records.

2.2 RA and CSP Actions
Level 1: There are no level-specific requirements at Level 1.
Level 2: RA inspects photo-ID, compares picture to Applicant, and records the ID number, address, and DoB. (RA optionally reviews personal information in records to support issuance process “1” below.) If ID appears valid and photo matches Applicant, then:
1. If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use; or
2. If ID confirms address of record, RA authorizes or CSP issues credentials. Notice is sent to address of record; or
3. If ID does not confirm address of record, CSP issues credentials in a manner that confirms the claimed address.
Level 3: RA inspects photo-ID and verifies via the issuing government agency or through credit bureaus or similar databases. Confirms that name, DoB, address, and other personal information in record are consistent with the application. Compares picture to Applicant, and records the ID number. If ID is valid and photo matches Applicant, then:
1. If personal information in records includes a telephone number, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications at a number associated with the Applicant in records, while recording the Applicant’s voice or using alternative means that establish an equivalent level of non-repudiation; or
2. If ID confirms address of record, RA authorizes or CSP issues credentials. Notice is sent to address of record; or
3. If ID does not confirm address of record, CSP issues credentials in a manner that confirms address.
Level 4:
Primary Photo ID: RA inspects photo-ID and verifies via the issuing government agency or through credit bureaus or similar databases. Confirms that name, DoB, address, and other personal information in record are consistent with the application. Compares picture to Applicant, and records ID number.
Secondary Government ID or financial account:
1. RA inspects secondary government ID and, if apparently valid, confirms that the identifying information is consistent with the primary photo-ID; or
2. RA verifies financial account number supplied by Applicant through record checks or through credit bureaus or similar databases, and confirms that name, DoB, address, and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual.
Note: Address of record shall be confirmed through validation of either primary or secondary ID.
Current Biometric: RA records a current biometric (e.g., photograph or fingerprints) to ensure that Applicant cannot repudiate application.
CSP issues credentials in a manner that confirms address of record.

Control 3. Remote Identity Proofing Requirements

3.1 Basis for Issuing Credentials
Level 1: There are no level-specific requirements at Level 1.
Level 2: Possession of a valid current government ID[25] (e.g., a driver’s license or passport) number and a financial or utility account number (e.g., checking account, savings account, utility account, loan, credit card, or tax ID) confirmed via records of either the government ID or account number. Note that confirmation of the financial or utility account may require supplemental information from the Applicant.
Level 3: Possession of a valid current government ID (e.g., a driver’s license or passport) number and a financial or utility account number (e.g., checking account, savings account, utility account, loan, or credit card) confirmed via records of both numbers. Note that confirmation of the financial or utility account may require supplemental information from the Applicant.
Level 4: Not Applicable

3.2 RA and CSP Actions
Level 1: There are no level-specific requirements at Level 1.
Level 2: RA inspects both ID number and account number supplied by Applicant (e.g., for correct number of digits). Verifies information provided by Applicant including ID number or account number through record checks either with the applicable agency or institution, or through credit bureaus or similar databases, and confirms that name, DoB, address, and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual. For utility account numbers, confirmation shall be performed by verifying knowledge of recent account activity. (This technique may also be applied to some financial accounts.)
Address/phone number confirmation and notification:
1. CSP issues credentials in a manner that confirms the ability of the Applicant to receive mail at a physical address associated with the Applicant in records; or
2. If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use and shall have a maximum lifetime of seven days; or
3. The CSP issues credentials. RA or CSP sends notice to an address of record confirmed in the records check.[26]
Level 3: RA verifies information provided by Applicant including ID number and account number through record checks either with the applicable agency or institution, or through credit bureaus or similar databases, and confirms that name, DoB, address, and other personal information in records are consistent with the application and sufficient to identify a unique individual. At a minimum, the records check for both the ID number and the account number should confirm the name and address of the Applicant. For utility account numbers, confirmation shall be performed by verifying knowledge of recent account activity. (This technique may also be applied to some financial accounts.)
Address confirmation:
1. CSP issues credentials in a manner that confirms the ability of the Applicant to receive mail at a physical address associated with the Applicant in records; or
2. If personal information in records includes both an electronic address and a physical address that are linked together with the Applicant’s name, and are consistent with the information provided by the Applicant, then the CSP may issue credentials in a manner that confirms ability of the Applicant to receive messages (Simple Message Service (SMS), voice or e-mail) sent to the electronic address. Any secret sent over an unprotected session shall be reset upon first use and shall have a maximum lifetime of seven days.
Level 4: Not Applicable

Control 4. Records Retention Requirements
Level 1: There are no level-specific requirements at Level 1.
Level 2: A record of the registration, history, and status of each token and credential (including revocation) shall be maintained by the CSP or its representative. The minimum record retention period for data is seven (7) years and six (6) months beyond the expiration or revocation (whichever is later) of the credential.
Level 3: A record of the registration, history, and status of each token and credential (including revocation) shall be maintained by the CSP or its representative. The minimum record retention period for data is seven (7) years and six (6) months beyond the expiration or revocation (whichever is later) of the credential.
Level 4: A record of the registration, history, and status of each token and credential (including revocation) shall be maintained by the CSP or its representative. The minimum record retention period for data is ten (10) years and six (6) months beyond the expiration or revocation of the credential.

Control 5. Remote One-Time Use Credential Requirements

5.1 Identity Proofing
Level 1: There are no level-specific requirements at Level 1.
Level 2: Application owners act as the RA/CSP in the remote registration processes described in this table (Section 3.1 above), using processes that do not require confirmation of the address of record and omitting credential issuance.
Level 3: Application owners act as the RA/CSP in the remote registration processes described in this table (Section 3.1 above), using processes that do not require confirmation of the address of record and omitting credential issuance.
Level 4: Not Applicable

5.2 Registration Process
Level 1: There are no level-specific requirements at Level 1.
Level 2: For immediate one-time access, application owners can use the registration processes specified in this table (Section 3.2 above) that:
1. Confirm “the ability of the Applicant to receive telephone communications or text message at phone number or e-mail address associated with the Applicant in records”; or
2. Subsequently send a “notice to an address of record confirmed in the records check.”
Level 3: For immediate one-time access, application owners can use the registration process specified in this table (Section 3.2 above) that:
1. Confirms “the ability of the Applicant to receive telephone communications at a phone number associated with the Applicant in records while recording the Applicant’s voice or using alternative means that establish an equivalent level of non-repudiation.”
Level 4: Not Applicable

Footnotes to Table 8:
[24] The following resources offer examples of what some agencies consider to be primary or secondary ID: U.S. Citizenship and Immigration Services (USCIS) Form I-9, “Lists of Acceptable Documents”, http://www.uscis.gov/files/form/i-9.pdf; Instructions for First Time Passport Applicants, http://travel.state.gov/passport/get/first/first_830.html#step4first
[26] Agencies are encouraged to use methods “1” and “2” where possible to achieve better security. Method “3” is especially weak when not used in combination with knowledge of account activity.
Remote registration at Levels 2 and 3 requires confirmation of a financial or utility account number. The requirement for a financial account or utility account number may be satisfied by a cellular or landline telephone service account under the following conditions: The phone is associated in Records with the Applicant’s name and address of record; and
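The following is an added worked example and is not text or code from the CMS handbook. It models the two controls in Table 8 that translate directly into mechanism: row 3.2 (Levels 2 and 3) requires that any secret the CSP sends over an unprotected session (SMS, voice, e-mail) to an address held in the RA's records be reset upon first use and live at most seven days, and row 4 requires that the registration, history and status of each credential (including revocation) be retained for seven years and six months (Levels 2 and 3) or ten years and six months (Level 4) beyond the later of expiration or revocation. Every class, function and identifier below is hypothetical, and the applicant identifiers, phone number, e-mail address and dates are constructed sample data.

```python
"""Added example, not CMS handbook text: issuance-secret lifecycle under Table 8 row 3.2
(Levels 2 and 3) and the row 4 retention horizon. All names here are hypothetical."""
import calendar
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

MAX_SECRET_LIFETIME = timedelta(days=7)        # Table 8, 3.2: "maximum lifetime of seven days"
RETENTION = {2: (7, 6), 3: (7, 6), 4: (10, 6)}  # Table 8, 4: (years, months) beyond expiry/revocation

def _digest(value: str) -> bytes:
    """Only a hash of any secret is kept server-side."""
    return hashlib.sha256(value.encode("utf-8")).digest()

def add_years_months(when: datetime, years: int, months: int) -> datetime:
    """Calendar arithmetic; clamps the day (e.g. Aug 31 + 6 months -> last day of February)."""
    total = when.month - 1 + months
    year, month = when.year + years + total // 12, total % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)

def retention_end(level: int, expires_at: datetime, revoked_at: Optional[datetime] = None) -> datetime:
    """Earliest moment the credential record may be destroyed: later of expiry and revocation, plus the period."""
    years, months = RETENTION[level]
    latest = max(expires_at, revoked_at) if revoked_at is not None else expires_at
    return add_years_months(latest, years, months)

@dataclass
class IssuanceSecret:
    address_of_record: str  # taken from records, never from the Applicant's session
    secret_hash: bytes
    issued_at: datetime
    expires_at: datetime
    used_at: Optional[datetime] = None

class IssuanceSecretStore:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._pending: Dict[str, IssuanceSecret] = {}
        self._credentials: Dict[str, bytes] = {}          # applicant -> hash of the Applicant-chosen secret
        self.audit: List[Tuple[datetime, str, str]] = []  # history retained as part of the row 4 record

    def issue(self, applicant_id: str, address_of_record: str, lifetime: timedelta = MAX_SECRET_LIFETIME) -> str:
        """Mint a secret for delivery to the address of record; the plaintext is returned only to the sender."""
        if lifetime > MAX_SECRET_LIFETIME:
            raise ValueError("lifetime exceeds the seven-day maximum")
        now = self._clock()
        plaintext = secrets.token_urlsafe(24)
        self._pending[applicant_id] = IssuanceSecret(address_of_record, _digest(plaintext), now, now + lifetime)
        self.audit.append((now, applicant_id, f"issuance secret sent to {address_of_record}"))
        return plaintext

    def redeem(self, applicant_id: str, presented: str, replacement: str) -> bool:
        """Consume the delivered secret exactly once and install the Applicant's replacement (reset upon first use)."""
        now = self._clock()
        rec = self._pending.get(applicant_id)
        if rec is None:
            return self._reject(now, applicant_id, "no pending secret")
        if rec.used_at is not None:
            return self._reject(now, applicant_id, "secret already used")
        if now > rec.expires_at:
            return self._reject(now, applicant_id, "secret expired")
        if not hmac.compare_digest(rec.secret_hash, _digest(presented)):
            return self._reject(now, applicant_id, "secret mismatch")
        rec.used_at = now
        self._credentials[applicant_id] = _digest(replacement)
        self.audit.append((now, applicant_id, "address of record confirmed; credential issued"))
        return True

    def _reject(self, now: datetime, applicant_id: str, reason: str) -> bool:
        self.audit.append((now, applicant_id, f"redemption rejected: {reason}"))
        return False

    def has_credential(self, applicant_id: str) -> bool:
        return applicant_id in self._credentials

def demo() -> dict:
    """Run the lifecycle against a fixed clock with constructed sample data; returns the observable outcomes."""
    clock = [datetime(2014, 4, 17, tzinfo=timezone.utc)]
    store = IssuanceSecretStore(clock=lambda: clock[0])
    out = {}
    sent = store.issue("applicant-001", "+1-555-0100 (phone number held in records)")
    out["wrong_secret"] = store.redeem("applicant-001", "not-the-secret", "applicant-chosen-secret")
    out["first_use"] = store.redeem("applicant-001", sent, "applicant-chosen-secret")
    out["replay"] = store.redeem("applicant-001", sent, "applicant-chosen-secret")
    out["credential_present"] = store.has_credential("applicant-001")
    sent2 = store.issue("applicant-002", "second.applicant@example.invalid (e-mail held in records)")
    clock[0] += timedelta(days=7, seconds=1)              # one second past the seven-day maximum
    out["expired"] = store.redeem("applicant-002", sent2, "another-secret")
    expiry = datetime(2016, 8, 31, tzinfo=timezone.utc)
    revoked = datetime(2017, 1, 15, tzinfo=timezone.utc)  # revoked after expiry: the later date governs
    out["retention_l2"] = retention_end(2, expiry, revoked).date().isoformat()
    out["retention_l4"] = retention_end(4, expiry).date().isoformat()
    out["audit_events"] = len(store.audit)
    return out
```

Two design points carry the weight of the control. The delivery address comes from the RA's records, not from the Applicant's session, so the secret only proves control of the address of record; and the replacement secret is installed in the same call that consumes the delivered one, so a secret that travelled over an unprotected channel can never be used as the standing credential. The audit list is deliberately append-only and includes rejected attempts, since the row 4 record is the history of the credential, not just its current status.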