Electronic Authentication Guideline
Table 3 - Identity Proofing Requirements by Assurance Level

Basis for issuing credentials

In-person: Possession of a valid current primary government picture ID [13] that contains the Applicant's picture, and either address of record or nationality of record (e.g., driver's license or Passport).

Remote: Possession of a valid current government ID [14] (e.g., a driver's license or Passport) number and a financial or utility account number (e.g., checking account, savings account, utility account, loan or credit card, or tax ID), confirmed via records of either the government ID or the account number. Note that confirmation of the financial or utility account may require supplemental information from the Applicant.

RA actions

In-person: RA inspects the photo-ID; compares the picture to the Applicant; and records the ID number, address and date of birth (DoB). (RA optionally reviews personal information in records to support issuance process "a" below.) If the photo-ID appears valid and the photo matches the Applicant, then:
a) If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text messages at the phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use; or
b) If the ID confirms the address of record, the RA authorizes or the CSP issues credentials. Notice is sent to the address of record; or
c) If the ID does not confirm the address of record, the CSP issues credentials in a manner that confirms the claimed address.

Remote:
• RA inspects both the ID number and the account number supplied by the Applicant (e.g., for the correct number of digits). Verifies information provided by the Applicant, including ID number OR account number, through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that name, DoB, address and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual. For utility account numbers, confirmation shall be performed by verifying knowledge of recent account activity. (This technique may also be applied to some financial accounts.)
• Address/phone number confirmation and notification [15]:
a) CSP issues credentials in a manner that confirms the ability of the Applicant to receive mail at a physical address associated with the Applicant in records; or
b) If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications or text messages at the phone number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use and shall be valid for a maximum lifetime of seven days; or
c) CSP issues credentials. RA or CSP sends notice to an address of record confirmed in [16]
[12] A token at this Level may also be obtained by authenticating to the CSP using mechanisms at the same or a higher Level (e.g., PIV). See 5.3.5 for more information.
[13] The following resources offer examples of what some agencies consider to be primary or secondary ID:
• USCIS Form I-9, "Lists of Acceptable Documents", http://www.uscis.gov/files/form/i-9.pdf
• Instructions for First Time Passport Applicants, http://travel.state.gov/passport/get/first/first_830.html#step4first
• Secondary Evidence of Identification, http://travel.state.gov/passport/get/secondary_evidence/secondary_evidence_4314.html
[14] Agencies issuing credentials to foreign nationals residing in foreign countries determine what constitutes a valid Government-issued ID as required.
[15] Requirements that use USPS mail for address confirmation and/or notification have a legal basis: Title 18 U.S. Code: Crimes and Criminal Procedure, Section 1708: Theft or receipt of stolen mail matter generally.
[16] Agencies are encouraged to use methods a) and b) where possible to achieve better security. Method c) is especially weak when not used in combination with knowledge of account activity.
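The channel-confirmation rule in the RA actions above (a temporary secret delivered to an address, phone number or e-mail of record, reset on first use, and valid for at most seven days) is a small piece of state that a CSP can enforce mechanically rather than by procedure. The following Python is an added example; it is not code from the guideline or from any CSP implementation. The class and method names, the constructed applicant identifiers and delivery channels, the attempt limit and the PBKDF2 parameters are assumptions for illustration; the seven-day cap and the reset-on-first-use behaviour are the table's own requirements.

```python
"""Temporary-secret issuance with the two constraints from Table 3 enforced:
a secret sent out of band is single-use (replaced on first use) and lives at
most seven days. Illustrative code; names and limits are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

MAX_LIFETIME = timedelta(days=7)   # cap stated in the table (remote, option b)
MAX_ATTEMPTS = 5                   # assumed guard against guessing a delivered secret
PBKDF2_ROUNDS = 100_000            # assumed work factor for the permanent credential


@dataclass
class TempSecret:
    applicant_id: str
    channel: str        # where the secret was delivered, e.g. "sms:+15555550100" (constructed)
    digest: bytes       # keyed hash of the secret; the clear value is never stored
    issued_at: datetime
    expires_at: datetime
    attempts: int = 0


class CredentialIssuer:
    """Issues a one-time secret over a confirmed channel and turns a successful
    redemption into a permanent credential chosen by the Applicant."""

    def __init__(self, server_key: bytes,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._key = server_key
        self._now = now                       # injectable clock so expiry can be tested
        self._pending: Dict[str, TempSecret] = {}
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}   # id -> (salt, pbkdf2 hash)

    def _digest(self, value: str) -> bytes:
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def issue(self, applicant_id: str, channel: str,
              lifetime: timedelta = MAX_LIFETIME) -> str:
        """Create the temporary secret. The return value goes to the delivery
        channel (post, SMS, e-mail) and is never echoed back over the session."""
        lifetime = min(lifetime, MAX_LIFETIME)          # never exceed seven days
        secret = secrets.token_urlsafe(24)
        now = self._now()
        self._pending[applicant_id] = TempSecret(
            applicant_id, channel, self._digest(secret), now, now + lifetime)
        return secret

    def pending_expiry(self, applicant_id: str) -> Optional[datetime]:
        rec = self._pending.get(applicant_id)
        return rec.expires_at if rec else None

    def redeem(self, applicant_id: str, presented: str, new_password: str) -> str:
        """Exchange the delivered secret for a permanent credential. Returns "ok"
        or a reason string. The temporary secret is consumed on success and
        discarded on expiry or after too many failures."""
        rec = self._pending.get(applicant_id)
        if rec is None:
            return "no-pending-secret"
        if self._now() > rec.expires_at:
            del self._pending[applicant_id]
            return "expired"
        if not hmac.compare_digest(rec.digest, self._digest(presented)):
            rec.attempts += 1
            if rec.attempts >= MAX_ATTEMPTS:
                del self._pending[applicant_id]
                return "locked"
            return "mismatch"
        del self._pending[applicant_id]                 # single use: reset on first use
        salt = secrets.token_bytes(16)
        self._credentials[applicant_id] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS))
        return "ok"

    def verify(self, applicant_id: str, password: str) -> bool:
        """Check the permanent credential chosen at redemption time."""
        entry = self._credentials.get(applicant_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(
            stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
```

Two design points matter here. The clear secret is returned only to the delivery path and is stored as a keyed hash, so a copy of the pending table is not enough to redeem it; and the lifetime argument is clamped rather than trusted, so a misconfigured caller cannot extend a mailed or texted secret beyond the seven days the table allows.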