NIST SP 800-63 

Overview 

The National Institute of Standards and Technology Digital Identity Guidelines (NIST SP 800-63-3 or NIST SP 800-63 version 3) special publication lays out the specifications for managing digital identity. The NIST SP 800-63-3 consists of four volumes:

• SP 800-63 Digital Identity Guidelines
• SP 800-63A Enrollment and Identity Proofing
• SP 800-63B Authentication and Lifecycle Management
• SP 800-63C Federation and Assertions

SP 800-63A Enrollment and Identity Proofing is relevant to IDEMIA ID&V.

This document describes how to use the ID&V solution in the context of Volume A: Enrollment and Identity Proofing(NIST SP 800-63A).

Introduction to NIST SP 800-63-3 Identity Proofing 

Based on NIST SP 800-63A, the identity proofing process phases are:

• Resolution: Collect information about the applicant's claimed identity in the form of identity evidence and personally identifiable information (PII), and resolve the claimed identity to a single unique identity
• Validation: Validate that the identity evidence is genuine, valid, and accurate, and that the identity evidence data matches records at authoritative source databases
• Verification: Verify that the physical applicant is the same individual described by the identity evidence by comparing the applicant's face to portrait images contained in the evidence or authoritative source databases

Identify Proofing Diagram 

The overall identity proofing process flow is shown below.

Source: SP 800-63A

IAL Proofing Requirements

SP 800-63A sets the requirements to achieve a given Identity Assurance Level (IAL). The three IALs reflect the options that agencies may select from based on their risk profile, and any potential harm caused by an attacker making a successful false claim of an identity.

The IALs are as follows:

IAL1: There is no requirement to link the applicant to a specific real-life identity

IAL2: Evidence supports the real-world existence of the claimed identity, and verifies that the applicant is appropriately associated with this real-world identity

IAL3: Physical presence is required for identity proofing; identifying attributes must be verified by an authorized and trained representative of the CSP

Source: SP 800-63A

The ID&V solution offers NIST SP 800-63-3 IAL2 identity proofing directly.

IAL3 identity proofing may also be achieved using ID&V with a conformant physical and electronic implementation that is outside of the scope of this document.

NIST SP 800-63-3 Concepts in ID&V 

Evidence Concepts 

NIST

In SP 800-63A, the term "evidence" corresponds more closely to the physical document or the data contained in an issued document.

SP 800-63A strong evidence includes:

• PII data
• Subject names
• Photo

ID&V

In the ID&V system, the term "evidence" refers to a piece of information to be used for proofing the applicant:

• ID&V ID_Documents might include subject names
• The ID&V portrait evidence refers to a photo of the subject obtained using biometric liveness detection

ID&V evidence is organized into categories comprised of a combination of:

• The source of identifying information
• The type of evidence issuer
• The type of information provided

Evidence Sources 

NIST Types

The evidence types relevant to SP 800-63A include:

• ID_Documents
• ID_Claim
• Portrait
• Consents

ID&V Types

ID&V evidence sources could be:

• A System of Record
• Piece of physical evidence
• Other authoritative systems

Issuer Types

Evidence issuers could be:

• Government issuers
• Utility service providers

Information types could include:

• Biographic

• biometric

• Images

  The cross-reference tables below map relationships between the ID&V terms and the SP 800-63A terms.

Strength of Evidence and Validation Concepts 

NIST Strengths

SP 800-63A defines evidence strengths ranging from weak to superior:

• The SP 800-63A defines evidence validation strength as ranging from weak to superior.
• The SP 800-63A defines validation strength for a given piece of evidence as it relates to the methods used to confirm that the evidence is genuine, authentic, correct, and pertains to a real person.

The strength of evidence is related to:

• The rigor of the evidence issuer's identification and issuance processes
• The physical and electronic security features of the evidence
• The mechanisms available to confirm that the applicant is the subject of the evidence

ID&V Strengths

• In ID&V the equivalent to SP 800-63A evidence strength is known as ID&V evidence strength, ranging from LEVEL0 to LEVEL4. The ID&V evidence strength is assigned by the evidence type.
• In ID&V the equivalent to SP 800-63A validation strength is known as the ID&V evidence score ranging from LEVEL0 to LEVEL4. The ID&V evidence score is determined per piece of evidence, and relates to the specifics validation steps performed on the given piece of evidence.

ID&V Evidence and SP 800-63A Identity Verification for IAL2 

This section describes how the ID&V evidence is used to verify the SP 800-63A identity for the IAL2 requirement.

Obtain ID&V Portrait Evidence Type

The ID&V Portrait evidence type can be obtained using liveness detection presentation attack detection while capturing an image of the applicant, then comparing the captured image against a reference image.

The reference image may come from an issuer System of Record (SoR) or from a verified piece of evidence.

SP 800-63A does not strictly require applicant liveness detection during remote proofing operations. However, ID&V strongly recommends using liveness detection to prevent trivially simple presentation attacks.

ID&V Capture for SP 800-63A IAL2 Evidence

Each ID&V evidence type uses a specific ID&V capture mechanism as follows:

• The main ID&V mechanism for the acquisition of DRIVERS LICENSE document images for IAL2 is the IDEMIA Web Capture SDK. This SDK is used to obtain high quality images of the front and back of the evidence document, extract data from the images using OCR, and authenticate the document by checking document security features.

• The main ID&V mechanism for the acquisition of PASSPORT MRZ data and data stored on-chip for IAL2 is the IDEMIA Native NFC SDK. This SDK is used to authenticate ICAO 9303 Passports by obtaining the MRZ from the passport, then reading the NFC chip on a passport and performing the necessary verifications and security checks.

  Additional capture mechanisms are possible. Refer to the documentation for each ID&V capture mechanism for more information.

Confirm SP 800-63A Identity Verification

Once the required evidence has been validated, the final stage of the SP 800-63A IAL2 flow is to confirm that the physical applicant matches the reference image of the strongest piece of evidence, known as SP 800-63A identity verification.

The ID&V Portrait evidence type is used for this purpose.

Verification Mechanisms for SP 800-63A IAL2 Evidence

Each ID&V evidence type uses specific evidence verification methods. The table below lists the most common evidence types used for SP 800-63A IAL2 proofing, along with their capture and verification mechanisms.

As each piece of verified evidence is added to the ID&V Identity, key identity elements from the incoming evidence are compared to the designated reference evidence to ensure that each piece of evidence pertains to the same individual.

The reference evidence is determined by scoring each piece of evidence that is added, based on several parameters, and selecting the highest scoring evidence.

A reference evidence is designated for ID Documents and Portrait evidence types.

Mapping SP 800-63A Elements to ID&V Equivalents for IAL2 

This section maps SP 800-63A terms and levels to their ID&V equivalents.

This document only covers SP 800-63A IAL2 for the evidence types processable in the US Market.

Evidence Strength Mapping for IAL2

The table below shows the mapping between the SP 800-63A evidence strength and ID&V evidence types.

Validation Strength Mapping for IAL2

The table below shows the mapping between SP 800-63A validation strength and ID&V verification methods and scores. Each piece of evidence must be validated at its strength level. For example, SP 800-63A Strong evidence must be validated using an SP 800-63A Strong validation mechanism.

Applicant Verification Strength Mapping for IAL2

SP 800-63A requires comparison of the physical applicant to the strongest piece of validated evidence to confirm that the physical applicant is the subject of the SP 800-63A evidence bundle.

To achieve SP 800-63A IAL2 using ID&V, the live facial image of the person must be compared to a reference image from the piece of SP 800-63A Strong evidence or from the issuing source of that evidence.

There are several possible sources of the reference image, depending on the evidence type and issuing jurisdiction:

SP 800-63A IAL2 mapping for ID&V Level of Assurance

SP 800-63A IAL2 is equivalent to ID&V LOA5.

Options for Using ID&V to Verify IAL2 

There are several ways to use ID&V to attain SP 800-63A IAL2 verification. The options depend on which pieces of SP 800-63A evidence are available for validation, the mechanism used to acquire images of that evidence, and the mechanism used to perform facial biometric matching and liveness detection.

The following activities are part of the proofing flow design and configuration:

• Choose the types and combinations of SP 800-63A evidence that will be used to attempt IAL2 proofing (e.g., U.S. Drivers License, US Passport, SSN, mobile phone number, or credit card number);
• Confirm the ID&V evidence acquisition method for each evidence type (e.g., IDEMIA web capture SDK, IDEMIA Biometric Services SDK). The evidence type and evidence acquisition method determines the available mechanisms to validate the evidence and data;
• Arrange the order of actions required to construct an ID&V Identity that can attain SP 800-63A IAL2 proofing.

Activity 1: Choose which combinations of evidence will be used for IAL2 flows 

SP 800-63A IAL2 requires validation of one of several possible combinations of evidence, typically referred in SP 800-63A shorthand as 1 SUPERIOR, or; 2 STRONG, or; 1 STRONG plus 2 FAIR. These combinations are labeled A, B, C1, C2, C3 and C4 in the summary table below. The practical implications are that only a limited number of combinations of ID&V evidence can be used to achieve SP 800-63A IAL2.

Activity 2: Confirm the mechanism for SP 800-63A evidence acquisition and validation 

This section describes the ID&V mechanisms for acquisition of evidence document images for ID&V evidence category ID_Document.

SP 800-63A STRONG Evidence

If the SP 800-63A STRONG evidence document selected:

• Is a U.S. Drivers License (ID&V evidence type DRIVING LICENSES), images of the front and back of the document are required and can be captured using the IDEMIA Web Capture SDK; or

• Is a U.S. Passport (ID&V evidence type PASSPORT), the MRZ and NFC chip must be read and processed and can be captured using the IDEMIA Native NFC SDK.

The IDEMIA Web Capture SDK will return front and back evidence images, identity attribute data from OCR, identity attribute data from PDF417 barcode and a cropped photo. These data elements are added to the ID&V Identity.

The IDEMIA Native NFC SDK returns the MRZ, identity attribute data and portrait photo contained in the passport chip.

A submission limitation has been added to comply with PAD (presentation attacks detection) requirements. The ID&V system will not accept a new submission after N attempts. The number of attempts is configurable in the ID&V system. Each rejected attempt will be responded with a 403 http error code.

SP 800-63A FAIR Evidence

If using the SP 800-63A FAIR evidence type, the responsibility for obtaining the account reference numbers rests with the integrator. The FAIR evidence is provided as account number parameters in the API calls.

ID&V Portrait Evidence

The IDEMIA Capture SDK is used to acquire a facial image with liveness detection.

The captured facial image must be compared to a designated reference image from the SP 800-63A STRONG evidence validation activity.

Summary of valid IAL2 Evidence Types, Validation Mechanisms & Scores 

The table lists the acceptable SP 800-63A evidence combinations for IAL2, potential ID&V evidence types and their capture and verification mechanisms, and the ID&V evidence status and scores required to reach IAL2 proofing.

Note: ID&V is able to produce additional statuses and scores, but those additional values do not qualify for IAL2 proofing.

Activity 3: Define the order of flow processing 

The order of processing is driven by the need to verify evidence then correlate it with the reference evidence. For example, integrators should submit the strongest available evidence to ID&V followed by weaker evidence.

Example ID&V Flow to Achieve SP 800-63A IAL2 

Basic Workflow Details 

Basic Workflow: IAL2 Evidence Requirements

For evidence you must have a user's:

• Consent to process the evidence for the purpose of identification
• Valid State issued Drivers License (Strong evidence)
• Valid SSN (Fair evidence)
• Valid phone number (landline or mobile) (Fair evidence)
• Picture (i.e., selfie) with liveness detection activated (Strong Identity Verification)

Basic Workflow: IAL2 Verification Methods

The verification methods used are listed below:

• (Doc Auth & Issuing source validation) for the Drivers License
• ID Claim for the SSN
• ID Claim for the phone number
• Enrollment code for the phone number
• Consistency checks of the identity evidence
• User's portrait biometric and liveness verification

Phone enrollment code is configurable in ID&V with a minimal 10 digits.

Basic Workflow: Workflow Steps

The primary workflow steps for IAL2 are listed below:

• Initiating session with ID&V (Step 1)
• Submitting consents (Step 2)
• Sending Driving License images (Step 3)
• Sending information of SSN and Phone Number using ID Claim (Step 4)
• Perform liveness capture of the user (selfie+liveness) (Step 5)
• Get Identity: If LOA5 is reached, the identity proofing has reached IAL2 (Step 6)

Basic workflow: Diagram of workflow steps

A diagram of the IAL2 workflow steps that ID&V uses based on the NIST standard is shown.

ID&V Basic IAL2 Workflow WebService Calls

There are many ways to implement the appropriate Web Service requests depending on your programming language.

For the sake of clarity, the request examples use the cURL tool syntax.

The variables used in the request URLs are:

Step 1: Create Identity

An example of how to create identity is shown in the snippet:

Shell
1curl -X POST https://[URL_MAIN_PART]/gips/v1/identities  \
2-H 'Content-Type: multipart/form-data' \
3-H 'apikey: [APIKEY_VALUE]'

Step 2: Submitting consents

An example of how to submit consents is shown in the snippet:

Shell
1curl -X POST \
2  https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID]/consents \
3  -H 'Content-Type: application/json' \
4  -H 'apikey: [APIKEY_VALUE]' \
5  -d '[{
6    "approved": true,
7    "type": "ID_CLAIM"
8}, {
9    "approved": true,
10    "type": "GIV"
11}{
12    "approved": true,
13    "type": "PORTRAIT"
14}]'

Step 3-a: Submitting a Document Capture

The purpose of this step is to capture images of the evidence documents. There are two main approaches: use the IDEMIA Web Capture SDK to capture images from a mobile device video stream, or to supply ID&V with static images of the document. As described earlier in this document, IDEMIA Web Capture SDK is the recommended option.

If static images are used, the following cURL command is appropriate as shown in the snippet:

Shell
1curl -X POST \
2https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID]/id-documents/capture \
3-H 'Content-Type: multipart/form-data' \
4-H 'apikey: [APIKEY_VALUE]' \
5-F 'DocumentFront=@[ABSOLUTE_LOCAL_PATH_TO_IDDOCUMENT_FRONT]'
6-F 'DocumentBack=@[ABSOLUTE_LOCAL_PATH_TO_IDDOCUMENT_BACK]'
7-F 'DocumentCaptureDetails=@[ABSOLUTE_LOCAL_PATH_TO_DOCUMENTCAPTUREDETAILS]'

Submission Limitation:

• A 403 http error code will be returned if the number of attempts is exceeded.

• The DOCUMENT_VELOCITY_CHECK indicator could be raised in the identity . It is a warning indicator that is returned when the same document is submitted multiple times in a short period of time. The indicator is used to detect potential fraud attempts.

Step 3-b: Check the Identity result

An example of how to check the identity result is shown in the snippet:

Shell
1curl -X GET \
2https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID] \
3-H 'Content-Type: application/json' \
4    -H 'apikey: [APIKEY_VALUE]'

Verify the following:

• The Driving License status="VERIFIED"
• The evidence score should be "LEVEL3"
• Data from the Driving License populates the Identity attributes

Step 4-a: Submitting an ID Claim (SSN = personalNumber; Phone Number = mobile)

An example of how to submit an ID claim is shown in the snippet:

Shell
1curl -X POST \
2  https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID]/claim \
3  -H 'Content-Type: application/json' \
4  -H 'apikey: [APIKEY_VALUE]' \
5  -d '{
6    "attributesData": {
7            "givenNames": [{
8                    "value": "CHRISTOPHE"
9                }
10            ],
11            "surname": {
12                "value": "ULYSSE"
13            },
14            "dateOfBirth": {
15                "value": "1968-10-18"
16            },
17            "personalNumber": {
18                "value": "666436878",
19                "issuingCountry": "USA"
20
21            }
22        },
23    "addressesData": {
24            "streetDetails": {
25                "streetLines": [
26                    "1 MAIN STREET"
27                ]
28            },
29            "postcode": "111110000",
30            "city": "ANYTOWN",
31            "state": "MA",
32            "country": "USA"
33    },
34    "contactDetails": {
35        "mobile": {
36             "value": "123456789"
37            }
38    }
39}'

Note: The address is not mandatory if it was already extracted from the DRIVING LICENSE.

Step 4-b: Submit a phone OTP code

An example of how to submit the OTP received for verification is shown in the snippet:

Shell
1curl -X POST https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID]/contact-details/mobile/otp \
2  -H 'apikey: [APIKEY_VALUE]' \
3  -H 'Content-Type: application/json' \
4  -d ' {
5	 "value": "8965712347"
6	   }'

Step 4-c: Check the Identity Result

An example of how to check the identity result is shown in the snippet:

Shell
1curl -X GET \
2https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID] \
3-H 'Content-Type: application/json' \
4    -H 'apikey: [APIKEY_VALUE]'

Verify the following:

• The ID_CLAIM status="VERIFIED"
• The evidence score should be "LEVEL3"
• Data from the Id Claim should populate the Identity attributes

Step 5-a: Start Liveness Session

The purpose of this step is to capture a liveness-tested image of the mobile device holder. The IDEMIA Biometric Liveness Verification SDK is used to capture images from a mobile device video stream, or to supply ID&V with data from a third-party system.

As described earlier in this document, IDEMIA Biometric Liveness Verification SDK is the recommended option.

Note: In order for an application to go fully through this step, refer to the IDEMIA Biometric Liveness Verification SDK documentation.

Step 6: Check the Identity Result

An example of how to check the identity result is shown in the snippet:

Shell
1curl -X GET \
2https://[URL_MAIN_PART]/gips/v1/identities/[IDENTITY_ID] \
3-H 'Content-Type: application/json' \
4    -H 'apikey: [APIKEY_VALUE]'

There should be an LOA5 if everything went properly.

It is advised to get the status after each piece of evidence is submitted to make sure it was processed properly.

Other ID&V Scenario Workflow Diagrams for IAL2

The following diagrams show other ID&V workflows that allow the user to reach an LOA level compatible with NIST IAL2.

Scenario 1: NIST IAL2 Using NFC+ ID Claim + Portrait

Scenario 2: NIST IAL2 Using NFC + Doc. Auth + Portrait

References 

Idemia's ID&V Proofing Services OID is 1.3.6.1.4.1.54916.1.2.1.