Identity Proofing – SSCP Access Controls Guide
What is Identity Proofing?
Identity proofing is the process of verifying that a person is who they claim to be before granting them credentials, accounts, or access to systems and resources. It is the critical first step in the identity management lifecycle, occurring before authentication or authorization can take place. Think of it as the gatekeeper that ensures only legitimate individuals are enrolled into a system.
Identity proofing answers the fundamental question: "Are you really who you say you are?"
Why is Identity Proofing Important?
Identity proofing is the foundation upon which all other access controls rest. If an organization fails to properly verify someone's identity at the enrollment stage, every subsequent security measure — passwords, multi-factor authentication, role-based access — becomes meaningless. Here's why it matters:
1. Prevents Unauthorized Access: If a malicious actor can fraudulently establish an identity, they gain legitimate credentials and can bypass security controls entirely.
2. Supports Non-Repudiation: Proper identity proofing ensures that actions performed under a given account can be reliably traced back to a real individual.
3. Regulatory Compliance: Many regulations (HIPAA, SOX, PCI-DSS, GDPR) require organizations to verify identities before granting access to sensitive data.
4. Protects Organizational Assets: Weak identity proofing can lead to data breaches, insider threats, and fraud, all of which carry financial and reputational consequences.
5. Establishes Trust: It forms the root of trust in any identity and access management (IAM) system.
How Does Identity Proofing Work?
Identity proofing typically involves three core phases, as outlined by NIST SP 800-63A:
1. Resolution
The process of collecting and distinguishing a claimed identity from other identities. The individual provides identity evidence such as:
- Government-issued photo ID (passport, driver's license)
- Birth certificate
- Social Security Number
- Employee ID or organizational documentation
2. Validation
The evidence provided is checked for authenticity and accuracy. This may involve:
- Verifying the document is genuine and has not been tampered with
- Cross-referencing information against authoritative databases
- Checking that documents are current and not expired
- Using electronic verification services
3. Verification
Confirming that the claimed identity actually belongs to the person presenting the evidence. Methods include:
- In-person verification: A face-to-face meeting where a trusted agent compares the individual to a photo ID
- Remote verification: Video calls, knowledge-based verification (KBV), biometric comparison
- Supervised remote verification: A trained operator guides the process via a real-time digital session
NIST Identity Assurance Levels (IALs)
NIST SP 800-63A defines three Identity Assurance Levels:
- IAL1: No identity proofing is required. The system does not need to know the real-world identity of the user. Self-assertion is accepted.
- IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with it. Can be done remotely or in person.
- IAL3: Requires physical presence for identity proofing. A trained representative must verify identifying documents in person. This is the highest level of assurance.
Common Identity Proofing Methods
- Knowledge-Based Verification (KBV): Asking questions that only the real person should know (e.g., previous addresses, loan amounts). Note: KBV alone is considered weak due to data breaches making personal information widely available.
- Document Verification: Validating government-issued documents through visual inspection or electronic means.
- Biometric Verification: Comparing a live biometric sample (fingerprint, facial scan) to one on record or embedded in a document.
- Credit Bureau Checks: Cross-referencing identity claims against credit history databases.
- Trusted Referees/Sponsors: An existing trusted employee or member vouches for the new individual's identity.
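The three phases and the IAL mapping above can be expressed as a small enrollment decision routine. The following is an added example written for this guide, not code from NIST or from any real proofing product; the evidence kinds, the `Applicant` and `Evidence` fields, and the rule that supervised remote sessions and remote biometric checks reach IAL2 while only in-person checks reach IAL3 are assumptions that follow the simplified level descriptions on this page. It walks an applicant through Resolution, Validation and Verification in order, stops at the first failing phase, and records why, which is the audit trail an enrollment reviewer would want when a fraudulent identity is later investigated.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import List, Optional


class IAL(IntEnum):
    """NIST SP 800-63A Identity Assurance Levels as described in this guide."""
    IAL1 = 1  # self-asserted, no proofing
    IAL2 = 2  # remote or in-person proofing against genuine evidence
    IAL3 = 3  # in-person proofing by a trained representative


@dataclass
class Evidence:
    kind: str                       # e.g. "passport", "drivers_license", "birth_certificate"
    expires: Optional[date]         # None for documents without an expiry date
    tamper_check_passed: bool       # physical/electronic genuineness check
    authoritative_match: bool       # cross-reference against the issuing database


@dataclass
class Applicant:
    claimed_name: str
    evidence: List[Evidence]
    # "in_person", "supervised_remote", "remote_biometric", "kbv" or "none"
    verification_method: str
    verification_passed: bool


@dataclass
class ProofingResult:
    achieved: IAL
    phase_log: List[str] = field(default_factory=list)


# Assumed policy: only government photo ID counts as strong evidence.
STRONG_EVIDENCE = {"passport", "drivers_license"}
# Assumed mapping of verification method to the highest level it can reach.
METHOD_CEILING = {
    "in_person": IAL.IAL3,
    "supervised_remote": IAL.IAL2,
    "remote_biometric": IAL.IAL2,
    "kbv": IAL.IAL1,   # KBV alone is treated as weak, per this guide
    "none": IAL.IAL1,
}


def proof_identity(applicant: Applicant, today: date) -> ProofingResult:
    """Run Resolution -> Validation -> Verification; return the IAL achieved."""
    log: List[str] = []

    # Phase 1: Resolution - is there a distinct claimed identity with evidence?
    if not applicant.claimed_name.strip() or not applicant.evidence:
        log.append("resolution: no claimed identity or no evidence supplied")
        return ProofingResult(IAL.IAL1, log)
    log.append(f"resolution: claimed identity '{applicant.claimed_name}' "
               f"with {len(applicant.evidence)} evidence item(s)")

    # Phase 2: Validation - is each piece of evidence genuine and current?
    valid: List[Evidence] = []
    for ev in applicant.evidence:
        if ev.expires is not None and ev.expires < today:
            log.append(f"validation: {ev.kind} expired on {ev.expires.isoformat()}")
        elif not ev.tamper_check_passed:
            log.append(f"validation: {ev.kind} failed tamper check")
        elif not ev.authoritative_match:
            log.append(f"validation: {ev.kind} not confirmed by issuing authority")
        else:
            valid.append(ev)
    if not any(ev.kind in STRONG_EVIDENCE for ev in valid):
        log.append("validation: no genuine strong evidence remains")
        return ProofingResult(IAL.IAL1, log)

    # Phase 3: Verification - does the evidence belong to the person present?
    ceiling = METHOD_CEILING.get(applicant.verification_method, IAL.IAL1)
    if not applicant.verification_passed or ceiling == IAL.IAL1:
        log.append(f"verification: method '{applicant.verification_method}' "
                   "did not bind the applicant to the evidence")
        return ProofingResult(IAL.IAL1, log)
    log.append(f"verification: {applicant.verification_method} succeeded -> {ceiling.name}")
    return ProofingResult(ceiling, log)


def meets_requirement(result: ProofingResult, required: IAL) -> bool:
    """Provisioning gate: credentials are issued only if the required IAL is met."""
    return result.achieved >= required


if __name__ == "__main__":
    # Constructed sample applicant: valid passport, in-person check.
    today = date(2024, 6, 1)
    new_hire = Applicant("A. Example", [Evidence("passport", date(2030, 1, 1), True, True)],
                         "in_person", True)
    result = proof_identity(new_hire, today)
    print(result.achieved.name, result.phase_log)
```

The phase log is the useful output: when an account is later found to be fraudulent, it shows whether the failure was in resolution, validation or verification, which is exactly the root-cause distinction the exam tips below ask you to make.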
Identity Proofing in the Access Control Lifecycle
The access control lifecycle follows this sequence:
1. Identity Proofing → Verify who the person is
2. Provisioning/Registration → Create their account and credentials
3. Authentication → Confirm identity each time they access the system
4. Authorization → Grant appropriate permissions
5. Accountability/Auditing → Monitor and log activities
6. De-provisioning → Revoke access when no longer needed
Identity proofing is step one — it must happen before any credentials are issued.
Key Distinctions to Understand
- Identity Proofing vs. Authentication: Identity proofing happens once during enrollment. Authentication happens every time a user logs in. Proofing establishes who you are; authentication confirms you are the same person who was proofed.
- Identity Proofing vs. Identification: Identification is the act of claiming an identity (e.g., entering a username). Identity proofing is the act of proving that claim is legitimate.
- Identity Proofing vs. Authorization: Authorization determines what a verified user is allowed to do. It comes after proofing and authentication.
Real-World Examples
- A new employee presenting a passport and completing background checks before receiving network credentials
- A bank customer showing two forms of ID before opening an account
- A government contractor undergoing an in-person identity verification to receive a PIV (Personal Identity Verification) card
- A user submitting a photo of their driver's license and a live selfie to verify identity for an online service
Threats to Identity Proofing
- Social Engineering: Attackers impersonating legitimate individuals to trick enrollment staff
- Forged Documents: Counterfeit IDs or altered identity evidence
- Synthetic Identity Fraud: Combining real and fake information to create a fictitious identity
- Insider Threats: Trusted employees who bypass proofing procedures
- Compromised Databases: Stolen personal data used to answer knowledge-based questions
Exam Tips: Answering Questions on Identity Proofing
1. Remember the Lifecycle Order: Identity proofing always comes first — before provisioning, authentication, and authorization. If a question asks what must happen before a user receives credentials, the answer is identity proofing.
2. Distinguish Proofing from Authentication: This is the most commonly tested distinction. Proofing is a one-time enrollment activity. Authentication is an ongoing, repeated process. If the question involves initial enrollment or first-time credential issuance, think identity proofing.
3. Know the NIST IAL Levels: IAL1 = no proofing needed, IAL2 = remote or in-person proofing, IAL3 = must be in-person with the highest rigor. Questions may present scenarios and ask which IAL is appropriate.
4. Focus on the Three Phases: Resolution (collect evidence), Validation (check evidence is genuine), Verification (confirm the person matches the evidence). If an exam question describes one of these activities, identify which phase it represents.
5. KBV Is Considered Weak: If a question asks about the most reliable proofing method, knowledge-based verification is typically the weakest option. Biometric comparison and in-person document checks are stronger.
6. In-Person Is Strongest: When questions ask about the highest assurance level of identity proofing, the answer typically involves face-to-face, in-person verification with trained personnel.
7. Watch for Scenario Questions: The SSCP exam often presents real-world scenarios. If a scenario describes a new hire, a contractor onboarding, or a first-time account creation, the relevant concept is identity proofing.
8. Think About What Could Go Wrong: If a question discusses a breach that occurred because a fraudulent identity was accepted, the root cause is a failure in identity proofing — not authentication or authorization.
9. Link to Accountability: Proper identity proofing supports accountability and non-repudiation. If actions cannot be tied to a real individual, identity proofing was likely inadequate.
10. Eliminate Distractors: On multiple-choice questions, options involving password resets, login failures, or session management are related to authentication, not identity proofing. Narrow your choices to those involving initial identity verification and enrollment.