KeyData Cyber Sums Up The Most Visible Change in NIST SP 800-63-4

As we all transition from version 3 of NIST SP 800-63 to the new version 4 (63, 63A, 63B, 63C), Biometric Update has published an article authored by Dustin Hoff of KeyData Cyber, “Navigating the crossroads of identity: leveraging NIST SP 800-63-4 for business advantage.”

So what has changed?

“Perhaps the most visible change is the push for phishing-resistant authentication—methods like passkeys, hardware-backed authenticators, and device binding….This shift signals that yesterday’s non-phishing-resistant MFA (SMS codes, security questions, and email OTPs) is no longer enough because they are easily compromised through man-in-the-middle or social engineering attacks like SIM swapping.”

Hoff says a lot more about version 4, including tips on transitioning to the new NIST standard. Read Hoff’s piece on Biometric Update.

Who is Signing That Docusign Document?

Many of us have been using Docusign for years to electronically sign documents. But how does Docusign know that the person applying John Bredehoft’s signature is really John Bredehoft?

Enter Docusign’s implementation of Identity Assurance Level 2 (IAL2).

As reported by Biometric Update, Docusign published a November 6 post outlining how Docusign has incorporated identity verification technology into its document workflows.

“The Docusign ID Verification for IAL2 Compliance workflow is easy to add to workflows within eSignature and Maestro, part of the Docusign Intelligent Agreement Management (IAM) platform. 

“Before a recipient can access an agreement, they will be required to verify their identity using their existing ID.me or CLEAR account. If needed, they can create a free account with either provider from within the same Docusign workflow. Once verified, they can securely sign and complete their agreement, all in a single, seamless experience.”

So Docusign has integrated with proven IAL2 vendors. See the Kantara Initiative trust status list of certified full service providers, which includes both CLEAR and ID.me for IAL2 and AAL2 (Authenticator Assurance Level 2).

But I have one teeny quibble with whoever writes Docusign’s headlines. The November 6 announcement was entitled “Identity Verification at the Highest Level: Docusign ID Verification for IAL2 Compliance.”

From the Docusign blog, November 6.

As you and I well know, IAL3 (rather than IAL2) is the highest level of identity verification.

But Docusign isn’t ready to jump to THAT level of identity verification…yet.

Sometimes You Don’t Need, Or Want, Identity Assurance Level 3 (IAL3)

This post is specifically for firms that sell identity verification solutions at various identity assurance levels, or IALs.

I have written a post entitled “Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough.”

Which naturally implies that IAL3 is better than IAL2, because it’s more secure.

So why doesn’t EVERYONE use IAL3?

For the same reason that children’s piggy banks aren’t protected with multiple biometric modalities AND driver’s license authentication.

Kids don’t have driver’s licenses anyway. 

In the same vein, in-person or remote supervised identity proofing isn’t always necessary. If your business would lose customers by insisting upon IAL3, and you’re OK with assuming the financial risk, don’t do it.

Imagine if you had to get on a video chat and show your face and your driver’s license before EVERY Amazon purchase. Customers would go elsewhere. Amazon would go broke within days.

Which is why some identity firms promote IAL3, while others promote IAL2. (I won’t talk about the firms that promote IAL1.)

Whatever identity assurance level your prospects need, Bredemarket can help you create the content. Let’s talk about your specific needs.

Bredemarket Identity Assurance Level 3 (IAL3) Posts Over the Years

I’m preparing to promote four of my Identity Assurance Level 3 (IAL3) Bredemarket blog posts on my social media channels. You know, the posts that discuss in-person and remote supervised identity proofing. But I said to myself, “Self, why not re-promote them on the blog also?”

12/3/2020 IAL3 post

From the Bredemarket blog, December 2020:

“The U.S. National Institute of Standards and Technology has defined ‘identity assurance levels’ (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs.”

“Identity assurance levels (IALs) and digital identity”: https://bredemarket.com/2020/12/03/identity-assurance-levels-ials-and-digital-identity/

7/19/2023 IAL3 post

From the Bredemarket blog, July 2023:

“If we ignore IAL1 and concentrate on IAL2 and IAL3, we can see one difference between the two. IAL2 allows remote, unsupervised identity proofing, while IAL3 requires (in practice) that any remote identity proofing is supervised.”

“The Difference Between Identity Assurance Levels 2 and 3”: https://bredemarket.com/2023/07/19/ial2-vs-ial3/

8/11/2025 IAL3 post

From the Bredemarket blog, August 2025:

“I’ve talked about Identity Assurance Levels 1, 2, and 3 on several occasions…..But as usually happens, IAL2 is yesterday’s news. Because biometric tech always gets harder better faster stronger.”

“Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough”: https://bredemarket.com/2025/08/11/ial3-when-ial2-isnt-good-enough/

9/17/2025 IAL3 post

From the Bredemarket blog, September 2025:

“Governments aren’t the only entities that need to definitively know identities in critically important situations.

“What about banks and other financial institutions, which are required by law to know their customers?

“Now the bank assumed a level of risk by [accepting a Bredemarket client check in a remote unsupervised manner] especially since the deposited check would not be in the bank’s physical possession after the deposit was completed.

“But guess what? The risk was acceptable for my transactions. I’m disclosing Bredemarket company secrets, but that client never wrote me a million dollar check.

“What about remote supervised transactions at financial institutions, where you are not physically present, but someone at the bank remotely sees you and everything you do?

“It turns out that the identity verification providers support video sessions between businesses (such as banks) and their customers.”

“Unlocking High-Value Financial Transactions: The Critical Role of Identity Assurance Level 3 (IAL3)”: https://bredemarket.com/2025/09/17/financial-ial3/

Proof of IAL3

I was up bright and early to attend a Liminal Demo Day, and the second presenter was Proof. Lauren Furey and Kurt Ernst presented, with Lauren assuming the role of the agent verifying Kurt’s identity.

The mechanism to verify the identity was a video session. In this case, Agent Lauren used three methods:

  • Examining Kurt’s ID, which he presented on screen.
  • Examining Kurt’s face (selfie).
  • Examining a credit card presented by Kurt.

One important note: Agent Lauren had complete control over whether to verify Kurt’s identity or not. She was not a mere “human in the loop.” Even if Kurt passed all the checks, Lauren could fail the identity check if she suspected something was wrong (such as a potential fraudster prompting Kurt what to do).

If you’ve been following my recent posts on identity assurance level, you know what happened next. Yes, I asked THE question:

“Another question for Proof: does your solution meet the requirements for supervised remote identity proofing (IAL3)?”

Lauren responded in the affirmative.

It’s important to note that Proof’s face authentication solution incorporates liveness detection, so there is reasonable assurance that the person’s face is not a spoof or a synthetic identity.

So I guess I’m right, and that we’re seeing more and more IAL3 implementations, even if they don’t have the super-duper Kantara Initiative certification that NextgenID has.

Examining Voter ID From an IAL3 Lens

My recent Substack post explains what Identity Assurance Level 3 (IAL3) is, and re-examines my doubts about the effectiveness of so-called “voter ID” laws. Because if voter ID proponents REALLY wanted to guarantee that voters are eligible, they would have to do a LOT more. Security theater is not security. But what is the cost of true security?

“Examining Voter ID From an IAL3 Lens” on Substack: https://open.substack.com/pub/johnebredehoft/p/examining-voter-id-from-an-ial3-lens

Unlocking High-Value Financial Transactions: The Critical Role of Identity Assurance Level 3 (IAL3)

I’ve previously discussed the difference between Identity Assurance Level 2 (IAL2) and Identity Assurance Level 3 (IAL3). The key differentiator is that IAL3 requires either (1) in-person identity proofing or (2) remote supervised identity proofing.

Who and how to use IAL3

Who can provide remote supervised identity proofing?

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3.”

And there are others who can provide the equivalent of IAL3, as we will see later.

How do you supervise a remote identity proofing session?

“The camera(s) a CSP [Credential Service Provider] employs to monitor the actions taken by a remote applicant during the identity proofing session should be positioned in such a way that the upper body, hands, and face of the applicant are visible at all times.”

But that doesn’t matter to me now. What matters to me is WHEN we need remote identity proofing sessions.

Mitek Systems’ Adam Bacia provides one use case:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

So that’s one use case.

But there is another.

When to use IAL3 for financial transactions

Governments aren’t the only entities that need to definitively know identities in critically important situations.

What about banks and other financial institutions, which are required by law to know their customers?

Now it’s one thing when one of my Bredemarket clients used to pay me by paper check. Rather than go to the bank and deposit it in person at a teller window (in person) or at an ATM (remote supervised), I would deposit the check with my smartphone app (remote unsupervised).

Now the bank assumed a level of risk by doing this, especially since the deposited check would not be in the bank’s physical possession after the deposit was completed.

But guess what? The risk was acceptable for my transactions. I’m disclosing Bredemarket company secrets, but that client never wrote me a million dollar check. Actually, none of my clients has ever written me a million dollar check. (Perhaps I should raise my rates. It’s been a while. If I charge an hourly rate of $100,000, I will get those million dollar checks!)

So how do financial institutions implement the two types of IAL3?

In-person

Regarding IAL3 and banks, in-person transactions are supported in certain cases, even with the banks’ moves to close branches.

“If you need to initiate a funds transfer payment, an authorized signer for your account may also initiate funds (wire) transfers at any Chase branch.”

Note the use of the word “may.” However, if you don’t want to go to a branch to make a wire transfer, you have to set up an alternate method in advance.

Remote supervised

What about remote supervised transactions at financial institutions, where you are not physically present, but someone at the bank remotely sees you and everything you do? Every breath you take? And every move you make? Etcetera.

It turns out that the identity verification providers support video sessions between businesses (such as banks) and their customers. For example, Incode’s Developer Hub includes several references to a video conference capability. 

To my knowledge, Incode has not publicly stated whether any of its financial identity customers are employing this video conference capability, but it’s certainly possible. And when done correctly, this can support the IAL3 specifications.

Why to use IAL3 for financial transactions

For high-risk transactions, such as ones with high value and ones involving particular countries, IAL3 protects both the financial institutions and their customers. It lessens the fraud risk and the possible harm to both parties.

Some customers may see IAL3 as an unnecessary bureaucratic hurdle…but they would feel differently if THEY were the ones getting ripped off.

This is why both financial institutions and identity verification vendors need to explain the benefits of IAL3 procedures for riskier transactions. And do it in such a way that the end customers DEMAND IAL3.

To create the content to influence customer perception, you need to answer the critically important questions, including why, how, and benefits. (There are others.)

And if your firm needs help creating that content, Underdog is here.

I mean Bredemarket is here.

Visit https://bredemarket.com/mark/ and schedule a time to talk to me—for free. I won’t remotely verify your identity during our videoconference, but I will help you plan the content your firm needs.

The “How” of IAL3 Supervised Remote Identity Proofing

If the subject of identity proofing is remote, how do you supervise it? Here’s what NIST says:

“The camera(s) a CSP [Credential Service Provider] employs to monitor the actions taken by a remote applicant during the identity proofing session should be positioned in such a way that the upper body, hands, and face of the applicant are visible at all times. Additionally, the components of the remote identity proofing station (including such things as keyboard, fingerprint capture device, signature pad, and scanner, as applicable) should be arranged such that all interactions with these devices is within the field of view. This may require more than one camera to view both the applicant and the room itself.”

If you’re not familiar with the difference between supervised and unsupervised remote identity proofing, please read “The Difference Between Identity Assurance Levels 2 and 3.”

In Health, Benefits of Identity Assurance Level 2 (IAL2) are CLEAR

Is the medical facility working with the right patient?

Hackensack Meridian Health in New Jersey claims that it knows who its patients are. It has partnered with CLEAR for patient identification, according to AInvest. Among the listed benefits of the partnership are enhanced security:

“CLEAR1 meets NIST’s Identity Assurance Level 2 (IAL2) standards, a rare feat in the healthcare sector, ensuring robust protection against fraud.”

But is IAL2 that rare in healthcare?

Other vendors, such as Proof, ID.me, and Nametag certainly talk about it.

And frankly (if you ignore telehealth) the healthcare field is ripe for IAL3 implementation.

If you are a healthcare solution marketer, you’re NOT with CLEAR, and you’re angry that AInvest claims that IAL2 is “a rare feat” in healthcare…

…then you need to get the word out about your solution.

And Bredemarket can help. Schedule a free meeting with me.