Trusted digital onboarding through IAL3 identity proofing


IAL3 verification adds rigor to the validation and verification processes to protect against impersonation attacks and other types of fraud. It requires on-site, attended identity proofing and a visual inspection by an impartial referee who compares the evidence presented with what the applicant has claimed.

The party performing the proofing follows a set of written procedures to associate the claimed identity with the subject. Core attributes are verified against authoritative sources, and steps are taken to confirm that the subject physically exists.

Authentication of the Relying Party

Relying Parties (RPs) are online services or applications that delegate authentication and authorization tasks to another entity, usually an Identity Provider (IdP). RPs usually have no direct knowledge of subscribers' private keys; instead they rely on a federated identity system to confirm whether an end user holds valid credentials.

Authenticating a Relying Party (RP) may take various forms, including verifying the evidence presented by an applicant, comparing it against other evidence, or using an assurance services provider. An RP can also vouch for the authenticity of the confirmation code that the IdP sends to subscribers (known as a Continuation Code). Such codes should be generated using algorithms or hash functions approved or recommended by the Federal Information Processing Standards (FIPS) or the National Institute of Standards and Technology (NIST).

Authentication of the Applicant

Authentication is the process of verifying that a digital identity represents, and can be checked against, an identifiable real-world individual. NIST IAL3 verification can be accomplished using techniques ranging from visual comparison to automated biometric matching; this level of assurance (LOA) process forms one of the three components of NIST 800-63A IAL3.

Verification pathways should be deployed in accordance with the use cases, populations and threat environments associated with the online service being protected. CSPs SHOULD employ multiple pathways leading to IAL2 for protection and may combine them in order to reach desired results.

At the conclusion of an IAL2 verification pathway, the applicant is enrolled into a subscriber account with the CSP, with one or more authenticators tied to the proven identity in the CSP's records. Once complete, this lets the RP use these authenticators to confirm who was verified, and also provides evidence of which pathway (such as an assertion or an API) was used, for risk-based decision making.

Authentication of the Evidence

Unlike Identity Assurance Level 1 (IAL1), where identity can be self-asserted, IAL2 and IAL3 require identity verification that links the claimed identity to a real-world person by means such as strong identity documents or biometrics.

On-site IAL3 identity proofing typically results in the creation of a subscriber account for each verified person, with one or more authenticators bound to that record. This prevents stand-in fraud, because the credentials are linked directly to an identity record and cannot be used by someone else to gain entry.

Businesses should consider kiosks attended by live agents as a faster-to-deploy alternative to flying people in for costly on-site sessions, which are logistically challenging and susceptible to social engineering. TrustSwiftly agents can connect live to a kiosk via the TrustSwiftly app or a no-code page and monitor the actions taken during an IAL3 proofing session.

Authentication of the Confirmation Code

Proofing codes (also called continuation codes) are used to confirm ownership of evidence, such as an authenticator. The process typically involves a remote or on-site attended interaction with a proofing agent, and the result is presented either in digital form (a digital evidence bundle) or in machine-readable form (a QR code) to the Relying Party for verification against the images collected during identity proofing.
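As an added illustration of the confirmation (continuation) code handling described here and under "Authentication of the Relying Party" above (example code written for this page, not from the page's author or any product it mentions): a CSP-side service issues a code from the OS CSPRNG, stores only its SHA-256 hash bound to the applicant record, and verifies it with a constant-time comparison, an expiry, a single-use rule and an attempt limit. The code length, lifetime and attempt limit are assumed values; the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters: the page gives no code length, lifetime or attempt limit.
CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 600
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class ConfirmationCodeService:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._pending = {}                   # applicant_id -> PendingCode

    @staticmethod
    def _hash(applicant_id: str, code: str) -> bytes:
        # SHA-256 is a FIPS 180-4 approved hash. Binding the applicant id
        # into the digest stops a code being replayed against another record.
        return hashlib.sha256(f"{applicant_id}:{code}".encode()).digest()

    def issue(self, applicant_id: str) -> str:
        # secrets draws from the OS CSPRNG; every 6-digit value, leading
        # zeros included, is equally likely. Only the hash is stored.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[applicant_id] = PendingCode(
            self._hash(applicant_id, code), self._now() + CODE_LIFETIME_SECONDS)
        return code  # delivered to the applicant out of band

    def verify(self, applicant_id: str, code: str) -> bool:
        entry = self._pending.get(applicant_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[applicant_id]  # expired: applicant must re-enroll
            return False
        if not hmac.compare_digest(entry.code_hash, self._hash(applicant_id, code)):
            entry.attempts_left -= 1         # throttle online guessing
            if entry.attempts_left <= 0:
                del self._pending[applicant_id]
            return False
        del self._pending[applicant_id]      # single use: consumed on success
        return True
```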

A CSP shall include in its practice statement all the steps it has taken to protect the disassociability, predictability, manageability, confidentiality and integrity of the personal information it collects and processes in providing its identity service.

The CSP shall also conduct, and regularly update, a privacy risk analysis that reflects any risks to information security and to the privacy of individuals. For future planning, it should assess any changes to IAL2 outcomes or requirements that would necessitate an upgrade to IAL3. IAL3 goes a step further than IAL2 in addressing more sophisticated impersonation attacks, with additional evidence, validation and verification steps. Its Non-Biometric Pathway also provides alternative verification methods for applications that cannot use the Biometric Pathway.
