1 Off-campus In Person

Requirements

College University would like to identify its remote students before they register and has the following requirements:

  • Leverage identity proofing processes done by other organizations or recognized identity proofing professionals.
  • Require visual proofing of identity documents.
  • Perform process totally at distance.

Solution 1.1: Notary Identity Proofing

Using the College University admissions portal, Sally gets an account and applies to be an undergraduate student. Information about her SAT and AP scores is sent to CU shortly thereafter, and that information validates the information on her application. CU accepts Sally and she pays her deposit.

CU then asks her to provide proof of her identity by visiting one of a list of pre-registered notaries listed on the CU Identity Site. Sally must first tell CU which one she will visit and then the institution sends the notary identity information/questions and a one-time password for Sally to use if her identity is verified. Sally sets up a time to visit the notary.

Once in their meeting, the notary asks Sally the questions in the packet and Sally answers them correctly, linking her physical person to the CU identity record. The notary also asks Sally to show two forms of picture identification and verifies the name and address, then hands Sally a password in a sealed envelope with a short-term, one-time URL so she can change her password and requests that she perform the action before she leaves the office. The notary then verifies that the individual changing the credential is the same one that answered the knowledge questions and sends information to CU about the identification used to verify Sally's identity.

Summary of Process
  • Subject submits an application and is accepted to the institution. There is third-party information on file.
  • Institution sends notary one-time password and identity information.
  • If subject provides convincing matching evidence to notary, subject is linked to identity record.
  • Notary hands sealed envelope with a one-time token/URL to the individual so he/she can claim the credential.
  • Individual uses kiosk to sign in to admitting institution site and claims credential.
  • Notary "notarizes" document issued to individual signifying they are the one claiming the credential.
  • Subject is linked to the credential.

Solution 1.2: Consortium Member Identity Proofing

Using CU's admissions portal, Sally gets an account and submits an application to be an undergraduate student. Information about her SAT and AP scores is sent to CU shortly thereafter, and that information validates the information on her application. CU accepts Sally and she pays her deposit.

CU then asks her to provide proof of her identity by visiting one of a list of Identity Registration sites hosted by organizations participating in a national consortium. CU then sends Sally a Claim Credential, and she sets up a time to visit the partner's Identity Registration Office.

Once there, Sally provides her Claim Credential to the Registration Agent. The Agent signs into a federated Identity Proofing service and Sally produces her identity documents which the Agent verifies and records information into the service. The Agent then redirects the kiosk in his office to a "claim credential" site at CU and Sally changes her password.

Once in their meeting, the campus Registration Agent asks Sally the questions in the packet and Sally answers them correctly, linking her physical person to the CU identity record. The Agent then gives Sally a sealed envelope containing a short-term, one-time URL that she can use to change her password and requests that she perform the action before she leaves the office. The Agent then verifies that the individual changing the credential is the same one that answered the knowledge questions.

Summary of Process
  • Subject submits an application and is accepted to the institution. There is third-party information on file.
  • Institution sends "claim credential" information to student with locations of Consortium Members
  • Student shows up at member location (by appointment or during business hours)
  • Proctor accesses Identity Proofing application and authenticates to their own institution
  • After showing government-issued photo ID to "proctor", verifying document (license, passport, visa) is recorded by proctor and student is redirected to "claim credential" site at admitting institution
  • Student enters one-time password and then goes through the claim credential process, which might include selecting a username (NetID), setting a password, and entering password reset information (e.g. challenge-response questions and answers, mobile phone number, 3rd-party email address)
  • New credential is now in possession of student (and no one else)
  • Application records time of credential issuance and Level of Assurance if appropriate

Background Notes

2 Knowledge-based Identity Proofing

Requirements

College University would like to identify its remote students before they register and has the following requirements:

  • Leverage identity proofing processes done by other organizations.
  • Use third-party (not user supplied) information.
  • Automate identity proofing process as much as possible.
  • Perform process totally at a distance.
  • Require little or no interaction with the Admissions Staff.

Solution 2.1: Campus Data in Student or ERP System

Sara applied as an undergraduate to College University and submitted an online application through CU's website. As part of this process, she identified CU as a recipient for her AP and SAT test scores and sent those to CU as well as her high-school transcript. To access the application website, the University required her to set up a userid and password for authentication.

Several weeks later, Sara found out that she was accepted and then used her credit card to pay the deposit.

Sara's next step is to register, but because the University is interested in having a tighter binding between Sara and her identity record and authentication credentials to ensure that the right person is accessing her information, they ask Sara to go to their identity proofing website.

Sara accesses the URL and signs in with the userid/password she set up during the application process. Upon successful authentication, she is presented with 5 multiple choice questions using information obtained from her AP and SAT test scores and high-school transcript. This is information that Sara did not provide on the application, but instead is something that she would remember. Questions included the building location where she took the SAT test and date of the test, name of Sara's 10th grade English teacher, billing address for her credit card and the like. Sara must choose the right answer for at least 4 out of the 5 questions. If successful, she uses a one-time URL that she receives via text message on her cell phone. She uses that to change her password, using the password policy for the permanent account, and establishes questions/answers for future password reset if ever needed.

If she does not answer the required number of questions correctly, Sara is presented with an online chat form to set up a session with an admissions counselor, who will then review Sara's record and ask her questions to determine her identity.

Summary of Process
  • By phone/website/chat, ask prospect knowledge-based questions on identity information obtained from third parties that have done identity proofing, such as SAT, ACT, TOEFL, GRE, AP testing processes and transcript providers such as other higher ed institutions and K12. The person is given 2 chances to answer the questions correctly.
  • If the prospect answers the required number of questions correctly, provide him or her with a one-time token/URL via email/mailing address/cell phone number in the identity record. (Using an address in the identity record for delivery strengthens link between subject and identity record.)
  • Subject is linked to the identity record.
  • Subject then uses the token to establish permanent credentials and reset questions. 
  • Subject is linked to credential.
  • If the prospect does not answer the questions correctly, present an online chat form or request that the person contact the Admissions Office by phone to do the identity check using a new set of questions.

Solution 2.2: Vendor-supplied Service

Sara applied as an undergraduate to College U and submitted an online application through CU's website. As part of this process, she identified CU as a recipient for her AP and SAT test scores and sent those to CU as well as her high-school transcript. To access the application website, the University required her to set up a userid and password for authentication.

Several weeks later, Sara found out that she was accepted and then used her credit card to pay the deposit.

Sara's next step is to register, but because the University is interested in having a tighter binding between Sara and her identity record and authentication credentials to ensure that the right person is accessing her information, they ask Sara to go to their identity proofing website.

Sara accesses the URL and signs in with the userid/password she set up during the application process. Upon successful authentication, she is presented with 5 multiple choice questions using information obtained from a purchased vendor service. (The company gathers information from publicly available sources and constructs a database of possible questions to ask. When requested in the process, the company randomly chooses a list of 5 questions.) Sara must answer at least 4 of the questions correctly to move to the next step.

If successful, she uses a one-time URL that she receives via text message on her cell phone. She uses the URL to access a webpage and change her password, using the password policy for the permanent account, and establishes questions/answers for future password reset if ever needed.

If she does not answer the required number of questions correctly, Sara is presented with an online chat form to set up a session with an admissions counselor, who will then review Sara's record and ask her questions to determine her identity.

Summary of Process
  • Ask a third-party identity verification service to present 5 questions randomly chosen from the predefined list and the subject must answer at least 4 correctly. The person is given 2 chances to answer the questions correctly.
  • Third-party returns a success or failure.
  • If the third-party returns success, provide subject with a one-time token/URL via email/mailing address/cell phone number in the identity record. (Using an address in the identity record for delivery strengthens link between subject and identity record.)
  • Subject is linked to the identity record.
  • Subject then uses the token to establish permanent credentials and reset questions. 
  • Subject is linked to credential.
  • If the third party returns failure, present an online chat form or request that the person contact the Admissions Office by phone to do the identity check using a new set of questions.
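
The knowledge-based flow summarized for Solutions 2.1 and 2.2 can be written as a small state machine. The sketch below is an added example, not code from the original page or from any institution's system: the class and state names, the 15-minute token lifetime and the SHA-256 storage of the token are assumptions, while the 5-question, 4-correct, 2-attempt figures come from the page.

```python
import hashlib
import hmac
import secrets
import time

QUESTIONS, PASS_MARK, MAX_ATTEMPTS = 5, 4, 2  # figures stated on the page
TOKEN_TTL = 15 * 60  # assumption: the page says only "one-time", not how long

def _same(a, b):
    """Constant-time, case-insensitive comparison of one answer."""
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

class ProofingSession:
    """Hypothetical model of one subject's proofing and credential claim."""

    def __init__(self, record_id, contact_on_record):
        self.record_id = record_id
        self.contact = contact_on_record  # from the identity record, never user-supplied
        self.attempts = 0
        self.token_hash = None  # only a hash is stored server-side
        self.expires = 0.0
        self.state = "unproofed"

    def submit_answers(self, given, expected, now=None):
        """Score one attempt; returns (state, token to send to self.contact or None)."""
        if self.state != "unproofed":
            return self.state, None  # locked out or already proofed
        now = time.time() if now is None else now
        self.attempts += 1
        correct = sum(_same(g, e) for g, e in zip(given, expected))
        if len(expected) == QUESTIONS and correct >= PASS_MARK:
            token = secrets.token_urlsafe(32)
            self.token_hash = hashlib.sha256(token.encode()).hexdigest()
            self.expires = now + TOKEN_TTL
            self.state = "linked_to_record"
            return self.state, token
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "manual_review"  # hand off to the Admissions Office
        return self.state, None

    def claim(self, token, now=None):
        """Redeem the one-time token; succeeds at most once and only before expiry."""
        now = time.time() if now is None else now
        if self.state != "linked_to_record" or now > self.expires:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, self.token_hash):
            return False
        self.token_hash = None  # burn the token
        self.state = "linked_to_credential"
        return True
```

The token is only ever returned for delivery to the contact held in the identity record, which is the step the summaries credit with strengthening the link between subject and record.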

Analysis

Background Notes

Red Herring

  • Person submits an application and is accepted. There is third-party information on file. Application is self-asserted information.
  • Subject is not linked to third-party information.
  • Institution sends a one-time token/URL to the subject's email/mailing address on record.
  • Credential is linked to identity record.
  • Subject is not linked to identity record.

Vendors
