What is Identity Proofing?

So what is identity proofing? There are three components that need to be tied together to ensure the right person has the right credential. 

  • Physical Person - This is the actual person who will be using the credential online to authenticate or prove they are the individual represented by the identity record (see below).
  • Credential - In most higher ed organizations, this is a shared secret like a password that, used in conjunction with the userid (or netid), enables authentication.
  • Identity Record - The collection of identity information you have about a person. In the admissions process, this could include test scores, address, transcript, etc. This constitutes the things we know about a person. Throughout the admissions process we "vet" or verify that this information is true, using methods such as sending paper mail to their physical address or email to their email address. We're verifying that such a person exists (but don't yet know if the physical person on the other end is the one represented in the identity record).

How Do These Relate to Each Other?

These three things must be linked together successfully for you to trust that the person authenticating is the one you think he or she is. If any of these links are broken, then your authentication process is compromised.

A broken link between the physical person and the credential indicates that the person using the credential is not the person to whom it was issued and so you cannot know who is using the credential to access services. This would happen when the password associated with the credential is known by someone other than the person to whom it was assigned.

A broken link between the physical person and the identity record indicates that the physical person is not who the identity record indicates he/she is. You may know the person using the credential is the person to whom it was assigned, but you do not know the identity of that person. This would happen when a person provides false identity information and that information is not properly confirmed.

A broken link between the credential and the identity record indicates that the credential is not properly recorded in the identity management system. In this case you cannot know to whom the credential has been assigned nor if it should be expired or terminated due to changing information about the individual.
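The credential-to-identity-record link is the one that can be checked mechanically. The following is an added example, not part of the original page: a reconciliation pass over a credential store and an identity registry. The data model, field names, finding codes and sample rows are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IdentityRecord:            # hypothetical registry row
    person_id: str
    status: str                  # "active" or "terminated" (constructed values)
    vetted: bool                 # identity information has been confirmed

@dataclass
class Credential:                # hypothetical credential-store row
    netid: str
    person_id: Optional[str]     # recorded link to an identity record, if any

def audit_links(credentials, records):
    """Map netid -> finding for credentials whose record link is broken or stale."""
    by_id = {r.person_id: r for r in records}
    findings = {}
    for cred in credentials:
        rec = by_id.get(cred.person_id) if cred.person_id else None
        if rec is None:
            # No link, or a link to a record that does not exist:
            # we cannot know to whom the credential was assigned.
            findings[cred.netid] = "no_identity_record"
        elif rec.status == "terminated":
            # The person's information changed; the credential should be expired.
            findings[cred.netid] = "record_terminated"
        elif not rec.vetted:
            # Linked, but the identity information was never confirmed.
            findings[cred.netid] = "record_unvetted"
    return findings

# Constructed sample data
SAMPLE_RECORDS = [
    IdentityRecord("P1", "active", True),
    IdentityRecord("P2", "terminated", True),
    IdentityRecord("P3", "active", False),
]
SAMPLE_CREDENTIALS = [
    Credential("asmith", "P1"),   # healthy link
    Credential("bjones", "P2"),   # record terminated
    Credential("clee", "P3"),     # record never vetted
    Credential("tmp042", None),   # issued with no record link
    Credential("dkim", "P9"),     # link points at a missing record
]

if __name__ == "__main__":
    for netid, finding in audit_links(SAMPLE_CREDENTIALS, SAMPLE_RECORDS).items():
        print(f"{netid}: {finding}")
```

A clean result here says nothing about the other two links: a vetted record with a correctly linked credential can still be used by someone other than the physical person it describes.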

How do we do this now on campus?

Do we want to include a section here that explains this graphic? Or leave it out?

I don't mind the graphics, but I have to say that it is not at all universal. At USC we don't issue an account until someone has paid something (or in the case of professional programs confirmed they are coming). Even at registration/orientation though there is no connection between the person and the account. We never know with certainty to whom we gave the credential. I doubt we are alone in this. - Brendan

  
