By Jody Tracy, InCommon Academy Program Manager
If your institution collaborates with federal agencies on research or other initiatives, you’re familiar with the balance required between robust security and practical implementation.
After an extensive analysis and review, a clear and documented approach is now available for decision-makers to confidently evaluate their identity proofing needs.
On Sept. 24, you can get guidance on the REFEDS Assurance Framework by attending IAM Online. Learn how it meets federal security requirements and how it fits into your institutional operations.
In the September IAM Online webinar, join Tom Barton from Internet2 and Kyle Lewis from Research Data and Communication Technologies Corp (RDCT), authors of the REFEDS Assurance Framework 2.0: Risk Comparison to NIST SP 800-63-3 IAL2 document, for a presentation on identity proofing, the REFEDS Assurance Framework, and InCommon’s Interoperability expectations.
You’ll also have the opportunity to participate in a survey conducted by InCommon to understand what support and resources you need when it comes to higher-level identity assurance.
What you’ll learn:
- How REFEDS RAF2 delivers comparable risk mitigation to NIST IAL2
- Practical implementation guidance that’s been vetted at the federal level
- How to maintain collaborative partnerships while meeting security requirements
- Ways to contribute to future guidance through InCommon’s survey
Speakers

Tom Barton, Senior Consultant, Internet2

Kyle Lewis, VP of Cybersecurity Strategy, Research Data and Communication Technologies Corp
Q&A
Ahead of the September IAM Online session, we reached out to Tom and Kyle to hear about some of the valuable takeaways they have lined up.
Here is what they had to say:
Tom: RAF v2’s IAP High requires similar essential identity checks as IAL2, but being adapted to an international context, it’s less prescriptive. It also recognizes as a “trusted source” Principal Investigators and others already identity-proofed to vouch for the existence of a claimed identity. If an organization implements a commercially available IAL2-certified remote identity proofing service, many of the RAF v2 IAP High requirements will be automatically satisfied.
Kyle: RAF is written to be a bit broader in interpretation than the NIST standards.
It is an international framework, and different countries have different approaches to solving the identity assurance problem. The U.S.’s NIST requires combinations of evidences and different kinds of ID cards at different strengths of assurance. Other countries may have a national register in place, so ID cards aren’t required.
RAF allows a common assurance language to communicate intent across various frameworks. This becomes particularly useful for U.S. institutions when service providers (SPs) want to increase their demand for identity assurance, but do not need to implement every detail of the NIST guidance when reasonable equivalence suffices.
Tom: First, there’s no certification. RAF v2 does not require an external audit by a recognized certification body.
Typically, a government-issued document with a photo, such as a driver’s license or passport, is verified for authenticity by checking its physical and/or cryptographic security features. Then, some outside “trusted source” is used to confirm the existence of an identity with the same name, address, or birthdate. This can take several forms, like checking a bank statement or official educational record, getting a vouch from a trusted person, or using an online service designed to perform this function. Then, the person being proofed is visually checked against the photo on the ID, which is done either by staff who perform identity proofing, looking at the person and their ID photo face-to-face, or over a video session, or by using an unattended remote identity proofing service.
That’s the essential identity-checking part. Appropriate records must be kept, the processes and procedures must be documented, and care must be taken when a person’s name is formally changed or when their assigned authentication credential is reissued or recovered to ensure the continued binding between the vetted person and their credential.
Kyle: As Tom said, RAF is self-asserted by the institution. Within InCommon, this doesn’t mean it’s blind trust on the SPs’ part, since we participate in a community having signed agreements to meet Baseline Expectations. Implied within Baseline Expectations is an agreement that if your identity provider (IdP) asserts a claim to the federation, the IdP is doing the thing being claimed.
That being said, there is no ‘certification’ in the sense that there is no external assessor checking the IdP’s work, so to speak.
Tom: We’re hoping to learn about situations on campus where fraud is an elevated concern and for which identity proofing would be a suitable mitigation.
For example, the Department of Education has added a requirement for colleges to vet the identity of some financial aid applicants, and some schools are reducing credential theft by using unattended remote identity proofing as an initial step in recovering a lost or stolen credential.
Kyle: I’m hoping we can get a better feel for how identity assurance is being implemented in the community or identify the areas of concern. Having a better view would help InCommon tailor support for helping IdPs on the path to identity assurance.
Tom: Increased identity-proofing is the natural path of escalation in the never-ending cycle of attackers fielding new approaches and defenders trying to maintain the integrity of our systems and data.
As consequences of fraud increase (and phishing is one means of perpetrating fraud), the value of fraud mitigation also increases.
As evidenced by the Department of Education’s efforts to reduce financial aid theft and a new identity proofing requirement to access sensitive data at the National Institutes of Health, related organizations are now feeling that pain. The higher education community is feeling similar pain, and the requirements of federal agencies often flow down to us.
Kyle: If I’m taking a step back from RAF and SP risk mitigation requirements, whether from the federal government or other campus SPs, I think we are collectively playing catch-up. RAF is a first step, but the scam and phishing attacks are becoming increasingly sophisticated.
I know this is a little outside the scope of RAF implementation, but I think about artificial intelligence being used for malicious purposes, and large language models finding the right language to manipulate action from more people. I foresee a need to use such tools in defense as well, specifically for detecting indicators of identity fraud during the proofing process.
I’m not an expert on this, but I foresee the need (and also challenges) to overcome in preserving individual privacy as well. Without having a crystal ball, I can only say that the sphere of identity assurance is going to get more stressed and more interesting in the years ahead.
Bringing the topic back to RAF, however, I think universities need to implement RAF or something RAF-like as a minimum, but not stop there.
Tom: Read Recommendations for REFEDS Assurance Framework 2.0 Implementation for InCommon Identity Providers! That’s why we wrote it.
Kyle: We have written a resource to help organizations step through the framework to assess the claims they already qualify for and determine a way to implement the claims they want to achieve. I suspect more institutions are already doing more than they think, and there will be claims they can make today after having done a self-assessment. This presentation, along with a session this year at TechEX, will dive directly into this guide.
Join Us for IAM Online
Curious about how to keep up with the latest identity verification standards? Don’t miss our upcoming webinar, “Beyond Authentication: When Secure Access Demands Identity Assurance,” on Wednesday, September 24, at 1 p.m. ET.
You will also have the opportunity to participate in a survey to help us build better support and resources for higher-level identity assurance that actually work for organizations like yours.
Please note: We’ve introduced a new, improved registration process for our webinars. You’ll now register individually for each webinar, which allows us to deliver content that’s even more aligned with what you want to see. Get ready for more engaging, community-driven webinars designed with you in mind!
Do you have ideas for IAM Webinars you would like to attend? Fill out this form and let us know what you’d like to see.