UDAP Identity Assurance Levels
DRAFT 2022-10-24
The table below indicates Levels of Identity Assurance with context on the rationale for various levels.

| IAL | Short Desc | Name, DOB collected & verified? | Address also collected & verified? | Evidence Strength | Photo match/liveness check | Confirmation of Control or Notice | Where in use today? |
|---|---|---|---|---|---|---|---|
| 1 | Self-asserted/no verification | - | - | - | - | - | 800-63-3 and included in vaccine credential standard |
| 1.2 | No Photo ID In Person | Yes | - | 1 Strong or Fair evidence but not a US state-issued photo ID or nationally-issued photo ID (e.g. one of the other two items in IAL1.8) | - | - | Included in vaccine credentials standard |
| 1.4 | Fair Gov't Issued Photo ID In Person | Yes | - | US state-issued photo ID or nationally-issued photo ID | Yes | None, but name and DOB are recorded. Note this evidence leads to a low level of assurance due to lack of other actions, not evidence strength. | Included in vaccine credentials standard |
| 1.4 (phase out?) | LoA-3 Remote via KBV (see below for without KBV) | Yes | Yes | 1 gov't ID + 1 financial or utility account; SSN may be one of the two | - | Both confirmed per 800-63-2. KBV/antecedent->no notice | Direct messaging user or admin |
| 1.5 | Fair Photo ID In Person + Verified Address; 2 Fairs if Remote | Yes | Yes | US state-issued photo ID or nationally-issued photo ID (or other photo ID that is at least Fair) | Yes | No notice mailed | Similar to common legacy patient registration practices but adds address verification step, for improved patient matching; ID verify via credit bureau type records OK (visual match not required) |
| 1.6 | LoA-2 In Person | Yes | Yes | Gov't-issued photo ID | Yes | Notice sent -- or equivalent via email or telephone | Some patient portal accounts today |
| 1.8 | Photo ID + Mobile Phone (+ confirm email address) | Yes | Yes | 1 Strong or Fair photo ID + Mobile Phone billed to person's name or otherwise verified + some other Fair (but not SSN) | Yes | Confirm control of mobile # and email but no notice. IAL1.9 when notice sent by US Mail to verified Address of Record | Some non-healthcare CSPs are supporting this strong identity assurance level as equivalent to IAL2 |
| Between IAL1.8 and IAL2 | LoA-3 Remote or In Person, without KBV | Yes | Yes | 1 gov't ID + 1 financial or utility account; SSN may be one of the two | Yes, photo compare required when In Person | Both confirmed per 800-63-2 (includes control of any electronic account + electronic verification using credit bureau type records). Notice by US mail to confirmed Address of Record when no electronic confirmation | Direct messaging user or admin |
| TEFCA DRAFT IAL2 Patient | Two of: Photo ID + Insurance Card + Medical Record | Not necessarily (?) | | Two of the following (a) physical comparison to legal photographic identification cards such as driver's licenses or passports, or employee school identification badges; (b) comparison to information from an insurance card that has been validated with the issuer (e.g., in an eligibility check within two days of the proofing event); and (c) comparison to information from an electronic health record (EHR) containing information from prior encounters | Yes IF photo ID is one of the two items used | Not necessarily (?) | Proposed for patient access to own records in TEFCA Individual Access Requests (+ consents/meaningful choice) |
| 2 | IAL2 In Person or unsupervised remote without liveness check | Yes | Yes | 1 Superior; 2 Strong; or 1 Strong and 2 Fair pieces of evidence (and Social Security Number--without the card--is not permitted as one piece of Fair, only a Social Security Card may be one Fair) | Yes, without liveness check | Yes (should be clarified in 800-63-3) | TEFCA (non-patient) |
| 2.1 | IAL2 + liveness check | Yes | Yes | 1 Superior; 2 Strong; or 1 Strong plus 2 Fair pieces of evidence (and Social Security Number--without the card--is not permitted as one piece of Fair, only a Social Security Card may be one Fair) | Yes, with liveness check | Yes (should be clarified in 800-63-3) | Guidance published separately from 800-63-3A indicates liveness check should occur |

At some level, likely IAL1.5, a declaration of identity becomes required and explicit, such that a claim of false identity is fraudulent.
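An added example, not part of the UDAP draft: a check of the Evidence Strength rule in the IAL 2 and 2.1 rows, including the Social Security Number exclusion, combined with the other columns of those two rows. The `Evidence` and `ProofingRecord` types, the `kind` labels, and counting a Social Security Card as exactly one Fair item are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Evidence:
    kind: str      # hypothetical label: "passport", "ssn_card", "ssn_number", ...
    strength: str  # "superior", "strong" or "fair", as assessed by the proofer

@dataclass
class ProofingRecord:  # hypothetical record; one field per table column
    evidence: list
    name_dob_verified: bool
    address_verified: bool
    photo_match: bool
    liveness_check: bool
    confirmation_done: bool  # confirmation of control or notice

def countable(evidence):
    """Apply the SSN rule: a bare number never counts; a card counts once, as Fair."""
    kept, card_seen = [], False
    for item in evidence:
        if item.kind == "ssn_number":   # number without the card is not Fair
            continue
        if item.kind == "ssn_card":
            if card_seen:               # only one Fair may come from the card
                continue
            card_seen = True
            item = Evidence("ssn_card", "fair")  # assumption: never above Fair
        kept.append(item)
    return kept

def meets_ial2_evidence(evidence):
    """1 Superior; 2 Strong; or 1 Strong and 2 Fair pieces of evidence."""
    n = Counter(e.strength for e in countable(evidence))
    return (n["superior"] >= 1 or n["strong"] >= 2
            or (n["strong"] >= 1 and n["fair"] >= 2))

def classify(rec):
    """Return "2.1", "2", or None when the record does not reach the IAL 2 row."""
    if not (rec.name_dob_verified and rec.address_verified
            and rec.photo_match and rec.confirmation_done
            and meets_ial2_evidence(rec.evidence)):
        return None
    return "2.1" if rec.liveness_check else "2"

# Constructed sample: 1 Strong + 2 Fair (one Fair is the card), no liveness check.
SAMPLE = ProofingRecord([Evidence("passport", "strong"), Evidence("ssn_card", "fair"),
                         Evidence("utility_account", "fair")], True, True, True, False, True)
if __name__ == "__main__":
    print(classify(SAMPLE))
```

Replacing the card in the sample with a bare Social Security Number leaves one Strong and one Fair item, so the record no longer reaches IAL 2.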
2 References
Grassi, Paul A. et al., “NIST Special Publication 800-63A Digital Identity Guidelines Enrollment and Identity Proofing Requirements”, National Institute of Standards and Technology, U.S. Department of Commerce, June 2017.
3 Authors
Julie Maas, EMR Direct
4 Notices
Copyright ©2016-2024 UDAP.org and the persons identified as the document authors. All rights reserved.
UDAP.org grants to any interested party a non-exclusive, royalty-free, worldwide right and license to reproduce, publish, distribute and display this Draft Specification, in full and without modification, solely for the purpose of implementing the technology described in this Draft Specification, provided that attribution is made to UDAP.org as the source of the material and that such attribution does not indicate an endorsement by UDAP.org.
All Draft Specifications and Final Specifications, and the information contained therein, are provided on an “AS IS” basis and the authors, the organizations they represent, and UDAP.org make no (and hereby expressly disclaim any) warranties, express, implied, or otherwise, including but not limited to any warranty that the use of the information therein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose, and the entire risk as to implementing this specification is assumed by the implementer. Additionally, UDAP.org takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available, nor does it represent that it has made any independent effort to identify any such rights.