What Is Identity Assurance and Why Is It Needed
Michael Rothschild, HYPR
8 Min. Read | October 3, 2023
In today's perpetually changing digital landscape, the importance of identity within the enterprise has taken center stage. As both workforce and consumer demands grow, there's a critical need for robust solutions that can manage the entire identity lifecycle, securely linking an individual's identity with who they claim to be.
Identity Assurance provides a comprehensive framework for managing and securing the modern user lifecycle. It ensures that organizations have the confidence that the identity of each individual aligns with who they claim to be, providing seamless validation and protection at every stage of the identity lifecycle.
Why Is There an Increasing Need for Identity Assurance?
Organizations typically use point-in-time and ad-hoc processes to establish an individual’s identity and then assert this identity through authentication. This does not meaningfully address the continuous changes that occur in terms of attack vector, methods or risk factors. Key moments in time such as changes in the individual’s status, high-risk events like resetting credentials, or changes to the threat landscape, challenge the legacy process to establish an individual’s identity. Nearly half of organizations lack a user verification policy for password reset calls to IT service desks. Identity assurance takes a comprehensive, integrated approach to address these limitations and weaknesses.
Identity and authentication attacks impact a wide range of industries, but some are more frequently targeted due to the potential for financial gain or access to sensitive information. Industries most affected include:
- Financial Services: Banks, credit card companies, and fintech firms are prime targets for identity theft and authentication attacks. Cybercriminals aim to gain access to financial accounts, steal funds, or commit fraud.
- Critical Infrastructure: Including energy and utility companies, oil & gas, supply chain and 13 other critical infrastructure verticals as defined by CISA are susceptible to attacks that can disrupt critical services, compromise sensitive data, and potentially lead to widespread blackouts or damage.
- Hospitality Industry: Hotels and restaurants make attractive targets because of the valuable guest data they collect and maintain, including payment details, addresses, phone numbers, and other sensitive information.
- E-commerce and Online Marketplaces: Online marketplaces are frequently targeted by attackers aiming to compromise user accounts, engage in fraudulent transactions, and steal personal information.
What Is the Difference Between Identity Assurance and Authentication?
Authentication is primarily concerned with verifying identity at the point of access, typically for a specific session or transaction. It is the daily or multi-daily process of verifying the credentials of an entity based on the presented information, such as biometric data (e.g., fingerprints or facial recognition), smart cards or tokens. It answers the question, "Is this user who they claim to be right now?"
Identity Assurance goes beyond authentication. It incorporates authentication as one of its components but also includes key complementary identity technologies and processes that together create a comprehensive and continuous trust framework. Identity Assurance involves a comprehensive assessment of identity, often incorporating factors like identity verification (also referred to as identity proofing), continuous monitoring, and risk assessment. It is not limited to a single transaction or access request, but extends to the overall trustworthiness of an identity over time, and is invoked at specific “moments in time” such as onboarding a new employee or completion of a high risk transaction.
What Are the NIST Identity Assurance Levels (IALs)?
The National Institute of Standards and Technology (NIST) defines identity assurance levels as part of its Digital Identity Guidelines, NIST 800-63-3. Other countries and industries may have their own frameworks and terminology for categorizing identity assurance.
Identity assurance level 1 (IAL1): There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a CSP asserts to an RP). Self-asserted attributes are neither validated nor verified.
Identity assurance level 2 (IAL2): Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.
Identity assurance level 3 (IAL3): Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.
The NIST IALs specifically apply to identity at a single point in time, and do not address ongoing authentication, risk monitoring, and other critical aspects of a broader Identity Assurance strategy.
How Does Identity Assurance Work?
A systematic Identity Assurance approach is built on a foundation of strong, phishing-resistant authentication, which completely eliminates passwords across populations, applications and locations. Passwordless authentication that is based on FIDO2 standards replaces passwords with passkeys and is considered the gold standard for phishing-resistant authentication by CISA, the OMB and other industry bodies. This strong authentication is used for daily access to organizational systems and resources.
Before any type of access can be provisioned, the person’s identity needs to be established and verified. Under an Identity Assurance model, identity verification is an automated and ongoing process that is integrated into manager and help desk workflows. The verification process generally leverages multiple techniques, such as document proofing, biometrics and database verification and ideally includes additional measures such as video verification through a live video feed and manager attestation. It’s critical that the process does not use passwords or knowledge-based factors at any point.
Complete assurance is maintained throughout the employee or customer lifecycle by monitoring for risky or unusual behavior on a per-user basis through the use of a risk and policy engine. Risks can be determined based on either the user behavior or changes in the overall threat landscape. Upon detecting an increased level of risk, the system can alert or invoke a re-authentication or re-verification based on defined policies.
Comprehensive Identity Assurance unifies all elements of the user lifecycle from the first point of contact with the user through offboarding. This eliminates security gaps caused by manual or disconnected processes.
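The risk and policy engine described above, as an added illustration that is not part of the original article or of any HYPR product: risk signals from endpoint, cloud, mobile and threat-intelligence sources are scored per user, a per-source cap keeps one noisy feed from dominating, and defined "moments in time" (onboarding, credential reset, role change) always trigger re-verification regardless of score. All signal names, weights and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    ALERT = "alert"
    REAUTHENTICATE = "reauthenticate"  # step-up with the phishing-resistant authenticator
    REVERIFY = "reverify"              # re-run identity proofing (documents, biometrics, ...)


@dataclass(frozen=True)
class RiskSignal:
    source: str   # "endpoint", "cloud", "mobile" or "threat_intel"
    name: str
    weight: int   # contribution to the per-user risk score (constructed values)


@dataclass(frozen=True)
class Policy:
    alert_at: int = 30
    reauth_at: int = 50
    reverify_at: int = 80
    # high-impact "moments in time" that always require re-verification
    high_impact_events: frozenset = frozenset({"onboarding", "credential_reset", "role_change"})


def risk_score(signals, per_source_cap=60):
    """Per-user risk: sum of signal weights, capped per source so a single
    chatty feed cannot push the score over every threshold on its own."""
    per_source = {}
    for s in signals:
        per_source[s.source] = per_source.get(s.source, 0) + s.weight
    return sum(min(total, per_source_cap) for total in per_source.values())


def decide(event, signals, policy=Policy()):
    """Map an event plus its current risk signals to the policy action."""
    if event in policy.high_impact_events:
        return Action.REVERIFY          # lifecycle moment: proof identity again
    score = risk_score(signals)
    if score >= policy.reverify_at:
        return Action.REVERIFY
    if score >= policy.reauth_at:
        return Action.REAUTHENTICATE    # strong, passwordless step-up
    if score >= policy.alert_at:
        return Action.ALERT             # notify security, allow the session
    return Action.ALLOW


# Constructed sample signals (hypothetical names and weights)
NEW_DEVICE = RiskSignal("endpoint", "unregistered_device", 25)
IMPOSSIBLE_TRAVEL = RiskSignal("cloud", "impossible_travel", 40)
JAILBROKEN = RiskSignal("mobile", "jailbroken_device", 30)
THREAT_SPIKE = RiskSignal("threat_intel", "campaign_targeting_sector", 20)
```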
What Are the Benefits?
Identity Assurance takes a holistic view toward identity security, uniting a currently fragmented landscape. This creates many improvements for organizations implementing this approach, including:
- Preventing credential-based attacks: Weak authentication accounts for more than 60% of all breaches but many organizations struggle to even implement legacy MFA due to the challenges with the user experience. Identity Assurance is built on the foundation of strong authentication, eliminating one of the largest attack vectors while improving user experience and accelerating adoption.
- Continuous assurance: With identity as the new perimeter and a strategic imperative for the business, organizations need to know which of their employees and customers are accessing what resources and that the identity presented truly matches the individual providing it. The risk associated with an individual continuously changes as they perform new actions or take on new responsibilities and as the threat landscape continues to evolve. Identity Assurance complements the strongest authentication with continuous monitoring that utilizes risk signals from endpoint, cloud, and mobile sources. Risky behavior can be mitigated by forcing the user to reauthenticate or even reverify their identity.
- Business acceleration: Identity Assurance reduces risk and accelerates the business across all parts of the employee lifecycle. For employers, it directly improves the employee onboarding experience, the employee's interactions with the help desk, and other identity-related interactions. For consumers, it eliminates processes where the consumer needs to physically interact with an organization (i.e., speaking with a teller at a bank to get verified). By substantially reducing identity risk to the organization, it also enables organizations to securely and confidently make changes that save on costs.
Identity Assurance Best Practices
Here are some guidelines to get you started in building your own Identity Assurance approach.
1. Start with the strongest authentication
Make sure you deploy strong, phishing-resistant authentication based on the FIDO passkey standard.
2. Enhance security with integrated identity verification/proofing
Identity proofing should be integrated with ongoing authentication processes and risk-based analysis, rather than performed only at specific points in time.
3. Create a password-free employee or customer lifecycle
Integrate proofing and provisioning into the onboarding process such that people never have to use a password.
4. Take steps to prevent pre-employment fraud
Develop a profile on interviewees and contractors to ensure that the person who interviews for the job is the person who shows up.
5. Delegate control to managers
Empower managers to control the verification of their employees for critical tasks such as onboarding, aided by intelligent tools and AI.
6. Enable end-to-end visibility
Make sure your risk engine leverages real-time data from multiple sources, including mobile devices, endpoints and browsers.
Identity Assurance With HYPR
HYPR tackles Identity Assurance on all fronts so that organizations can secure the identity lifecycle for their workforce and customers from end to end.
Our industry-leading passwordless authentication, HYPR Authenticate, fully eliminates breachable credentials from your authentication and verification processes. Our powerful risk monitoring solution, HYPR Adapt, collects and analyzes extensive, diverse data to intelligently adjust IAM security processes in real time. Our identity verification offering, HYPR Affirm, uses multiple layered technologies to verify identity. It goes beyond traditional point-in-time verification by utilizing AI-driven analysis to proactively and automatically prompt reverification at critical moments defined by high-impact events or times of elevated risk from new threat vectors or detection of suspicious behavior.
Together they form a comprehensive Identity Assurance platform that seamlessly integrates into your existing identity and security ecosystem. To learn more about Identity Assurance, speak to one of our experts or arrange a demo.