The present invention relates generally to the systems and methods used to confirm the asserted identity of an individual to a high level of confidence remotely over the Web. The same method can also be used in a face-to-face transaction when the individual asserting their identity has no other identifying information.
Identity proofing extends across multiple levels of risk. Identity proofing is usually the first step in a process associated with issuing credentials to an individual. The credential can be reused over-and-over again as an assertion of the initial identity proofing. The process of using the credential to conduct a transaction is authentication. Further, the risk associated with identity proofing is independent of the risk associated with authentication. As an example, there are some transactions where the user may be anonymous, but the information provided must remain confidential and associated only with that unique user. In such a case, the identity proofing may be weak or non-existent, while the credential and authentication is strong. These identity proofing, credential, and authentication principals apply in both physical and logical contexts.
In the logical context (and in physical too), the identity proofing may be conducted face-to-face, by reference, or by self-assertion. Each of these types of identity proofing can then leverage a series of steps to prove identity and the steps implemented define the rigor and strength of the identity proofing. As an example, face-to-face identity proofing can require a single government-issued picture ID or it could require two plus a verification of address.
In accordance with NIST Special Publication 800-63, the basis of remote identity proofing at a high confidence of the individuals identity is defined as, “Possession of a valid Government ID (e.g. a driver's license or Passport) number and a financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of both numbers.” This document continues by defining the actions necessary to achieve these actions. NIST Special Publication 800-63 states that the registration authority (RA) first, “Verifies information provided by Applicant including ID number AND account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, [date of birth], address and other personal information in records are consistent with the application and sufficient to identify a unique individual.” The RA must also either provide address confirmation by performing either of these actions, “a) Issues credentials in a manner that confirms the address of record supplied by the Applicant; or b) Issues credentials in a manner that confirms the ability of the Applicant to receive telephone communications at a number associated with the Applicant in records, while recording the Applicant's voice or using equivalent alternative means to establish non-repudiation.”
Institutions seek a capability to implement the requirements in the NIST standards while also allowing for the remote identity proofing of an individual via a Web transaction such that there is no delay and the user can then immediately conduct transactions with that identity. The process of confirming an account number or government issued identity along with an address confirmation usually requires a delay while performing these process steps. This embodiment describes a method and a process for conducting this above described transaction remotely while doing so such that the transaction can be processed in real-time and allow the subsequent transactions if the identity proofing transaction is successful.