NIST IAL3 An Exploratory Solution Using Kiosks to Verify
Now that we have already done a deep dive into NIST IAL 2 (NIST IAL2 Identity Verification An Updated Review of Requirements), we will explore level 3. This will only be at a high level as a client requested it as an additional method for certain users. Similar to how the government added in-person help for Login.gov at the USPS, other businesses may require this feature. For example, if you are a bank and want to achieve IAL3 for wiring a large amount, then you could require proofing to be done onsite. In the use case requested, the client wished agents in a money transfer service could verify sender identities in the store. Another use case could be for visitors or employees onboarding for their first day. IAL3 is the highest level of assurance provided by NIST, which can cover more extreme security cases. A summary of the requirements by NIST is here (IAL3 Summary of Requirements) and follows many of the similar ones as IAL2. The first main difference is that the person must be onsite physically. This critical aspect reduces the available population due to the requirements it forces on the CSP. For the government, using USPS allows for national coverage, but most other businesses will never be able to have that much physical presence. The other difference is with the types of evidence, with Strong+ being the minimum with a fair document or superior. The biometric attributes must be validated, too, and any digital signatures are required for verification. Lastly, all the extra compliance steps and procedures for the onsite portion must be handled securely to meet the IAL3 requirements.
The first plan to achieve IAL3 would be through a proofing agent in a physical location, similar to how a security guard reviews your information prior to being admitted to some offices. One main difference you may think of between regular visitors and guards is that they already inspect some identity documents. These, however, are woefully inadequate as the processes are missing critical checks that can only be done with an internet connection and application. However, in this case, for IAL3, the steps would be much more stringent in requiring them to use a CSP device and capture through a tool like Trust Swiftly. The agent could have an app on a designated device to start each proofing session. Throughout the process, they could capture the face and evidence documents by monitoring each step taken by the person. It would be initially a cheaper and quicker deployment option than using full self-service kiosks. This roll-out process would be possible using an iOS or Android device that opens the Trust Swiftly no code page. From there, the agent follows the requirements we described for IAL2 but steps up a few steps to ensure IAL3 is met. The main benefit this would have is to prevent injection and other biometric attacks, as the recording should be done on a locked-down device owned by the CSP. There are no worries that they are using a rooted device or have another generated deepfake. The con is still going to be the costs of employing this agent to be physically present and only available at certain hours, as well as the risk that the agent may be socially engineered for a verification step. A realistic silicone mask could be worn, so AI models must be trained to detect this during the proofing process. If choosing the onsite, in-person attended IAL3 pathway; it is critical that processes are documented, audited, and agents trained well to prevent any bypasses.
The second future idea for businesses to roll out IAL3 would be to use kiosks that can be attended to. The proofing agent could be in person or remotely during the verification session. However, the actions of users being verified will need to be present and interact with a person through a kiosk or workstation. In the case of using a kiosk, it automates the process more as the agent can go through multiple proofing sessions that are sent to a central or distributed processing application. For example, if 100 kiosks are distributed nationwide, you may have a few agents to handle the proofing sessions in real time. The agent can be involved in key steps such as biometric collection and any issue handling. There would be a connection to the kiosk for a video and liveness check of the person. This would be time-saving as the agent doesn’t have to take possession of evidence to capture it physically; instead, the user can place the document in front of a camera in the kiosk. Again, the benefits are similar to the first plan but further improved with cost savings and scalability in the system. The main risk would still be the actual kiosk, as there is less protection from being physically tampered with. In a kiosk scenario, many security precautions, such as locks and secondary external cameras in the ceiling to detect tampering, can be added.
For example, in the steps for the kiosk building, we found various parts and tools needed to deploy a solution. There are some prebuilt solutions like IDEMIA and NextGenID, but the costs are often more expensive and limit your ability to customize. Also, taking a look at IDEMIA, the TSA uses it, but the kiosk is a Windows machine that is still prone to failure and, in their case, requires an external technician to resolve many issues in person. Instead, we wanted to provide the framework to build an IAL 3 where you own the hardware, but Trust Swiftly owns the portions of the software. This creates an environment of least privilege for the entire proofing process, putting more ownership on the business. This allows for a much more secure solution, as when building a kiosk onsite solution, the physical device is the top priority to lockdown. Our first requirement is for a reliable kiosk that can be managed remotely with easy deployment. In this choice, we will stick to Apple as many hardware options already exist and limit the need to create multiple custom parts. Similar kiosks with Android or Windows devices could be built, but they do not have as many options for prebuilt kiosk hardware. It also allows you to own the off-the-shelf supply chain process end to end for the kiosk build, so maintenance and repair are minimal.
Build List for an Identity Verification Kiosk
Latest iPad. The device camera is the most important as the higher pixel count improves the verification process. Adding a cellular or satellite connection via Starlink could be a backup but is unnecessary if your use case does not require redundancies.
An ethernet adapter for more secure use cases. – (USB-C to Ethernet Adapter + 60W Charge | Belkin | Belkin US or Redpark Gigabit + PoE Adapter for iPad | Heckler) The Internet should be more stable, and there is less risk of any external traffic capturing.
A physical device holder that can be bolted down and locked to ensure no tampering (i.e., Kiosk Builder – Lilitab or Alur Freestanding iPad & Tablet Kiosk | Armodilo or Secure Tablet & iPad Stands & Kiosks | Bouncepad)
A camera adapter to use the backside for higher resolution (iPad Drivers license and ID Scanner – Lilitab and ID Capture Accessory – Lilitab and Elite ID Holder | Bosstab)
An NFC extender to validate passports cryptographically RAM® NFC Extender – RAM Mounts
A device MDM solution and security setup (i.e., iPad Kiosk: How to Set Up and Manage or Kiosk Pro - Tablet Kiosk App & Best-Selling Browser Software for iOS - Kiosk Group)
After you customize a kiosk to support the identity verification, it can then be loaded with an app or single browser page to start a Trust Swiftly proofing process for IAL3. During the proofing, an agent will be able to connect live to the kiosk and review each piece of evidence. Having the ability to connect to the device and remotely control it through MDM or other means is important to ensure an applicant makes it through the proofing process. Furthermore, a solution like Trust Swiftly can allow for even more verifications, such as a device check, by transferring a session to do verifications beyond the IAL3 scope. In review, building out your own managed IAL 3 solution is possible when selecting the proper hardware and software. Combining these factors will create an extremely robust identity-proofing process that stays secure even against the latest fraud techniques. As we have written about in the past, device security and multi-modal biometrics will continue to be at the forefront of identity verifications.