Yes. There are several levels of identity verification based on the level of assurance you need. For example, you may just want to confirm that an identity is real and there are no signs or records of fraud associated with it. Or, in some instances you need higher assurance that someone is who they say they are.
Prior to determining what methods are appropriate for the verification situation, perform a risk assessment to determine the level of assurance needed. Typically, identity verification is performed using three factors:
- something you have -- typically a swipe/proximity card, OTP token, etc.
- something you know -- typically a password or information about yourself (mother's maiden name, security questions, etc.)
- something you are -- typically comparing a photo to a person standing in front of you, or, biometric readers (hand/finger print readers, hand geometry, retina scanners, etc.)
It's important to note that the strength of these factors only truly increases when used together. Passwords can be hacked or discovered, cards and keys can be stolen, and sophisticated attacks can be perpetrated against biometric readers. The odds of a successful attack severely lessens when a combination of two or more of these three factors is used. Keep in mind that the level of assurance you can achieve is almost always dictated by the amount of information available to you to verify. So, if the information you have about an individual is limited to name, phone number, and address, that's the highest level of assurance you will be able to reach.
Also keep in mind that some names are quite common - if you are making changes to internal records, double check that you are doing so to the correct record. This might require asking a few additional questions to identify which of multiple records with the same name belongs to the person you are verifying.
Once you identify what level of assurance you require, you can use these tips below to plan a method of verification, depending on the type of interaction.
Please remember NEVER to ask for a password, PIN, passphrase, or access code! Such codes are meant ONLY to be used by the individual they are assigned to, for logging into systems.
Verifying in person
Usually, verifying the person standing in front of you is the quickest, easiest, and most effective means of verifying identity. The most common method is to require at least one government-issued, photo ID card (e.g., driver's license, state ID card, or Passport) to be presented. This is something that the person has, so you meet the "something you have" category. If you take the time to compare the photo against the person, this method is also something the person is, so you meet the "something you are" category. A few tips on verifying with a photo ID:
- Document that you viewed a photo ID and what kind of ID it was, but because driver's license numbers are protected by information security and privacy laws, do NOT make a copy of the ID or write down the number, unless it is absolutely required to have a copy of such information to provide the service requested.
- Keep in mind that fake photo ID cards exist. Become familiar with the format of the government IDs you use for verification, and check the ID carefully. For example, almost all state driver's licenses have microprint on them, which is very hard to fake. Do a quick lookup online for the correct format of the ID number (for example, to check a state driver's license number format for a state you are not familiar with) to help spot fake numbers. For more information, read this article on How to Spot a Fake ID.
- If the photo on the ID is not clearly the person standing in front of you, or if you require more assurance that this is the person they say they are, consider requiring the individual to present a second ID, which may or may not include a photo. Examples include a Social Security card, credit card, utility bill with correct name and address on it, school ID card, etc. - but remember these are "something you have" means of verification, if they do not contain a photo. And again, do not make a copy of these documents or the identification numbers to retain, unless it is absolutely required to have a copy of such information to provide the service requested. Social Security numbers and credit card numbers are protected by information security and privacy laws.
- If you need a higher level of assurance you can add a "something you know" method to your process. Be careful to ensure, though, that what you ask in person is kept private and secure from others nearby. For example, if you need to ask for such information, consider having the person write it on a piece of paper for you to verify against the record, and then be sure to stick that paper in the shredder while the person is still there with you to see you do that. This way no one else will hear the information, or find it on the paper afterwards.
Cards and biometric readers
Proximity or swipe cards and biometric readers, usually fingerprint, handprint, or hand geometry scanners, are commonplace mechanical ways of providing automated, in-person identity verification. Note that the cards fall into the "something you have" category, while the biometrics fall into the "something you are" category.
Verifying via phone
Verifying identity over the phone requires "something you know" methods. The person doing the verifying will need access to a record about the individual requesting access or information.
- First, if you have caller ID, check that the phone number would be appropriate to the person calling - is it one of the numbers in the existing record you have about them? Is it the appropriate area code? If the call is from an organization, does the phone number begin with the correct standard numbers for that organization?
- If you need a higher level of assurance, tell the person you will call them back, then hang up and dial the number you have in your records. This way you know you are in control of the phone number you are connected to.
- Next, ask questions until you are satisfied the person is who they say they are. Ask a few standard questions such as name, address, and telephone number, but also be sure to ask for something that another person (including family members) is not likely to know. For example, in a higher education setting, consider asking the name of the instructor for a particular class the individual's records show the person took, or, ask what semester they took a certain class. Ask about any breaks in their attendance or classes they dropped which can be verified on the record with grades of “W.” In essence, ask questions from the record likely to be known only by the student and not likely to be known by someone else.
- Listen carefully to the voice and use common sense and intuition to help determine the validity and authenticity of the call - for example if the records show the person to be elderly but the voice sounds young, this could be a red flag. Is the caller's demeanor appropriate (for example, not pressuring you to respond too quickly to properly verify) and the justification for needing to verify over the phone reasonable?
- Be creative when choosing these "something you know" questions, using the data available to you about the person, and be sure to ask enough that you are reasonably certain this is the person he or she claims to be.
Verifying online, in email or chat
Verifying in email or chat is challenging, due to the need to avoid documenting protected data such as Social Security number, driver's license number, and other identifying information, and due to the lack of strong controls on who can establish and use email and chat accounts. It is best to find another method to verify.
If you absolutely have to verify through email or chat, and you only need a minimum level of assurance that the person is who they say they are, use the following tips.
- Try asking the same sorts of questions outlined in the "Verifying via Phone" section, but don't ask for passwords, passphrases, Social Security numbers, credit card numbers, or driver's license numbers.
- You can also check the technical information supporting the communication. For example, in email, is the email address the message is coming from a legit address, and following a format you recognize as appropriate for the system they are sending from? In chat, is the username one you recognize? It's important not to rely completely on the email address or chat username, though, because those can be easily spoofed. This only provides a hint that the person may be who they claim to be.
- Consider initiating a new email or new chat thread by typing in the email or chat address you have in your records for the person, rather than replying to a message you received. This way you know you are in control of the address you are sending to. Unfortunately, you still do not have a way to truly verify that the person responding to the messages is the person who owns the email or chat account.
- For IU business, can you require that they email you from an IU email address, or use an IU chat service, for example, Teams Chat? These are more reliable than free public email and chat accounts.
- A higher level of assurance is gained if you ask the person to verify via a second method - for example, if you are communicating in email, ask them to give you a phone call, then use the methods above to verify that communication. Or, ask them to fax you the reply to a question you asked in email.
When logging in to an application or system
When providing access to an online application or system, in addition to the standard "something you know" method of using a password or passphrase, you can also require a token, which is "something you have." At IU, the use of IU Login helps with vetting online logins, and the use of Duo adds a higher layer of assurance. Where technically feasible, the central authentication service (CAS) must be used for all services that facilitate update or inquiry access to limited-access data on university servers, and password tokens must be required for any update access to restricted institutional data on university servers.
Through social media (Facebook, Google+, Twitter, LinkedIn, etc.)
Verifying through social media is not recommended. It is too easy to create fake accounts and profiles, and, the information shared in these environments is meant to be shared! Thus, they are not good forums for sharing verification data protected by information security and privacy law, such as identification documents and numbers.
Verifying via fax machine
One method of having the individual provide "something you have" is to request that he or she fax you a copy of a photo ID, such as a driver's license; however, avoid doing this unless you have no other means to verify because you will end up with a copy of data protected by information security and privacy laws. If it is absolutely required to obtain and retain a copy of the ID for the service being provided, then this can be a useful method. Usually then you will also require the address on the faxed ID to match your existing records, or require multiple forms of verification to be provided.
A higher level of assurance is gained if you run a test first, by faxing a blank form or general information page to the number in your existing records, and asking the individual to email or call you back to let you know that the fax was received, or to fill out the form and fax it back.