The most accurate way to verify someone’s identity is to request and validate multiple forms of identification, including at least one with a photo. Examples include a driver’s license, Social Security card, valid passport, or military ID. Some organizations may accept a non-government identification, such as a university ID.
Online identity verification, also known as identity “proofing” or “vetting”, involves confirming an individual's identity without a physical photo ID. Most organizations require a real-time process to verify the personal information provided by the individual.
Levels of identity verification depend on the needed level of assurance. Some instances may require more proof than others that someone is who they claim to be. Prior to choosing appropriate verification methods, perform a risk assessment to determine the level of needed assurance.
The level of assurance you can achieve depends on how much information you have to verify. If the information you have about an individual is limited to name, phone number, and address, then confirming those details is the highest level of assurance you will be able to reach.
How can I verify an individual's identity?
Identity verification typically uses three factors:
Something you have: a swipe/proximity card, OTP token, etc.
Something you know: a password or information about yourself (mother's maiden name, security questions, etc.)
Something you are: a photo ID, hand/fingerprint readers, hand geometry, retina scanners, etc.
These factors are stronger when used together. Passwords can be hacked, cards and keys can be stolen, and biometric readers can be fooled. The chance of a successful attack is lessened when a combination of these factors is used.
Please remember to NEVER ask for a password, PIN, passphrase, or access code! Such codes are meant ONLY to be used by the individual they are assigned to, for logging into systems.
The most common way to verify identity in person is to see the individual and a government-issued photo ID card, such as a driver's license, state ID card, or passport. This method combines the “something you have” and “something you are” factors. Here are a few tips for verifying with a photo ID:
Document that you reviewed a photo ID and what kind of ID it was. Driver's license numbers are protected by privacy laws, so do NOT copy or write down the number unless it is absolutely required to provide the requested service.
Watch out for fake photo ID cards. Familiarize yourself with the format of the IDs you check and examine them closely. For example, most state driver's licenses have microprint, which is hard to fake. Do a quick online lookup for the correct ID number format to spot fake numbers. For more information, read How to Spot a Fake ID.
Consider asking for a second ID if the photo on the first ID is not clearly the person in front of you. Examples include Social Security cards, credit cards, utility bills with name and address, school ID card, etc. Again, do NOT copy or keep these numbers, unless you require them to provide the service. Social Security numbers and credit card numbers are protected by law.
Add a “something you know” verification method if you need more assurance. Keep your process private and secure from others nearby. For example, if you need to ask for such information, have the person write it on paper for you to check, and then shred the paper while the person sees you do it. This ensures no one else hears or finds the information.
Cards and biometric readers like fingerprint, handprint, or hand geometry scanners are common ways of providing automated, in-person identity verification. Cards are “something you have” and biometrics are “something you are”.
Verifying identity over the phone requires “something you know” methods. Ask standard questions like name, address, and phone number, but also ask something that only the individual would know. The person doing the verifying will need access to a record about the individual requesting access or information.
Check the phone number if you have caller ID. Is it one of the numbers in the record? If the call is from an organization, does the phone number start with the correct standard numbers for that organization?
If you need a higher level of assurance, say you will call them back, and then hang up. Phone numbers can be “spoofed” or modified to trick a recipient into thinking a malicious call is legitimate. Dial the number in your records so that you control the phone number to which you are connected.
Use common sense and intuition to judge the authenticity of the call. For example, it could be a red flag if the voice of the caller does not match the age of the person in the records. Is the caller's behavior appropriate (for example, not rushing you to verify) and the reason for verifying by phone reasonable?
Verifying in email or chat can be challenging due to the need to avoid documenting protected data such as Social Security number, driver's license number, and other identifying information. Email and chat accounts are not as secure as other methods, so it is best to use another method to verify.
If you absolutely have to verify through email or chat, and you only need a minimum level of assurance that the person is who they say they are, use the following tips.
Ask the same questions outlined in the “Verifying via Phone” section, but avoid requesting sensitive information like passwords, passphrases, Social Security numbers, credit card numbers, or driver's license numbers.
Check the technical details of the communication. For example, does the email address match the one in the records? In chat, is the username familiar? It's important not to rely completely on the email address or chat username, though, because those can be easily spoofed. This only provides a hint that the person may be who they claim to be.
Consider initiating a new email or chat with the address you have in your records instead of replying to the message. This way you control the address you are sending to. Unfortunately, you still do not have a way to truly verify that the person responding to the messages is the person who owns the email or chat account.
For IU business, consider requiring the person to use an IU service: email you from an IU email address, or use an IU chat service like Teams Chat. These are more trustworthy than free public email and chat accounts.
Ask the person to verify their identity via another method for a higher level of assurance. For example, if you are emailing, ask them to call you and use the phone verification methods.
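The “check the technical details” tip above can be partly automated. The following Python example is added here and is not part of the original article or an IU tool; it uses only the standard library, and the record, addresses and two raw messages are constructed for illustration. It compares the From address with the record, flags a Reply-To that redirects the conversation elsewhere, and reads the receiving mail server's Authentication-Results header (SPF/DKIM). As the article says, even a clean result is only a hint that the message came from the expected account, not proof that the person typing is its owner.

```python
"""Illustrative checks on an inbound email's technical details (added example,
not part of the original article). Standard library only; the record and the
two raw messages below are constructed, not real mail."""
import email
import re
from email.utils import parseaddr

# Constructed record of the person we expect to hear from (assumption).
RECORD = {"name": "Jane Doe", "email": "jdoe@example.edu"}

# Constructed sample: From matches the record and the receiving server
# reports SPF and DKIM passes for the sending domain.
GENUINE_LOOKING = """\
From: Jane Doe <jdoe@example.edu>
To: helpdesk@example.edu
Reply-To: jdoe@example.edu
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu
Subject: Password reset request

Please reset my password.
"""

# Constructed sample: the From header looks identical, but replies are
# steered to a free webmail address and the domain checks did not pass.
SUSPICIOUS = """\
From: Jane Doe <jdoe@example.edu>
To: helpdesk@example.edu
Reply-To: jane.doe.urgent@freemail.example
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=freemail.example; dkim=none
Subject: URGENT password reset

Please reset my password right now.
"""


def inspect_message(raw: str, record: dict) -> dict:
    """Return which sender hints hold. None of these prove identity; a clean
    result only means the From address and the domain's own authentication
    results are consistent with the record."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    auth = msg.get("Authentication-Results", "")

    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)

    hints = {
        # The displayed sender is trivially forgeable, so this is only a hint.
        "from_matches_record": from_addr == record["email"].lower(),
        # A Reply-To pointing elsewhere moves the conversation away from the
        # address on record, a common sign of spoofing.
        "reply_to_consistent": reply_to in ("", from_addr),
        # SPF/DKIM results are added by your own mail server on receipt.
        "spf_pass": bool(spf and spf.group(1) == "pass"),
        "dkim_pass": bool(dkim and dkim.group(1) == "pass"),
    }
    hints["all_hints_consistent"] = all(hints.values())
    return hints


if __name__ == "__main__":
    for label, raw in (("genuine-looking", GENUINE_LOOKING), ("suspicious", SUSPICIOUS)):
        print(label, inspect_message(raw, RECORD))
```

Even when every hint is consistent, follow the article's advice and ask the person to verify by another method, such as a phone call to the number in your records, before granting anything beyond a minimum level of assurance.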
When providing access to an online application or system, in addition to a password or passphrase (“something you know”) you can also require a token (“something you have”). The use of IU Login and Two-Step Login (Duo) makes online logins more secure. If technically feasible, the central authentication service (CAS) must be used for all services that access limited-access data on university servers, and password tokens must be used for any update access to restricted data on university servers.
Verifying through social media is not recommended. It is too easy to create fake accounts and profiles, and the information shared in these environments is meant to be shared! Thus, they are not good forums for sharing verification data protected by information security and privacy law, such as identification documents and numbers.
One method of having the individual provide “something you have” is to request a faxed photo ID, like a driver's license. Don't do this unless it is absolutely required for the service you are providing, because you will end up with a copy of sensitive data protected by privacy laws. Usually you will then also require the address on the faxed ID to match your existing records, or require multiple forms of verification to be provided.
A higher level of assurance is gained if you fax a blank test form or information page to the number you have on record, and ask the person to email or call you back, or to fill out the form and fax it back.