Identity verification

The most accurate way to verify someone’s identity is to request and validate more than one form of identification, one with a photo. Examples include a driver’s license, a Social Security card, a valid passport, or military ID. Some organizations may accept a university ID or other non-government ID for one of them.

Identity verification online, also known as identity “proofing” or “vetting”, is when you confirm an identity without seeing a picture ID. Most organizations need a real-time process that checks the personal information given by the individual.

Note: IU’s policies and procedures for giving and taking away access to resources are in the Information Security and Privacy Program, primarily in Domain 8: Identity and Access Control.

Are there different levels of identity verification?

Yes. Levels of identity verification depend on the needed level of assurance. You may only need to confirm that an identity is not fraudulent, or you may need more proof that someone is who they claim to be.

Prior to choosing appropriate verification methods, perform a risk assessment to determine the level of needed assurance. Identity verification typically uses three factors:

Something you have. Typically, a swipe/proximity card, OTP token, etc.
Something you know. Typically, a password or information about yourself (mother's maiden name, security questions, etc.)
Something you are. Typically comparing a photo to a person standing in front of you, or, biometric readers (hand/fingerprint readers, hand geometry, retina scanners, etc.)

These factors are stronger when used together. Passwords can be hacked, cards and keys can be stolen, and biometric readers can be fooled. The chance of a successful attack is lessened when a combination of these factors are used. The level of assurance you can achieve depends on how much information you have to verify. If the information you have about an individual is limited to name, phone number, and address, that's the highest level of assurance you will be able to reach.

Also, some names are very common. If you are changing internal records, ensure you have the correct one. You may need to ask additional questions to identify which record belongs to the person you are verifying.

How can I verify an individual's identity?

Once you identify what level of assurance you require, you can use these tips below to plan a method of verification, depending on the type of interaction.

Please remember NEVER to ask for a password, PIN, passphrase, or access code! Such codes are meant ONLY to be used by the individual they are assigned to, for logging into systems.

The most common way to verify identity is to see the person and a government-issued, photo ID card (e.g., driver's license, state ID card, or Passport). This is “something you have” and “something you are” factors. A few tips on verifying with a photo ID:

Document that you reviewed a photo ID and what kind of ID it was. Driver's license numbers are protected by privacy laws, so do NOT copy or write down the number unless it is absolutely required to provide the requested service.
Watch out for fake photo ID cards. Become familiar with the format of the IDs you check, and look carefully. For example, most state driver's licenses have microprint, which is hard to fake. Do a quick online lookup for the correct ID number format to spot fake numbers. For more information, read How to Spot a Fake ID.
If the photo on the ID is not clearly the person in front of you, or if you need more proof, consider asking for a second ID. Examples include Social Security cards, credit cards, utility bills with name and address, school ID card, etc. Again, do NOT copy or keep these numbers, unless you require them to provide the service. Social Security numbers and credit card numbers are protected by law.
If you need more assurance, add a “something you know” method. Keep your process private and secure from others nearby. For example, if you need to ask for such information, have the person write it on paper for you to check, and then shred the paper while the person sees you do it. This way no one else will hear or find the information.

Cards and biometric readers like fingerprint, handprint, or hand geometry scanners are common ways of providing automated, in-person identity verification. Cards are “something you have” and biometrics are “something you are”.

Verifying identity over the phone requires "something you know" methods. The person doing the verifying will need access to a record about the individual requesting access or information.

First, check the phone number if you have caller ID. Is it one of the numbers in the record? If the call is from an organization, does the phone number start with the correct standard numbers for that organization?
Phone numbers can be “spoofed” or modified to trick a recipient into thinking a malicious call is legitimate. If you need a higher level of assurance, say you will call them back and then hang up. Dial the number in your records so that you control the phone number to which you are connected.
Ask standard questions like name, address, and phone number, but also ask something that only the individual would know. For example, in a higher education setting, consider asking the instructor's name for a class the person took, or what semester they took a certain class.
Use common sense and intuition to judge the authenticity of the call. For example, it could be a red flag if the voice of the caller does not match the age of the person in the records. Is the caller's behavior appropriate (for example, not rushing you to verify) and the reason for verifying by phone reasonable?

Verifying in email or chat can be challenging, due to the need to avoid documenting protected data such as Social Security number, driver's license number, and other identifying information, and because email and chat accounts are not very secure. It is best to use another method to verify.

If you absolutely have to verify through email or chat, and you only need a minimum level of assurance that the person is who they say they are, use the following tips.

Ask the same questions outlined in the “Verifying via Phone” section, but don't ask for sensitive information such as passwords, passphrases, Social Security numbers, credit card numbers, or driver's license numbers.
You can also check the technical details of the communication. For example, does the email address match the one in the records? In chat, is the username familiar? It's important not to rely completely on the email address or chat username, though, because those can be easily spoofed. This only provides a hint that the person may be who they claim to be.
Instead of replying to the message, consider initiating a new email or chat thread by typing the email or chat address you have in your records. This way you control the address you are sending to. Unfortunately, you still do not have a way to truly verify that the person responding to the messages is the person who owns the email or chat account.
For IU business, can you require they email you from an IU email address, or use an IU chat service like Teams Chat? These are more trustworthy than free public email and chat accounts.
A higher level of assurance is possible if you ask the person to verify via another method. For example, if you are emailing, ask them to call you and use the phone verification methods.

When providing access to an online application or system, in addition to a password or passphrase (“something you know”) you can also require a token (“something you have”). The use of IU Login and Two-Step Login (Duo) make online logins more secure. If technically feasible, the central authentication service (CAS) must be used for all services that access limited-access data on university servers, and use password tokens for any update access to restricted data on university servers.

Verifying through social media is not recommended. It is too easy to create fake accounts and profiles, and, the information shared in these environments is meant to be shared! Thus, they are not good forums for sharing verification data protected by information security and privacy law, such as identification documents and numbers.

One method of having the individual provide “something you have” is to request a faxed photo ID, like a driver's license. Don't do this unless it is absolutely required for the service you are providing, because you will end up with a copy of sensitive data protected by privacy laws. Usually then you will also require the address on the faxed ID to match your existing records, or require multiple forms of verification to be provided.

A higher level of assurance is gained if you fax a test blank form or info page to the number you have, and asking the person to email or call you back, or to fill out the form and fax it back.

Other resources

Social Security number verification service (SSNVS) | The Social Security Administration

Identity verification