Implementing identity proofing use cases in the ForgeRock Identity Platform

Overview

Identity proofing is used to verify an individual’s identity so that you can be confident that the real-world identity exists and that the individual claiming the identity really owns that identity. This involves providing sufficient information to establish an identity during user registration and authentication flows.

NIST (National Institute of Standards and Technology) Special Publication 800-63A defines technical requirements for identity proofing. Identity Assurance Level 2 (IAL2) requires proof that the user is properly associated with the real-world existence of the claimed identity through the use of remote or physically-present identity proofing.

Use cases for identity proofing

ForgeRock can help you address many identity proofing use cases across all sectors, including Financial Services, Retail, Healthcare and Government.

The following are examples of some of the identity proofing use cases seen by ForgeRock:

  • Self-registration with identity proofing as an additional step. An organization wants to include an identity verification step in a customer self-service flow. For example, prompting the customer to enter details that can be validated against an existing database before continuing with the registration.

  • Identity proofing using government-issued photo identification. Instead of customers having to go to a branch to acquire an insurance policy physically, an insurance company wants to provide the option for customers to complete the process online and to verify their identity using a government-issued photo ID and a selfie for comparison.

  • Document verification with asynchronous requests. When authenticating a user, a financial services organization wants to call out to a document verification service such as Socure. Since the document verification may take a while to complete, a separate request will be sent to the external service awaiting a response before setting an account to active.

  • Identity proofing with third-party fraud detection. During registration, a financial services organization wants to gather some basic customer information (like unique identifier, phone, email, address, and mother’s maiden name) and then perform identity proofing against an eCommerce fraud protection platform such as Kount.

  • Identity proofing based on knowledge. An organization wants to check that an identity really belongs to another organization, by including questions based on knowledge during the registration or authentication process. For example, “what is the company registration number?”.

Identity proofing use cases and the ForgeRock Identity Platform

Identity proofing will be unique to your business so should be defined and built as part of your ForgeRock implementation. Identity proofing may call out to external services or may include manual tasks to allow the user to present physical documentation to a member of staff.

For many use cases, identity proofing can be achieved by adding a custom step in the user self-registration configuration. For example, prompting a customer to enter details that can be validated against an existing database or third-party identity proofing service before continuing a registration flow. You do this by adding a verification step to a registration tree, typically leveraging a Scripted Decision node for identity proofing.

A simple user self-registration tree with identity proofing step
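As an added example (not code from the article or from any Trust Network partner node), the decision core of such a Scripted Decision node: it validates the attributes collected during registration, submits them to a hypothetical proofing service, and maps the reply to one of three tree outcomes, including the asynchronous "pending" path from the document-verification use case above, where the account stays inactive until the case completes. The service URL, response contract, score threshold and the `send` transport are assumptions; AM's own bindings are named only in a comment.

```javascript
// Added example: outcome logic for an identity-proofing Scripted Decision node.
// The transport is injected as `send` so the logic runs and is testable outside AM.
//
// Hypothetical service contract (constructed for this example):
//   200 {"decision":"accept","score":0.93}   -> "verified"
//   202 {"decision":"pending","caseId":"..."} -> "pending"  (keep the account inactive,
//                                                poll the case before activating it)
//   anything else, malformed, or a transport error -> "failed" (fail closed)
var MIN_SCORE = 0.85; // assumed policy threshold, not a value from the article
var PROOFING_URL = "https://proofing.example.test/v1/verify"; // placeholder endpoint

function buildProofingRequest(attrs) {
  // Never call the service with an incomplete record; the tree should re-prompt instead.
  var required = ["userName", "givenName", "sn", "mail", "telephoneNumber"];
  for (var i = 0; i < required.length; i++) {
    if (!attrs[required[i]]) throw new Error("missing attribute " + required[i]);
  }
  return { method: "POST", uri: PROOFING_URL, body: JSON.stringify({ subject: attrs }) };
}

function decideOutcome(reply) {
  var body;
  try { body = JSON.parse(reply.body); } catch (e) { return "failed"; }
  if (reply.status === 202 && body.decision === "pending" && body.caseId) return "pending";
  if (reply.status === 200 && body.decision === "accept" &&
      typeof body.score === "number" && body.score >= MIN_SCORE) return "verified";
  return "failed"; // explicit reject, low score, or unexpected status/shape
}

function runProofing(attrs, send) {
  try {
    return decideOutcome(send(buildProofingRequest(attrs)));
  } catch (e) {
    return "failed"; // missing data or a transport error must never yield "verified"
  }
}

// Inside the node script (assumed AM bindings; check the names for your AM version),
// `send` would wrap httpClient: build an org.forgerock.http.protocol.Request, call
// httpClient.send(request).get(), and return
// { status: response.getStatus().getCode(), body: response.getEntity().getString() };
// the script then ends with:  outcome = runProofing(attrs, send);

// Constructed sample input matching the attributes a registration tree would collect.
var SAMPLE_ATTRS = { userName: "jdoe", givenName: "Jane", sn: "Doe",
                     mail: "jane@example.test", telephoneNumber: "+15555550100" };
```

Each outcome should map to its own branch in the tree: "verified" continues to account creation, "pending" creates the account inactive and schedules the follow-up check, and "failed" routes to manual review rather than retrying silently.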

The following resources provide a good overview of trees and how they are configured in the ForgeRock platform:

Third-party identity proofing services

Many ForgeRock customers consider using external identity proofing services as part of their validation processes. Access to such third-party services during registration or login can be done using standard integration options. Registration capabilities are exposed through REST APIs.

While the ForgeRock platform provides attribute validation capabilities for email addresses and phone numbers through one-time password delivery and verification, many third-party services meet NIST IAL2 requirements for remote identity proofing by applying a combination of biometrics, fraud scores, KYC field verification, risk scores, correlation scores, and document verification.

ForgeRock offers numerous external identity proofing options provided by Technology Partners in the ForgeRock Trust Network. These are among the strong authentication vendors that have developed authenticators for use with our identity platform for identity proofing purposes:

Many of the authenticators provided by our Technology Partners are available as nodes on the ForgeRock Marketplace.

See ForgeRock Trust Network Partners for further details of each of our Technology Partners offering identity proofing.

Progressive profiling

To create an easy registration experience, ForgeRock supports minimal form input during sign-up, known as progressive profiling. This allows you to ask only for what is needed to identity-proof the person, and then use the progressive profiling capabilities to prompt the user for more information during subsequent logins, for a low-friction experience.

The following resources provide further information on progressive profiling in the Identity platform:

Continuous authentication

By including identity proofing in your login journeys, you can continue to check the user’s identity beyond their initial registration in order to minimize risk.

For example, a user who logs in from an unusual location may be prompted to take a selfie that can be compared to one they took when they created the account to ensure that they are the same person. By including third-party identity proofing services in your user journeys, you can also ensure that your customers remain legitimate, for example through watchlist screening.

Further reading
