4.2.2.1 RA Authentication

Each RA must authenticate to the IdMS using a credential that meets or exceeds Silver requirements.

Communications between an RA and the IdMS shall be encrypted using an industry standard protocol that also authenticates the IdMS platform.

Management assertion:

4.2.2.1: The Identity Proofing and Registration process is outlined in the "Registration and Identity Proofing" document housed in the ID Office Business Practice Manual.

4.2.2.1: Connections to the Registration Authorities (Systems of Record) are made securely according to the "Registration and Identity Proofing" document housed in the ID Office Business Practice Manual.

4.2.2.2  Identity Verification Process

1. The identity proofing and registration process shall be performed according to written policy or practice statements that specify the particular steps taken by IdPO staff or systems to verify identities.

2. The above statement(s) shall address the primary objectives of registration and identity proofing, including:
• Ensuring a person with the claimed identity information does exist, and that the identity information is sufficient to uniquely identify a single person within the IdPO’s range of foreseeable potential Subjects;
• Ensuring that the physical person requesting registration is entitled to the claimed identity.

3. Personally identifiable information collected as part of the registration process must be protected from unauthorized disclosure or modification.

Management assertion:

4.2.2.2: The Identity Proofing and Registration process is outlined in the "Registration and Identity Proofing" document housed in the ID Office Business Practice Manual.

4.2.2.3 Registration Records

1. A record of the facts of registration shall be maintained by the IdPO.
2. The record of the facts of registration shall include:
• Identity proofing document types and issuers;
• Full name as shown on the documents;
• Date of birth;
• Current address of record.

3. Records also must include revocation or termination of registration.

Management assertion:

The records of full name, date of birth, and current address of record are maintained by the Human Resources department for employees, and exist in the human resources system, which is the data source for the identity management systems.  The identity proofing information is kept by Human Resources in a separate physical file in conjunction with the I-9 process.

4.2.2.4 Identity Proofing

Prior to this process, the Subject supplies his or her full name, date of birth, and an Address of Record to be used for communication with the Subject, and may, subject to the policy of the IdPO, also supply other identifying information.  For each Subject, the full name, date of birth and Address of Record must be verified using one or more of the following methods:

Management assertion:

Michigan State University only supports the In-Person Proofing mechanism as described in 4.2.2.4.2.

4.2.2.4.1 Existing Relationship

If the IdPO is a function of an enterprise, the identity proofing process may be able to leverage a pre-existing relationship, e.g., the Subject is an employee or student.  Where some or all of the identity proofing done at the time the existing relationship was established is comparable to that required in 4.2.2.4.2 or 4.2.2.4.3 below, those results may be relied upon for this purpose.  The IdPO's Registration Authority (RA) shall confirm that the Subject is a person with a current relationship to the organization, record the nature of that relationship and verify that the relationship is in good standing with the organization.

Management assertion:

Michigan State will use only in-person proofing for Silver Assurance.

4.2.2.4.2 In-Person Proofing

1. The RA shall establish the Subject’s IdMS registration identity based on possession of a valid current government photo ID that contains the Subject’s picture (e.g., driver’s license or passport), and either an address or nationality.
2. The RA inspects the photo ID and compares the image to the physical Subject. The RA records the document type and issuer, the address given on the ID if there is one, and the date of birth shown on the ID if there is one. If the ID appears valid, the photo matches the physical Subject, and the ID confirms the Subject’s date of birth, the RA authorizes issuance of Credentials.
3. If the address given on the ID does not confirm the Address of Record, it must be confirmed as described in §4.2.2.5 below.

Management assertion:

Michigan State will use only in-person proofing for Silver Assurance.

The in-person proofing process is outlined in the "Registration and Identity Proofing" document housed in the ID Office Business Practice Manual.

4.2.2.4.3 Remote proofing

1. The RA shall establish the Subject’s IdMS registration identity based on possession of at least one valid government ID number (e.g., a driver’s license or passport) and either a second government ID number or financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number.
2. The RA verifies other information provided by the Subject using both of the ID numbers above through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, date of birth, and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual. If this appears to be the case, the RA authorizes issuance of Credentials.
3. If the record checks do not confirm the Address of Record, it must be confirmed as described in §4.2.2.5 below.

Management assertion:

Michigan State will use only in-person proofing for Silver Assurance.

4.2.2.5 Address of Record Confirmation

The Address of Record must be confirmed before the Subject’s record can be considered to meet the requirements of this IAP. If the Address of Record was not confirmed as part of Identity proofing, then it must be accomplished by one of the following methods:

1. The RA contacts the Subject at the Address of Record and receives a reply from the Subject; or
2. The RA issues Credentials in a manner that confirms the Address of Record supplied by the Subject.
   a. For a physical Address of Record, the RA requires the Subject to enter online a temporary Secret from a notice mailed to the Subject’s Address of Record.
   b. For an electronic Address of Record, the RA confirms the ability of the Subject to receive telephone communications at a telephone number or e-mail at an e-mail address.

Any Secret not sent over a Protected Channel shall be invalidated upon first use.
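The mailed-notice method in 2.a and the "invalidated upon first use" rule can be implemented as a small server-side store. The following is an added, constructed example (not code from the IAP or from Michigan State University's ID Office); the class name, the 14-day lifetime and the three-guess limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


class AddressConfirmationStore:
    """Temporary Secret for a mailed notice, checked once (constructed example).

    Only a hash is kept; it expires after ttl_seconds, wrong guesses are capped
    at max_attempts, and the first successful use invalidates it (4.2.2.5).
    """

    def __init__(self, ttl_seconds=14 * 86400, max_attempts=3, now=time.time):
        self.ttl_seconds = ttl_seconds
        self.max_attempts = max_attempts
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # subject_id -> pending notice record
        self.confirmed = {}      # subject_id -> confirmed Address of Record

    def issue(self, subject_id, address_of_record):
        """Create the Secret for the notice mailed to the Address of Record."""
        secret = secrets.token_urlsafe(12)
        self._pending[subject_id] = {
            "hash": hashlib.sha256(secret.encode("utf-8")).digest(),
            "address": address_of_record,
            "expires": self._now() + self.ttl_seconds,
            "attempts_left": self.max_attempts,
        }
        return secret  # handed to the mailing step only; never stored in clear

    def confirm(self, subject_id, entered_secret):
        """Check the Secret the Subject entered online; True confirms the address."""
        rec = self._pending.get(subject_id)
        if rec is None:
            return False                       # nothing outstanding, or already used
        if self._now() > rec["expires"]:
            del self._pending[subject_id]      # expired notice: a new one must be mailed
            return False
        entered = hashlib.sha256(entered_secret.encode("utf-8")).digest()
        if not hmac.compare_digest(rec["hash"], entered):
            rec["attempts_left"] -= 1
            if rec["attempts_left"] <= 0:
                del self._pending[subject_id]  # guess budget exhausted: re-issue required
            return False
        del self._pending[subject_id]          # first successful use invalidates the Secret
        self.confirmed[subject_id] = rec["address"]
        return True
```

A re-issued notice replaces any outstanding record for the same Subject, so only one Secret is ever live per Subject.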

Management assertion:

RegistrationandIdentityProofing_20120711.odt
