Actor = Person to be Identity-Proofed
Proofer = Doh! Could be any full-time CMU staff person appropriately authorized? Could be Help Center staff?
It is assumed the Actor has already been issued an Andrew ID - or must we define this process too?
- Actor and Proofer agree upon method of Video Conference (FaceTime, Google Voice Video, Skype, others?)
- Actor independently obtains physical FOB or downloads soft FOB
- Proofer independently accesses ID-Proof Web App in a "Proofer" role
- Proofer establishes VC with Actor.
- It is most optimal if someone the Proofer knows is with the Actor as a "chain of custody".
- Actor presents to Proofer Official Photo ID - holding it up to the camera.
- Proofer verifies photo matches actor's face
- Proofer records ID Type, Issuer, ID number into ID-Proof Web App
- Actor provides AndrewID - Proofer validates AndrewID matches Actor
- Possibility of obtaining digital photo capture of Actor in VC
- If a "custodian" (see 3a) is present, record custodian AndrewID.
- Process FOB
- Proofer records Actor's FOB # and AndrewID into ID-Proof Web App
- Proofer enables Actor's FOB
- Proofer sends email (AoR) to Actor with ID-Proof Web App URL and other info
- Actor verifies authentication and access
- Actor accesses ID-Proof Web App and login as normal user
- Actor authenticates using Shib SSO and then uses FOB authN on ID-Proof page.
- Actor is presented with a 6 character KEY
- Actor reads KEY to Proofer
- Proofer validates the Actor's KEY with KEY on Proofer's ID-Proof page.
- repeat a-d until success
- Proofer approves Actor in ID-Proof Web App
- End Video Conference
- Proofer authorization
- If Proofer has privilege to authorize then modify accordingly.
- If not (9a) then Proofer notifies official authorizers ID-Proof steps completed and provides AndrewID and Name to Authorizers. Authorizers modify accordingly.