Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Identity and User Security
IN PLAIN LANGUAGE
Before granting access to University systems or resetting account credentials, the University needs to be confident that a person is who they say they are. This standard establishes how that identity verification works, scaling the level of scrutiny to the sensitivity of what's being accessed. Routine account changes require basic verification, while access to sensitive data, privileged accounts, or MFA resets require stronger proof of identity — including government-issued ID or in-person verification in some cases. These requirements protect against account takeover, fraud, and unauthorized access to University data.
1. Purpose
The purpose of this Standard is to establish minimum, risk-based requirements for verifying and proofing the identity of individuals who request access to University of Montana information systems or digital University Data. Effective identity verification and proofing reduce the risk of account compromise, fraud, and unauthorized access.
This Standard implements identity assurance requirements under the University's Information Security Program and aligns with the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (NIST SP 800-63), which define the assurance levels used throughout this Standard.
2. Scope
This Standard applies to:
- Identity verification and proofing activities associated with University user accounts
- Requests for account creation, password resets, MFA enrollment or bypass, and changes to authentication factors
- Employees, students, affiliates, contractors, and third parties acting on behalf of the University
This Standard applies to digital identities used to access University systems and does not govern physical access credentials or non-digital identity processes.
3. Identity Assurance Framework
The University adopts the NIST SP 800-63 framework, which defines three complementary assurance dimensions. Each answers a different question, and each level is selected independently of the other two:
Identity Assurance Level (IAL) — The strength of the identity proofing process: how confident the University is that an individual's claimed identity is their real-world identity.
Authenticator Assurance Level (AAL) — The strength of the authentication process: how confident the University is that the person presenting credentials is the account holder to whom those authenticators were bound.
Federation Assurance Level (FAL) — The strength of the assertion protocol used when identity information is passed from an identity provider to a relying system.
Assurance levels must be selected based on risk, data sensitivity, and system criticality. Strong proofing does not compensate for weak authentication, or vice versa: a privileged account that was proofed at IAL3 but protected only by a password can still be taken over.
4. Identity Assurance Levels (IAL)
4.1 IAL1 — Low Assurance
IAL1 applies to requests involving non-sensitive information, public or directory-level data, and no access to Restricted (Moderate Risk) or Confidential (High Risk) Data. IAL1 requests do not require identity proofing beyond basic account validation.
4.2 IAL2 — Moderate Assurance
IAL2 applies to requests involving access to Restricted (Moderate Risk) Data, changes to standard user accounts, and routine identity verification scenarios.
IAL2 requirements may be satisfied by:
- Use of an active UM NetID or University identity
- Verification of a minimum set of personal attributes already on file
4.3 IAL3 — High Assurance
IAL3 applies to high-risk scenarios, including access to Confidential (High Risk) Data, privileged account access, and password resets, MFA bypass, or changes to MFA factors.
IAL3 requires strong identity proofing, which may include:
- In-person verification, or supervised remote verification using trusted channels
- Validation of government-issued photo identification
5. Authenticator Assurance Levels (AAL)
Authentication mechanisms must meet assurance levels appropriate to the risk:
AAL1 — Single-factor authentication (low-risk use cases only).
AAL2 — Multi-factor authentication combining two different factors.
AAL3 — Phishing-resistant MFA using hardware-backed or cryptographic authenticators.
University systems handling Restricted (Moderate Risk) or Confidential (High Risk) Data must meet at least AAL2 requirements.
6. Federation Assurance Levels (FAL)
Federated identity assertions must be protected according to risk. The levels below follow NIST SP 800-63C:
FAL1 — Bearer assertions, digitally signed by the identity provider so the relying system can verify their origin and integrity.
FAL2 — Signed assertions that are additionally encrypted to the relying system, so that identity attributes cannot be read by an intermediary.
FAL3 — Assertions bound to a cryptographic key the subscriber proves possession of (holder-of-key), so that a party who merely captures the assertion cannot use it.
Federation level selection must align with system risk and data sensitivity.
7. Identity Proofing Requirements
7.1 Authorized Verification
Identity proofing must be performed by authorized and trained University personnel or approved service providers.
7.2 Physical or Supervised Presence
For IAL3 scenarios:
- Physical presence or supervised remote identity proofing is required
- Supervised remote proofing must achieve confidence comparable to in-person verification: a live operator observes the session, the applicant presents physical evidence (such as government-issued photo identification) for inspection, and the session is protected against tampering or substitution
8. Privacy and Equity Considerations
Identity verification and proofing processes must:
- Minimize collection of personal information
- Protect privacy and confidentiality of identity data
- Consider accessibility, equity, and usability impacts
9. Continuous Improvement
The University must periodically review and refine identity verification practices to address emerging threats, technological changes, regulatory updates, and community feedback.
10. Exceptions
Exceptions to this Standard must:
- Be documented with risk justification
- Identify compensating controls where applicable
- Be approved by the CISO or designee
- Be reviewed periodically
11. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or institutional needs.
12. References
- UM Information Security Policy
- UM Account Security Standard
- UM User Security Awareness & Responsibilities Standard
- UM Audit Log Management Standard
- NIST SP 800-63 (Digital Identity Guidelines)