Before a system can authenticate you, it must first establish who you are. SP 800‑63A is the volume of the NIST Digital Identity Guidelines suite that defines how organizations collect evidence of identity, validate that evidence, and enroll individuals into their systems, all while balancing security rigor with equitable access (National Institute of Standards and Technology [NIST], 2025a).
Document Background
SP 800‑63A is the “A” volume of the four‑part SP 800‑63 suite. The parent document (SP 800‑63) provides the risk‑management framework. The A volume covers identity proofing and enrollment. The B volume (SP 800‑63B, covered in a separate reference on this site) addresses authentication and authenticator management. The C volume (SP 800‑63C) handles federation and assertions (NIST, 2025a).
Identity proofing answers a deceptively simple question: Is this person really who they say they are? This question must be answered before any credentials are issued. If the proofing process fails, everything built on top of it—passwords, MFA tokens, access permissions—is compromised from the start because you have given the right credentials to the wrong person.
Think of digital identity as a three‑link chain. Link one is identity proofing (63A): proving who you are. Link two is authentication (63B): proving it is still you each time you return. Link three is federation (63C): letting one system vouch for your identity to another. A weak first link undermines the entire chain, no matter how strong the authentication or federation layers are.
What Is Identity Proofing?
Identity proofing is the process of collecting, validating, and verifying information about a person to establish that they are a real individual and that the identity they claim is genuinely theirs. NIST breaks this process into three distinct steps (NIST, 2025a, Section 4).
Resolution
Resolution is the first step. The applicant provides identity information (name, date of birth, address) and evidence (a driver’s license, passport, or other document). The goal of resolution is to distinguish the applicant from all other individuals and arrive at a single claimed identity. If two applicants share the same name and birthdate, resolution uses additional attributes or evidence to tell them apart.
Validation
Validation confirms that the identity evidence itself is genuine and not counterfeit, expired, or revoked. For a physical document, this might mean checking security features (holograms, microprinting, UV features). For an electronic document, it could mean querying the issuing authority’s database to confirm the document number is valid and has not been reported lost or stolen.
Verification
Verification confirms that the applicant is the person described by the validated evidence. This is where the process connects the document to the living person standing in front of you (or appearing on a video call). Verification might involve comparing a photograph on the document to the applicant’s face, confirming a biometric sample, or verifying knowledge that only the true holder of that identity would possess.
When you open a bank account in person, the teller asks for your driver’s license (resolution and evidence collection), examines the license for signs of tampering (validation), and compares the photo on the license to your face (verification). SP 800‑63A formalizes exactly this kind of everyday process into a rigorous framework.
The Three IALs
SP 800‑63A defines three Identity Assurance Levels (IALs) that describe how much confidence an organization has that the person using a system is who they claim to be. The appropriate IAL depends on the risk associated with getting it wrong (NIST, 2025a, Section 3).
| Level | Proofing Requirement | Evidence | Typical Use Case |
|---|---|---|---|
| IAL1 | No identity proofing required. The identity is self‑asserted by the user. | None required | Public comment forums, newsletter sign‑ups, low‑risk government services |
| IAL2 | Remote or in‑person proofing. Evidence is collected and validated; the applicant is verified against the evidence. | One piece of strong evidence (e.g., a passport) or two pieces of fair evidence (e.g., a utility bill plus a state ID) | Tax filing, benefits enrollment, healthcare portals, university account provisioning |
| IAL3 | In‑person or supervised remote proofing. Strong evidence verification with additional safeguards. | Two pieces of strong evidence, with verification by a trained operator in a controlled environment | Federal employee credentialing (PIV cards), law enforcement systems, critical infrastructure access |
A key principle in Rev. 4 is that organizations should select the lowest IAL that adequately addresses their risk. Requiring IAL3 for a low‑risk service creates unnecessary barriers and costs without proportional security benefit. Conversely, using IAL1 for a system that controls access to sensitive personal data leaves the system vulnerable to impersonation (NIST, 2025a).
The parent document, SP 800‑63‑4, provides a detailed risk assessment process for selecting the appropriate IAL. Organizations assess the potential harm from identity proofing failures across six impact categories: inconvenience, financial loss, organizational harm, harm to agency programs, harm to public interests, and civil liberties impact. The worst‑case category determines the minimum IAL.
Evidence and Verification
SP 800‑63A categorizes identity evidence by its strength, which depends on how difficult the evidence is to forge and how reliably it can be verified against an authoritative source (NIST, 2025a, Section 4.3).
Evidence Strength Tiers
- Unacceptable evidence: Documents that are easily obtained without any identity verification, such as a library card or a store loyalty card. These provide essentially no assurance that the bearer is who they claim to be.
- Fair evidence: Documents issued by a recognized authority that required some identity verification at issuance. A utility bill, bank statement, or employer ID card falls into this category. Fair evidence is useful as supplementary proof but is not strong enough on its own for IAL2.
- Strong evidence: Government‑issued documents with robust security features that are difficult to forge, such as a driver’s license, state ID card, or passport. Strong evidence was issued through a process that itself required identity proofing, creating a chain of trust back to authoritative records.
- Superior evidence: Documents issued under a highly controlled process that includes in‑person appearance and multi‑step verification, such as a U.S. passport issued with the applicant’s in‑person appearance, or a Real ID‑compliant driver’s license. Superior evidence provides the highest level of confidence.
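To make the evidence rules concrete, here is an added example (not NIST's material and not code from the original page) that encodes the evidence strength tiers above and the per‑IAL evidence requirements from the IAL table as a policy check. The evidence kinds and validation flags are constructed sample data, and the check reports only the ceiling the evidence alone supports, since IAL3 additionally requires supervised proofing by a trained operator and every level above IAL1 requires verification of the applicant against the evidence.

```python
from dataclasses import dataclass
from enum import IntEnum

class Strength(IntEnum):
    """Evidence strength tiers as summarized above (SP 800-63A Section 4.3)."""
    UNACCEPTABLE = 0
    FAIR = 1
    STRONG = 2
    SUPERIOR = 3

@dataclass(frozen=True)
class Evidence:
    kind: str           # label used in messages only (constructed sample names)
    strength: Strength
    validated: bool     # True only if genuine, unexpired and not revoked (validation step)

def usable(evidence):
    """Only validated evidence of at least fair strength counts toward an IAL."""
    return [e for e in evidence if e.validated and e.strength >= Strength.FAIR]

def evidence_ceiling(evidence):
    """Highest IAL the evidence alone can support, per the IAL table:
    IAL3: two strong/superior pieces; IAL2: one strong/superior piece or
    two fair pieces; otherwise IAL1 (self-asserted). Process requirements
    (supervised in-person proofing for IAL3, verifying the applicant against
    the evidence) are checked elsewhere and are not modelled here."""
    ok = usable(evidence)
    strong = sum(1 for e in ok if e.strength >= Strength.STRONG)
    fair = sum(1 for e in ok if e.strength == Strength.FAIR)
    if strong >= 2:
        return 3
    if strong >= 1 or fair >= 2:
        return 2
    return 1

def shortfall(evidence, target_ial):
    """Reasons the evidence set falls short of target_ial; empty list if it suffices."""
    reasons = []
    for e in evidence:
        if not e.validated:
            reasons.append(f"{e.kind}: failed validation (counterfeit, expired or revoked)")
        elif e.strength == Strength.UNACCEPTABLE:
            reasons.append(f"{e.kind}: unacceptable evidence, contributes nothing")
    ceiling = evidence_ceiling(evidence)
    if ceiling < target_ial:
        reasons.append(f"evidence supports at most IAL{ceiling}; target is IAL{target_ial}")
    return reasons
```

Note that an expired or revoked document fails the validation step and therefore contributes nothing, regardless of its nominal strength tier.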
Verification Methods
Once evidence is collected and validated, the applicant must be connected to that evidence. Rev. 4 recognizes several verification methods (NIST, 2025a, Section 4.4):
Physical comparison: A trained operator compares the photograph on the evidence to the applicant’s physical appearance. This is the traditional method used at bank branches, DMV offices, and government service centers.
Biometric comparison: An automated system compares a biometric sample (typically a facial image) captured from the applicant to the image on the evidence or in an authoritative database. Rev. 4 includes detailed requirements for biometric system performance, including presentation attack detection (anti‑spoofing measures).
Address confirmation: An enrollment code is sent to an address of record (physical mail or validated phone number) to confirm the applicant has access to that address. This provides weaker verification than biometric or physical comparison but can supplement other methods.
Equity Considerations in Rev. 4
One of the most significant changes in Rev. 4 is the addition of explicit requirements around equity, inclusion, and accessibility in the identity proofing process. This was a major focus of the public comment period and reflects a growing recognition that identity systems can inadvertently exclude vulnerable populations (NIST, 2025a, Section 5).
The Problem Rev. 4 Addresses
Traditional identity proofing processes often assume that every applicant has a driver’s license, a fixed home address, a smartphone, reliable internet access, and a face that matches their government ID photograph. These assumptions exclude many legitimate users: people experiencing homelessness, individuals in the process of legal name or gender changes, people in rural areas with limited internet connectivity, elderly individuals unfamiliar with video‑based proofing, and people with disabilities that affect biometric capture.
What Rev. 4 Requires
- Multiple proofing pathways: Organizations should offer both remote and in‑person proofing options wherever feasible. A system that only accepts video‑based proofing excludes people without webcams or reliable internet. A system that requires in‑person visits excludes people with mobility limitations or those far from service centers.
- Diverse evidence acceptance: Not everyone has a passport or a Real ID‑compliant driver’s license. Rev. 4 encourages organizations to accept a broader range of evidence types and combinations, as long as the overall strength of the evidence meets the required IAL.
- Biometric performance across demographics: Facial recognition systems have well‑documented disparities in accuracy across different skin tones, ages, and genders. Rev. 4 requires that organizations evaluate the performance of their biometric systems across demographic groups and take steps to mitigate disparities.
- Accessible processes: Proofing interfaces must be accessible to people with disabilities, consistent with Section 508 requirements. This includes providing alternatives when a step in the process cannot be completed using assistive technology.
Equity is not just a social concern; it is a security concern. When legitimate users are excluded from the identity proofing process, they either abandon the service (reducing the system’s value) or seek workarounds that may be less secure (such as sharing credentials with someone who was able to complete the process). An identity system that does not serve all legitimate users is a system that has failed its mission.
Relationship to SP 800‑63B
SP 800‑63A and SP 800‑63B are designed to work together. The A volume establishes who the person is (identity proofing), and the B volume determines how the system will recognize that person on subsequent visits (authentication). The two volumes are connected through the concept of assurance levels (NIST, 2025a; NIST, 2025b).
IAL and AAL: Two Sides of the Same Coin
Identity Assurance Level (IAL) measures the confidence in the identity proofing process. Authenticator Assurance Level (AAL) measures the confidence in the authentication process. A system that requires high confidence in both dimensions will pair a high IAL with a high AAL. However, the two levels do not have to match.
| Use Case | IAL | AAL | Rationale |
|---|---|---|---|
| Anonymous forum | IAL1 | AAL1 | No real identity needed; single‑factor authentication is sufficient. |
| University student portal | IAL2 | AAL2 | Student identity is verified at enrollment; MFA protects academic records. |
| Federal employee system (PIV) | IAL3 | AAL3 | In‑person proofing with hardware‑bound authenticator for maximum assurance. |
| Pseudonymous health survey | IAL1 | AAL2 | Real identity is not needed, but the account must be protected from takeover because it contains sensitive health data. |
The last row in the table illustrates an important point: you can have strong authentication without strong identity proofing. A system that collects sensitive data from anonymous users still needs to protect those accounts from unauthorized access, even though it never verified the user’s real‑world identity. IAL and AAL are independent dimensions, and organizations should set each one based on the specific risks involved.
Citing This Document (APA 7)
SP 800‑63A‑4 follows the same APA 7 citation pattern as other NIST Special Publications. The issuing agency is the author, the publication number is the report identifier, and the parent department is the publisher.
- Reference list entry: National Institute of Standards and Technology. (2025). Digital identity guidelines: Identity proofing and enrollment (NIST Special Publication 800‑63A‑4). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800‑63a‑4
- First in‑text citation (introduces the abbreviation): (National Institute of Standards and Technology [NIST], 2025)
- Subsequent in‑text citations: (NIST, 2025)
- Citation referencing a specific section: (NIST, 2025, Section 4.3)
- Narrative citation: The National Institute of Standards and Technology (NIST, 2025) defines three Identity Assurance Levels for identity proofing.
When citing multiple volumes of SP 800‑63 in the same paper, distinguish them in the reference list by their subtitles and publication numbers. In‑text, you can use letter suffixes in the year if needed for clarity (e.g., NIST, 2025a for the A volume and NIST, 2025b for the B volume).
References
- National Institute of Standards and Technology. (2025a). Digital identity guidelines: Identity proofing and enrollment (NIST Special Publication 800‑63A‑4). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800‑63a‑4
- National Institute of Standards and Technology. (2025b). Digital identity guidelines: Authentication and authenticator management (NIST Special Publication 800‑63B‑4). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800‑63b‑4
- National Institute of Standards and Technology. (2025c). Digital identity guidelines (NIST Special Publication 800‑63‑4). U.S. Department of Commerce. https://pages.nist.gov/800‑63‑4/