Recommend ID document verification in accord with SP800-63A IAL3

[wszwerc]

All Fields Are Required

Organization Name (N/A, if individual): DHS

Organization Type (see below for codes): 1 - Federal

Reference (Include section/paragraph or pdf line number): Line 880-885

Comment (Include rationale for comment): "If the biometric verification decision is negative, or if no biometric data records are available, the cardholder SHALL provide two identity source documents (as specified in Section 2.7), and an attending operator SHALL inspect these and compare the cardholder with the electronic facial image retrieved from the enrollment data record and the photograph printed on the new PIV Card."

Suggested Change: §2.7 requirements, those of 842-845, and here, should line up. Recommend ID document verification in accord with SP800-63A IAL3, not just specifying the document types to use.

---

Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other

[hferraio]

This comment serves as representative of issue #402, #405, #396.

All comments " Recommend ID document verification in accord with SP800-63A IAL3, not just specifying the document types to use." Note while it is the same comment, they refer to different sections of the document. Issue #402 also suggest to use OCC language in line 1014-1015.

Suggest to

• discuss if we want to point to -63 for id verification mechanism. The PIV process is a profile of 800-63A so it does not make sense to point to 63 for id verification. Also, these steps have already been done as part of ID proofing and repeating them here is might be too much for D/A.
• accept in principal wrt language alignment as there are small differences in wording when it comes to comparing facial image to new Card or enrollment record or both? Note there is sometimes one ID document requests vs. 2. The reason for just one is that the PIV card that is brought in by cardholder counts as one as well.
• Decline using OCC, as the language in question is about cases where biometrics/fingerprints are not usable and manual process has to be used.

[regenscheid]

To align these sections, we will add "electronic facial image retrieved from the enrollment data record" to the bullets in 2.8.

Note that facial recognition algorithms could be considered a biometric comparison.

[gfiumara]

@regenscheid's comment may be reflected in PR #639, but this PR does nothing regarding 800-63 IAL3 for document review.