Comments:

  1. IAL1 will involve proofing.  There will be more guidance to agencies about how to assign the right IAL. My comment:  My guess is IAL1 will be checking documents only.  No face.  IAL2 will be IAL1 plus face.  IAL3 is in-person.  Here is also another item I see of importance: a new Digital Identity Risk Assessment will need to be performed to determine what IAL to be at based on the new guidance NIST will provide in revision 4.  Here’s where it gets messy.  The credential service provider or identity provider must include as a passed attribute not only the IAL that person was identity proofed at but also what revision of 800-63 was used for that identity proofing process!  I hope there’s some guidance here…it’s going to be messy for a while….

  2. Agencies are going to need to demonstrate that they have addressed “equity considerations” in selection or use of any technology. (I don’t think it will be as formal as a Privacy Impact Assessment but it will be in that direction.) My comment: I think a PIA is worthwhile doing.

  3. There is going to be guidance on data handling and retention for “subscriber accounts” (i.e., ID.me/login.gov)

  4. They are making accommodations for “credible sources” vs. issuing/authoritative sources.  These can be things that can be cross-checked for consistency. (Comment from my friend: I see this strongly favoring data brokers, but it’s not clear to me what strength of evidence will be put on “credible sources”.)  My comment:  I think this is to data brokers such as LexisNexis and Socure.  I don’t know if a “credible source” will include AAMVA.  Also unsure if this will cover checking credit headers vice going direct to the credit bureaus.

  5. They put a challenge out to industry that “show us something that performs as well as biometrics and we’ll consider moving off of them…but there will be a very high bar.” Comment from my friend: What that tells me is that they haven’t seen anything that can replace biometrics yet and they want to be able to go back to the White House and say “See…we asked, and no one in industry can do it.”