Verifying Identity and LOA

Before you provide any service to your users, you must properly verify their identity. Below are two methods.

Face-to-Face Requirements

The UC Trust policy states: "A government or University issued ID with a picture must be presented to and verified by an officer of the credential provider as belonging to the registrant."

Simply put, you must look at a user’s Federal or State-issued photo ID, such as a driver's license, to confirm the user’s identity in person before giving that person information from their record or performing a deputy action. Doing so ensures that UC Berkeley complies with UC Trust standards.

So please remember: NEVER perform a deputy action or provide account information to a user before you have verified the user's identity! The best way to verify a user’s identity is to check the federal or state-issued ID in person.

Remote Identification Requirements

The UC Trust federation has specific guidelines for establishing "face-to-face" level of assurance when a user cannot be physically present.

If you do not have access to any campus systems that hold identity data, you cannot verify that the information a user provides is correct, and you therefore cannot verify identity remotely. In this case, you may only verify identity in person via a photo ID (see above).

  • Ask your user for at least two identifying attributes that belong only to them. The attributes should be relatively accessible to your user, but not to others. Here are commonly used identifying attributes:

    • Employee ID number

    • Student ID

    • Day and month of birth

    • Full name

  • Confirm one additional identifier that is contained in official University records, and is not easily available to others. Here are some examples of acceptable identifiers:

    • Email address

    • Phone number

    • Postal address

Identity Federations

UC Berkeley is a member of two identity federations: InCommon and UCTrust. InCommon is the largest federation of higher education institutions in the United States. UCTrust is a federation for the UC system that is managed through the UC Office of the President (UCOP).

To belong to the InCommon and UCTrust federations, UC Berkeley has to comply with very high standards, including requirements for how user identity is verified, how authentication credentials are asserted, and how credentials are handled by service providers.

Identity federations consist of "identity providers" (such as CalNet) and "service providers" (such as bConnected or CalTime). Service providers trust the identity information provided by CalNet, and CalNet must trust that service providers adequately protect that information.

Shibboleth is the software used by InCommon and UCTrust to manage the communication between CalNet and service providers, including authentication requests.
