Skip to main content
  • DEPT OR DIVISION: ITS Information Security and Identity Management
  • CHANGE MANAGER:  Jackie Treschl
  • Project Theme: Serving Our Communities

The National Institutes of Health (NIH) is requiring stronger proof that a person logging into their system is who they say they are. Starting in September 2021 multifactor authentication will be required when logging in to their system, and by December 2022, appropriate levels of identity assurance will also be required.

The National Institute of Health (NIH) is increasing security for their systems. The University met the first of their requirements last September, when the NIH began requiring multi-factor authentication for those logging in to their systems. For the next phase, the NIH will require identity assurance, which means stronger proof that a person is who they say they are.

The NIH uses the criteria defined in the REFEDS Assurance Framework to define levels of assurance. REFEDS, which stands for “Research and Education FEDerations,” is an organization that represents the requirements of research and education related to access and identity management.

REFEDS defines four levels of identity proofing assurance: low, medium, high, and “enterprise equivalency.”  Each level answers the question, “How well does your identity proofing process let you be sure that the person is actually who they claim to be?”

Project Phases

  • September 2021: Multifactor Authentication
  • June 30, 2022: Local Enterprise Equivalency
  • December 31, 2022: Low, Medium, High Level of Assurance

Identity Assurance Key Points 

Visit the New NIH – Identity Requirements for Identity Assurance website to learn more about phase requirements, next steps and links to resources.

NIH: New Requirements for logins – September 2021


Project Website for New NIH Requirements for Identity Assurance