1.1 Overview
1. The purpose of this Credentialing Practice Statement (CrPS) is to describe the operational framework, relevant policies, and identity proofing and management processes for CLEAR's High Assurance Enrollment and Verification (CLEAR Verified) service, in order to demonstrate that these services meet AAL2 and IAL2 requirements.
2. High Assurance Mobile Enrollment is an Unsupervisedenrollment. Enrollment in this service can be completed by using the CLEAR native mobile app on Android and iOS or the mobile web enrollment flow. The High Assurance Mobile Enrollment service is distinct from the CLEAR+ paid service that CLEAR offers in airports and elsewhere, as well as CLEAR’s other mobile identity proofing options, such as CLEAR's Health Pass COVID screening service.
3. CLEAR's High Assurance Mobile Enrollment provides CLEAR’s partners in the healthcare, travel, sports, and other industries confidence in user identity information to enable frictionless experiences for a variety of use cases.
1.2.1 CLEAR Member
CLEAR members at the High Assurance Mobile Enrollment level can participate in use cases that require an increased level of assurance, such as health care onboarding, aviation use cases as well as other CLEAR use cases at lower required assurance levels, such as car rental and digital onboarding.
1.2.2 CLEAR Partner
CLEAR’s partners are vendors, venues, and businesses that work with CLEAR to create frictionless identity verification experiences for CLEAR members. Partners rely on CLEAR’s High Assurance Mobile Enrollment identity proofing and verification processes so as to have increased confidence in the information they receive from users.
1.3.1 Organization administering the document
Secure Identity, LLC
85 10th Ave; 10th Floor
New York, NY 10011
1.3.2 CrPS approval
The CrPS is reviewed annually by CLEAR’s product team, information security, and Technology to confirm changes are adequately reflected. Once reviews and updates have been addressed, the CrPS is approved by the CLEAR Chief Technical Officer (CTO).
1.3.3 Jurisdictions
CLEAR operates in the United States, Canada, and Mexico. Our AL2 flows are only operable in the United States.
CLEAR shall publish its CrP/CrPS regarding the CLEAR Verify service, as well as other terms of service as may be required to fully advise all necessary and appropriate parties, in its Terms of Use, Member Terms and Privacy Policy. These publications shall be maintained such that they always reflect the service as it is operated at any given time.
CLEAR shall maintain an internal repository of information relating to individual credentials, their statuses and a member’s characteristic attributes and eligibilities as necessary to provide the High Assurance Mobile Enrollment service and comply with applicable obligations, including legislative and policy obligations and obligations arising under CLEAR's Terms of Use, Member Terms and Privacy Policy.
CLEAR’s Member Terms and Privacy Policy govern the circumstances under which member data may be shared.
3.1 Overview
1. CLEAR High Assurance Mobile Enrollment is a remote Unsupervised (unwitnessed) enrollment
2. Multi-factor authentication is needed to prove the CLEAR member’s identity for the purposes of a partner transaction, as outlined in section 3.3
CLEAR’s Privacy Policy and Member Terms are invoked by this document.
3.2.1 Enrollment
Users enroll for the CLEAR High Assurance Mobile Enrollment using a web flow via a mobile browser.
3.2.2 Account Creation
3.2.2.1 CLEAR Verified Availability
The CLEAR Verified service has a goal availability SLA of at least 99%.
3.2.3 Identity Proofing and Verification
3.2.3.1 Minors
CLEAR’s High Assurance Mobile Enrollment is available only to users that are 18+ years old, any other users will be blocked from enrolling via this service.
3.2.3.2 Minimum Collection of PII
Information collected in CLEAR’s identity proofing process is the minimum required to complete CLEAR’s identity checks for the High Assurance Mobile Enrollment service. This information may include:
Member information is retained until the member requests a purge of their data (or as required by applicable law), as are the results of the validation checks on the information described below.
3.2.3.3 Evidence Collected from User
CLEAR establishes user identity for the High Assurance Mobile Enrollment using the following pieces of evidence:
The government-issued ID is confirmed to be genuine by using third party vendor software to evaluate its authenticity, check for security features, review for signs of tampering, and confirm that it is unexpired.
Government-issued IDs that CLEAR accepts for High Assurance Enrollments are:
In the case of applicable ePassports, an additional check of the contactless chip via NFC may be performed further confirming document authenticity and corroborating the biographics.
A biometric check is performed to compare the user's image on the ID document with a high-quality biometric face capture the applicant provides using their mobile device. The mobile flow will permit 10 capture attempts of the face. If the 10th capture fails for any reason, the flow will impose a 30 second wait before the next attempt or will give the user the option to quit the enrollment and restart later when conditions improve.
The face comparison to the document is performed primarily by a face match algorithm that CLEAR hosts, and operates with an FMR better than 1 in 10,000.
A liveness check confirms that the applicant enrolling is physically present. The liveness check is certified to PAD level 2 attack protection in accordance with ISO/IEC 30107-3.
The applicant’s name, DOB and physical address are extracted from their ID document. In cases where the address is not available on the government-issued ID (e.g. passport), the applicant address will be requested of the user via a form for input and confirmation. The data from the document, plus the address, is validated using biographic data corroboration.
Document Corroboration by Type
Passports: Extracted biographic data is checked against consumer records databases as an authoritative source.
Drivers Licenses and State IDs: Extracted biographic data is checked against Department of Motor Vehicle (DMV) records as an issuing source or credit bureaus as an authoritative source.
Phone number corroboration is used to check the applicant’s information against customer records from mobile phone carriers and consumer reporting agencies to provide additional proof of validity of the information.
All of these checks must confirm the veracity of the information for the enrollment to be successfully completed.
CLEAR retains logs with unique identifiers for each of these pieces of evidence received back from the biographic data and phone number corroboration processes that include all details related to the attempted enrollment for the High Assurance Mobile Enrollment service.
3.2.3.4 Enrollment Code Address of Record
CLEAR uses the applicant's phone number as their address of record for submitting their enrollment code. First, applicants receive a text message with a 6 character alphanumeric enrollment code that they must present in the CLEAR app to continue their enrollment for the High Assurance Mobile Enrollment service. This enrollment code is valid for up to 10 minutes when sent to a telephone number of record via SMS. The enrollment codes are not reusable after the first use nor after expiry.
This phone number is confirmed to belong to the applicant using phone number corroboration, as described above. This validation assures that the applicant whose identity document has been supplied owns the phone number that was submitted to receive the code. This is done by matching against phone subscriber records and consumer reporting agency data. If discovered records do not match the information the applicant has submitted, this check will fail and they will be unable to successfully enroll at the High Assurance Mobile Enrollment level of assurance.
3.2.3.5 Additional security details
All PII collected as part of the enrollment process including information from validation and verification sources are protected with safeguards that comply with NIST 800-53 moderate and high baselines.
This is to ensure the integrity of the enrollment process for the High Assurance Mobile Enrollment service.
CLEAR communicates with the mobile devices being used for enrollment only via SSL/HTTPS. The mobile device utilizes certificate pinning when connecting to the verifier to eliminate any possible man-in-the-middle or spoofing attacks.
Member authentication details and member data are transmitted only to vendors or partners through secured, authenticated means (TLS), from CLEAR's back end systems to the partner’s backend systems.
3.2.3.6 Errors and redress
CLEAR provides a direct means to contact customer service in-line as part of the enrollment flow for applicants who have problems with identity proofing. When an applicant cannot successfully validate their identity at the High Assurance Mobile Enrollment level of assurance, they are given the option to contact CLEAR customer service for help directly via the text channel using their mobile device. The text channel has lowest average response times of all CLEAR support channels (nearly real-time).
CLEAR customer service agents can help applicants navigate the enrollment process upon their re-attempt, and offer tips on how to address common issues (e.g, how to take a suitable photo of their document, or take an acceptable "selfie").
Customer service records applicant feedback and pain points to be shared with CLEAR's product team for ongoing product quality improvements.
Applicants can also contact CLEAR customer service via a variety of other channels for assistance. CLEAR customer service support is available Monday - Sunday from 8:00 am - 9:00 pm ET. CLEAR aims to handle all requests in a timely manner through the different mediums that we support including phone and email. Our SLAs are:
Full information can be found by going to CLEAR Support & FAQs.
3.2.3.7 Quality Management
CLEAR's product team and customer service leadership meet monthly to review feedback received from applicants and members about the mobile identity proofing experience. This process is aimed at creating the smoothest experience for our users, while ensuring the integrity of the identity proofing process.
In addition, regular reporting on enrollment pass rates helps identify areas for improvement and underlying issues, which are monitored on a continuous basis.
CLEAR is working towards a long-term goal of minimizing applicants being incorrectly rejected in identity proofing, and numerous efforts are underway to support this effort, including continued evaluation of authoritative sources, face match algorithms and document validation providers.
3.2.3.8 Notification of proofing
Notification that the user has started the enrollment for a High Assurance Mobile Enrollment is delivered by email once a profile has been created.
3.2.3.9 Ceasing Identity Verification
In the event CLEAR ceases to conduct identity proofing and enrollment processes for the High Assurance Enrollment service, CLEAR will fully dispose of or destroy any sensitive data including PII, or protect such data from unauthorized access for the duration of retention.
3.2.4 Credential Activation
CLEAR’s High Assurance Enrollment services become available for use when:
3.2.5 Credential ‘Step-up’
3.2.6 Credential Re-issuance and Renewal
CLEAR members can change their password by logging into CLEAR’s account portal (my.clearme.com) selecting the password reset and then selecting a new password that meets the requirements outlined in 3.2.2.
Password resets can be requested by members following the methods described in 4.4.4
3.2.7 Registration Records
3.2.7.1 Successful enrollments
For successful enrollments, a copy of the member’s ID document may be retained, and the full responses from validation vendors are also retained unless a purge is requested by the member. Authorized stakeholders from business, customer service, and product management are able to review the outcome of each identity validation step and the final identity proofing result (i.e. assurance level achieved) in CLEAR's business intelligence tool.
3.2.7.2 Unsuccessful IAL-2 enrollment attempts
Users who successfully create a profile (provide basic contact info and accept Member Terms) but fail to pass all the checks to create an IAL-2 level of assurance are retained by the CLEAR system. These enrollments are not eligible for workflows that require IAL-2 assurance. However, these users can opt to use other CLEAR workflows, attempt to “step up” their enrollment (see 3.2.5 above) or request a purge.
3.3.1 End User Authentication
CLEAR shall only authenticate a user at the specified authentication assurance level requested by the Partner.
For members who have enrolled on a mobile device that they are using to authenticate, the member will navigate the desired workflow and authenticate via password and SMS OTP.
For the OTP step, members have up to 10 minutes to enter the active OTP code before it times out and the member has to request a new code. Issued OTP codes can only be used once by the user. CLEAR allows a maximum of 100 attempts to be authenticated before the user’s account is locked.
For members who authenticate on a handset different from that on which they enrolled, or who are authenticating after their authorization token has expired, the member will need to re-enroll.
With regards to Partner (Relying Party) configurations, CLEAR’s Solution Engineers record the following as part of the implementation process:
Assurance level for Identity Proofing
Assurance level for Authentication
Authentication Factors
3.3.1.1 Authenticator Binding
CLEAR binds authenticators to a user’s account upon a successful proofing event. Authenticators are provided by the user and CLEAR does not issue any authenticators.CLEAR supports memorized secrets via passwords (something you know) and mobile devices (something you have). For the latter, we use OTPs (One-Time-Passcodes) on mobile devices as methods of authentication. In the event that a user has a new authenticator device or would like to change the memorized secret after having been proofed at IAL2, the user will have to re-proof themselves at the level of IAL2 to add the new authenticator.
3.3.2 Consent for data sharing in connection with specific transactions
Members who have successfully proofed in the AL2 flows may be asked to share biographic and other personal information with partners to facilitate the transaction at issue. Any such information sharing must comply with CLEAR’s Privacy Policy and Member Terms, and the member may be presented with an in-time consent related to the specific transaction prior to any data sharing. Member consents regarding data sharing are recorded in CLEAR’s systems in a manner that complies with applicable laws.
Members are only asked to consent to sharing biographic or personal information with Partners after they have been successfully identity proofed. CLEAR does not exercise any additional logic to determine suitability for services or benefits once an identity proofing transaction has been performed.
3.3.3 Protection
Member authentication details and member data are transmitted to partners only through secured, authenticated means (TLS), from CLEAR’s backend systems to the partner’s backend systems.
CLEAR maintains administrative, technical and physical safeguards to protect personal information against accidental, unlawful or unauthorized: destruction, alteration, access, disclosure or use. To safeguard certain sensitive information (such as biometric data and government-issued identification information), CLEAR implements security measures such as encryption, firewalls, and intrusion detection and prevention systems. Our customer service call centers do not have access to biometric data.
Examples of our security measures we use to safeguard personal information include:
Data is disposed of and destroyed using methods in accordance with the NIST-800-88 guidelines for data disposal. This includes ensuring secure deletion or destruction of PII including originals, copies, and archived records from all of CLEAR’s databases.
3.3.3.1 Retention of User Data
CLEAR will retain a user’s data including authentication data and the PII listed in Section 3.2.3.2 for the duration of the contract that CLEAR has with the Partner that the user has consented to share their data with, or until the user has requested a purge of their data. For instructions on how to purge data, please refer to section 4.4.5.1.1 Revocation by Member.
In accordance with our retention policy, CLEAR maintains records on authenticators that have been associated with an account and the maintenance performed on the authenticators including the time at which authenticators were added or updated.
3.3.4 Authentication Request Lifetime
Authentication requests will fail if the user does not successfully authenticate within 30 minutes of the start of the transaction. Users who exceed this request lifetime will need to re-authenticate.
3.3.5 Single Use
Each authentication applies only to a specific transaction and is not reusable.
3.3.6 Reliability
If there is a system failure in any part of CLEAR’s systems facilitating the High Assurance Mobile Enrollment service, CLEAR will not authenticate the user and will instead report an error to the partner requesting authentication.
3.3.7 Re-Authentication
Users are required to re-authenticate each time they complete a transaction with a partner to confirm their identity or transfer user data.
3.3.8 Loss of Authenticators
If a User has lost all authenticators needed to access their account, the User may contact CLEAR’s support and request a purge of their account. The User will need to create a new account and re-verify themselves at the IAL2 level of assurance to establish a new identity with CLEAR.
As per our Terms of Use, it is the responsibility of the user to inform CLEAR in the event that any authenticator including password and mobile device has been compromised, lost, or stolen.
3.3.8.1 Compromised Passwords
If CLEAR has evidence that a user’s password has been compromised, CLEAR will require the user to update their password that conforms with CLEAR’s requirements for passwords.
4.1 Credential Validity Period
CLEAR Members’ High Assurance In-Person Enrollments will have the following periods of validity:
CLEAR Members’ High Assurance Mobile Enrollments will have the following periods of validity:
4.2 Authentication Process
CLEAR members are authenticated on behalf of partners for High Assurance use cases using the process described in 3.3.1
4.3 Credential Status Availability
If a CLEAR member’s account is no longer valid, it becomes unusable immediately for partner or CLEAR transactions.
4.4.1 Credential Activation/Re-Activation
CLEAR High Assurance members are considered active unless they cancel their membership and request to purge their data from CLEAR systems, or their account is revoked by CLEAR, or suspended in anticipation of re-signing terms every 5 years.
4.4.2 Failed Authentication
Members who are unable to authenticate will receive an error message with a call to action to contact customer support.
4.4.3 Modify Account Information
4.4.3.1 Email or phone number
Members may modify the email or phone number associated with their account by logging into their CLEAR account portal online via my.clearme.com using their username and password. They may also do so by contacting CLEAR customer service, and confirming their identity with at least three pieces of their personal information.
4.4.3.2 Name, DOB or address
Members must provide a new identity document in order to update their name or address information. This can be done via CLEAR mobile via document collection process which is also used in the mobile enrollment itself. This can also be provided at CLEAR’s airport kiosks, where the document is validated using vendor software, and the process is overseen by a trained, SIDA-badged and background-checked CLEAR employee. Any changes to these document-sourced biographics will trigger new checks as these Members use workflows that require IAL-2 assurance.
4.3.3.3 Password
CLEAR members can change their password by logging into CLEAR’s account portal (my.clearme.com) and resetting password before selecting a new password that meets the requirements outlined in 3.2.2.
4.4.4 Password Reset
4.4.5 Revocation
If a CLEAR member or a user who has applied for a CLEAR membership desires to terminate their membership or have CLEAR remove their information, they may request that we remove the personal information that CLEAR maintains about them.
4.4.5.1 Circumstances for Revocation
4.4.5.1.1 Revocation by Member
A CLEAR member can request a purge of their CLEAR account, including all PII and biometric data, by contacting CLEAR’s customer service team, who will verify ownership of the account by confirming their personal information. The user can take one of the following steps:
CLEAR
Attention: Chief Privacy Officer
85 10th Avenue, 9th Floor
New York, New York 10011
Our Member Services team can delete member data individually or en masse from our data repositories with explicit approval from our Compliance and Privacy teams. Member data is purged from our accounts directory and all identity evidence is purged as well. Paying members of the CLEAR+ service will receive a refund for their services.
4.4.5.1.2 Revocation by CLEAR
CLEAR may revoke any credential in order to address instances of false representation, failure to comply with Member Terms, or for any other reason, at its sole discretion.
4.4.5.1.3 Revocation by Other Means
In the event of a user’s passing (death) or other legal concern around a user’s account, CLEAR Customer Support and CLEAR’s Legal Team shall handle any and all actions with regards to closing down the account.
4.4.5.2 Revocation Response Time
Once a revocation request is received and executed by CLEAR’s team, the user will immediately lose their ability to authenticate their identity and complete CLEAR transactions via the High Assurance Mobile Enrollment service.
4.4.5.3 Revocation Notification
Members receive a reference number to confirm the revocation of their CLEAR account and the purging of their personal data. This confirmation is provided by CLEAR customer service upon processing a member purge request, or within 24 hours where an account is revoked by CLEAR.
Partners (Registered Parties) can leverage the CLEAR Verified service after contracting has been completed between the Partner’s legal teams and CLEAR’s legal teams. CLEAR Verified Partners are paired with a dedicated Solutions Engineer and Account Management team to assist with the technical and operational implementation of the CLEAR Verified product in their organization.
To ensure early success for the Partner’s developers who are implementing the CLEAR Verified product, we have published our developer documentation that goes over fundamental set up and features of the product. The Developer Documentation can be found at: https://partner.clearme.com/docs.
5.1.1 Solutions Engineering
All CLEAR Verified partners have a dedicated Solutions Engineer to assist with the technical implementation of the CLEAR Verified SDK. Partner requests are logged in Salesforce to ensure implementation details are accurately recorded and transparent to the relevant CLEAR Verified internal team members.
CLEAR conducts activities to validate continuous compliance with NIST 800-53 and will annually conduct an audit for the effective provision of the High Assurance Mobile Enrollment service and High Assurance In-Person Enrollment .
The third party technology that CLEAR utilizes for audit management retains audit records for greater than 36 months. The safeguards to protect the security of the audit records management system are evaluated as part of CLEAR’s third-party risk management process and validated that these safeguards are in conformance with CLEAR’s information security policies and standards. The safeguards are evaluated as part of CLEAR’s controls for risk management to ensure that they are consistent with CLEAR’s internal policies and standards for securing confidential information.
Stipulations relating to fees, insurances, warranties, disclaimers, limitations of liability, indemnities, terms of supply, termination, confidentiality, privacy, notices, amendments, dispute resolution, governing law and other representation and legal matters are set forth in the CLEAR Terms of Use, Member Terms, Privacy Policy and other documents, all of which shall be brought explicitly to the member’s attention (see also §3.2.2).
The Comparable Alternative or ‘CompAlt’ is CLEAR’s alternative to presenting a second piece of FAIR evidence in IAL2 flows. The CompAlt will achieve this by a) confirming that the phone line itself does not present fraud risk, b) ensure that the document is live and c) confirm that the identity being presented does not show signs of excessive use.
This alternative aligns with the 800-53 Moderate controls for Identity Evidence and Identity Evidence Validation and Verification (e.g. 800-53 IA-12 (2) and (3)).
Further details about the Comparable Alternative including its componentry, alignment to the 800-53 Moderate controls, and risk assessment will be provided to CLEAR Partners upon request.
