IA-12(5): Address Confirmation
Control is new to this version of the control set.
Require that a [Assignment: registration code, notice of proofing] be delivered through an out-of-band channel to verify the users address (physical or digital) of record.
To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.