09
March
2026

InCommon

From Ghost Students to Federal Requirements: Internet2 Helps the Community With Identity Proofing As We Sail Towards 2027

Subscribe for more like this

Share

By Kenneth Lewis - Communications Specialist

Estimated reading time: 5 minutes

Ask any chief information officer (CIO), and they’ll agree: if you can’t trust who’s logging into your institution’s systems, nothing else you secure really counts. And right now, that trust feels under more strain.

That’s why Internet2 and InCommon are bringing community-backed guidance, shared pathways, and hands-on support to help campuses strengthen identity proofing and identity assurance.

A person’s hand giving a thumbs-up, with a glowing teal fingerprint icon superimposed over the thumb

As fraud grows more frequent, research and education (R&E) is paying the price. From ghost students to sophisticated actors exploiting students’ inexperience at help desks, the problem has become both a headache and a significant financial burden. According to “Fighting Financial Aid Fraud in Higher Education,” a 2025 article in EDUCAUSE Review, fraud can cost institutions more than $100 million annually, with each incident averaging nearly $7,400.

Internet2’s fall 2025 identity proofing survey makes clear that of the fraud and security concerns occurring on college campuses, the three of utmost concern are federal research access, financial aid integrity, and credential issuance and recovery. Factor in the 2027 federal deadline to meet the new federal identity assurance requirements, and it makes for a busy 2026.  

The National Institutes of Health (NIH), the Department of Education, and other federal agencies are increasingly requiring institutions to increase the rigor of their identity proofing processes to access key data and services. A recent example is NIH requiring researchers to have verified identities by January 2027 to continue access to Controlled Access Data Repositories (CADRs).

When asked about the importance of identity proofing in lieu of the new federal requirements,  Ann West, senior director of Strategic Partnerships & Research at InCommon, says identity proofing is one of the most powerful strategies institutions have to mitigate fraud. 

“But it’s not an IT problem,” West stated. “It’s a business problem that touches admissions, HR, the registrar, financial aid, and research administration all at once.”

Ann West speaking at Technology Exchange 2025.

Multi-factor authentication (MFA) was once the golden practice, but even it is no longer enough. Its effectiveness depends on the strength of the identity being authenticated. Attackers know this, so they target enrollment, onboarding, and account recovery, posing as incoming students to obtain a “real” credential in the first place.

“Strengthening identity and security is fundamentally an institutional process challenge, and that’s what makes it both complicated and consequential,” West said. 

For many campuses, the hard part is not agreeing if identity proofing is needed. The truly hard part is figuring out where identity proofing actually happens across campuses, who owns those processes, where current security gaps lie, and turning loose practices into a robust approach that keeps faculty, staff, and student data safe. 

“Identity fraud in higher education is no longer an edge case. It’s a systemic risk that costs institutions hard dollars, compromises institutional brand, and undermines the integrity of research,” said West. 

Because it can seem like a major undertaking to implement identity proofing systems while juggling the day-to-day, Internet2 and InCommon are making it easier by providing resources and opportunities to meet you at any point of your identity proofing journey.

These resources will help you get aligned, get specific, and get moving by enabling you to:

  • Build a stronger understanding of identity proofing through key terminology, frameworks, NIH guidance, and community-shared resources.
  • Identify meaningful use cases on your campus and better understand the operational and financial implications of identity proofing.
  • Take practical steps through hands-on workshops, assessments, and an 8-week accelerator focused on creating a roadmap for identity proofing readiness.
  • Apply community-informed guidance to better support researchers, institutional systems, and long-term strategy.

“Acting now means campuses can build toward prevention rather than scrambling to meet a hard deadline while managing a breach or an audit,” West explained, speaking about this community-driven support offered through both InCommon and Internet2. 

West’s point underscores the challenge facing higher education: this is not simply about checking a box on a federal requirement by 2027. It’s about building a stronger, more coordinated approach to identity proofing that protects institutional operations, research, and trust before pressure turns into crisis.

Get Ahead of 2027

With 2027 approaching, institutions don’t have time to start from scratch or work in isolation. Explore the resources, guidance, and community support available now to assess your readiness and start building a smarter path toward compliance.

Learn More

FAQs

In case you missed the January 2026  IAM Online, “Making it Easier for Researchers: NIH’s use of InCommon for Controlled-Access Data,” here are three questions from our session to help shape your understanding of the NIH and federal compliance.

Q: Can campuses still use campus credentials for researcher access under the new NIH model?

A: Yes. NIH’s federation model now includes the InCommon Federation as an approved identity provider, meaning researchers can use their home institution as long as it meets the stronger assurance requirements.

Q: Does NIH offer any tools to help campuses check readiness?

A: Yes. NIH has developed a compliance check tool that campuses can use to verify their identity provider’s signaling the required proofing, MFA, and attribute release.

Q: What’s the difference between identity proofing and identity assurance?

A: Identity proofing is the process of verifying someone’s real-world identity (“Who are you really?”). Identity assurance is the confidence level resulting from that proofing. It tells relying parties how confident they are of that person’s identity. In other words, proofing is the work done to verify identities, and assurance is the score or level of confidence.

About the Author(s)

View Author Articles
Kenneth Lewis klewis@internet2.edu

Communications Specialist

Kenneth Lewis is a Communications Specialist at Internet2 with diverse experiences in educational contexts and environments. With a B.A. in English and an M.A. in Teaching, Kenneth's focus is increasing the engagement, relevancy, and retention of large, diverse audiences by creating copy and messaging that communicates the intrinsic and extrinsic value of programs, experiences, and educational products.