Verification of identity?


Part 11 requires verification of identity. How is this being done in
distributed applications (for example at a clinical site when the
application is ‘owned’ by the sponsor, not the clinical site)?

The impression I have always had of this is that it has to be a
procedure. You have to verify the identity of a user before you give
them a userid and password. How you do this is probably going to vary
from place to place, maybe a picture id of some sort that is recognized
by the general public?

Isn’t it adding more unnecessary work? I mean, if there is an employee on the
company with company provided ID, and the supervisor, or manager signs a formal
access request (hand delivered by the requestor), doesn’t that qualify as ID
verification? Also, if the system validates against active directory, that
means the person requesting the access is a user in the LAN which makes him/her
already verified. Adding more verification to something alredy verified seems
to me that is duplicating efforts. My 2 cents.