End of life for fed’s four levels of assurance?
Kill them? Revise them? Industry ponders options
05 January, 2015
category: Corporate, Digital ID, Financial, Government, Health
The request will be released before the end of 2014. “Hopefully we can use this to accelerate and catalyze the market to create a public, open standard that we adopt instead of different markets, including the U.S. government, having their own types of standards,” Grassi adds.
The biggest knock against the four levels, as outlined in 800-63, is that they don’t scale to other industries. Finding authentication and risk management that works across all industries is the dream but is it possible?
Andrew Nash, now CEO at identity alerting company Confyrm, previously ran consumer identity at PayPal and uses that company as an example. The company was driving billions of dollars in transactions and had to meet federally mandated “Know Your Customer” regulations that required assurance level three. But since only usernames and passwords were used for login – a level one authentication – the assurance actually attained was pulled down to that of the weaker authentication technique.
“They don’t match how businesses run,” says Nash. “There’s a disconnect between the real world and how government works.”
Creating a system that would compare authentication modalities and correlate them with risk assurance could help solve this problem, says Glazer. For example, user names and passwords alone would be ranked low but using an OTP with some risk-based system running in the background checking the device and IP address would receive a higher score. “There’s no cookbook where it says I need these modalities and it gives me this score,” he adds.
Glazer would like to see NIST, or another group, do lab testing on the different authentication modalities when deployed according to best practices. “It would be great to have a rough estimation of the relative strength of modalities and how they work,” he adds.
Level 2.5
Flexibility is something the four levels are lacking. For example, from almost the moment the four levels were released, people were clamoring for level 2.5. “It’s where you need to know who a consumer is but it’s not sensitive enough to where they’re going to drain a bank account,” says Mary Ruddy, research director at the Gartner Group.
When discussing how to change the levels of assurance and authentication, two ideas frequently arise: step-up authentication and a modular/vector based system, which often go hand in hand.
Ruddy favors a step-up authentication system, wherein a consumer would use an existing account, such as Facebook, Google or Twitter. If the user wanted to access a bank account or other secure site there would be a mechanism to step up the authentication, answering some out-of-wallet questions or maybe an OTP to a mobile device.
Identity vetting and issuing credentials can be an expensive proposition, but if consumers can use credentials they already have and step up the authentication it can make a system more usable. “The big challenge is getting credentials out there that are interoperable and reusable,” Ruddy says.
The technology exists to have a higher level of assurance in customers with little to no effort from the customers themselves. Depending on what level of assurance a company wants to have it could be something as simple as sending an email to validate a pre-registered address or as complicated as an OTP, geo-location or device recognition, Ruddy says. “There’s a lot of innovation in mobile phone authentication,” she adds.
This also goes along with a vector-based authentication. If a user has a Facebook login, and is accessing it from a typical device and IP address, those vectors point to him being who he claims, so less of a step-up authentication would be required. “Someday it will all be under the hood and invisible to the user,” says Kantara’s Brennan.
The Kantara Initiative is talking about vector of trust, Brennan says. The group is looking at a framework that would be put together in a modular way to enable different levels of trust. “We’re trying to address as many communities as possible in order to avoid having multiple discussions in multiple places,” she says.
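To make the scoring idea concrete, here is an added illustration (not code from the article, from Kantara, or from NIST) of how a relying party could combine a modality score with background device and IP checks, cap the result at the identity-vetting level as in the PayPal case above, and decide how much step-up is needed. The modality ranks and the risk bonus are constructed assumptions, not values from any standard.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed relative strengths of authentication modalities (1 = weakest).
# Illustrative ranks only; NIST 800-63 assigns no such numbers.
MODALITY_STRENGTH = {
    "password": 1,
    "email_link": 2,      # validate a pre-registered email address
    "otp_device": 3,      # one-time password sent to a mobile device
    "hardware_token": 4,
}

@dataclass
class Session:
    proofing_level: int                      # how thoroughly the identity was vetted (1..4)
    modalities: List[str] = field(default_factory=list)  # authenticators completed so far
    known_device: bool = False               # device recognition signal
    typical_ip: bool = False                 # login from the user's usual IP / geo-location

def authentication_strength(modalities: List[str]) -> int:
    """Strength of the strongest modality completed so far (0 if none)."""
    return max((MODALITY_STRENGTH[m] for m in modalities), default=0)

def risk_bonus(session: Session) -> int:
    """Background risk check: a familiar device and IP together add one point."""
    return 1 if (session.known_device and session.typical_ip) else 0

def effective_assurance(session: Session) -> int:
    """Assurance is capped by the weaker of vetting and login: KYC vetting at
    level three is dragged down to level one when the login is password-only."""
    return min(session.proofing_level,
               authentication_strength(session.modalities) + risk_bonus(session))

def step_up_needed(session: Session, required: int) -> Optional[str]:
    """Return the weakest extra modality that reaches `required`, "" if no
    step-up is needed, or None if vetting is too weak for any authenticator to help."""
    if effective_assurance(session) >= required:
        return ""
    if session.proofing_level < required:
        return None
    for name, strength in sorted(MODALITY_STRENGTH.items(), key=lambda kv: kv[1]):
        if name in session.modalities:
            continue
        if strength + risk_bonus(session) >= required:
            return name
    return None
```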
But who pays for this extra authentication? Nash says it should be the relying parties because they are the ones who get something out of it. The identity providers don’t realize any benefit from having assurance behind the identity while the relying parties do, he explains.
This has been a fundamental flaw with the original four levels. In order to be certified to issue credentials that meet level three, an identity provider has to spend hundreds of thousands of dollars and that’s just for certification not issuing credentials, Nash says. The business model was set up to fail.