End of life for fed’s four levels of assurance?
Kill them? Revise them? Industry ponders options
05 January, 2015
What’s going to happen?
“My guess is we’re going to move toward three levels because level one doesn’t require any effort,” says Safe-BioPharma’s Alterman. The International Standards Organization and the Europeans are starting to align around three instead of four levels.
These three levels will serve as a baseline with the ability to add specific risk-based factors. “Banks, credit card companies and hospitals might do their own thing but their efforts will be able to align with the baseline,” Alterman explains.
It has been eleven years since the four levels made an appearance within the U.S. federal government, and change is on the horizon. The results will most likely be assurance levels that aren’t as coarse and are able to accommodate a range of industries and authentication mechanisms that will hopefully afford consumers the ability to reuse identities across relying parties.
SP 800-63 and the four levels of assurance
In Special Publication 800-63 NIST gives guidance for identity assurance and the authentication technologies that meet each of the four levels it establishes in the document.
Level One: A level one identity has little or no confidence in the asserted identity. This typically self-asserted identity is used for low value online transactions and relies on usernames and passwords as the authentication mechanism.
Level Two: A level two identity has some confidence that the asserted identity is accurate and is used frequently for self-service applications. Proofing requirements are introduced that require presentation of identifying materials or information. A range of authentication technologies can be employed at level two, including single-factor authentication, pre-registered knowledge tokens, out-of-band tokens and one-time password devices.
Level Three: Level three identities have high confidence in the asserted identity’s accuracy and are used to access restricted data. At least two authentication factors are required including software-based cryptographic tokens.
Level Four: A level four identity has a very high level of confidence in the asserted identity’s accuracy and is used to access highly restricted data. Level four is intended to provide the highest practical remote authentication assurance and is based on possession of a cryptographic key. At this level, in-person identity proofing is required. Level four is similar to level three except that only hardware-based cryptographic tokens are allowed. The PIV is a level four credential.
Sidebar: InCommon’s Assurance Program
InCommon has launched an assurance program for higher education that offers two levels: bronze and silver.
The bronze level is comparable to NIST Level of Assurance One and provides reasonable assurance that a particular credential represents the same person each time it is used. Bronze offers roughly the same confidence as a common Internet identity.
Silver is the equivalent to NIST Level of Assurance Two. It has identity-proofing requirements that provide reasonable assurance of individual identity. Silver provides a security level roughly appropriate for basic financial transactions.
While InCommon’s profiles are based on the four levels of identity assurance from NIST’s SP 800-63, they are tailored for the higher education audience. Virginia Tech is using the InCommon program for some employees and issues 64K USB keys with X.509 digital certificates.
The university is using bronze and silver assurance profiles to access external services that require those levels and Virginia Tech services also have the option to require bronze or silver from local users.
A few Virginia Tech research faculty members have already federated, and the Office of Sponsored Programs anticipates further use for grant submissions.
Virginia Tech hopes that financial aid officers will be able to use their silver credentials to access services offered by the Department of Education and National Student Clearinghouse.
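The practical consequence of the four-level model described above, and of the InCommon bronze/silver mapping in the sidebar, is that a credential's assurance is bounded by the weaker of its identity proofing and its authentication mechanism: a hardware cryptographic token issued to a self-asserted identity is still only level one. The following is an added illustration, not code from the article, NIST or InCommon; the credential fields, the cap values (in particular treating documented-but-not-in-person proofing as sufficient up to level three) and the relying-party check are assumptions made for the example.

```python
from dataclasses import dataclass

# Highest LoA each identity-proofing strength can support (assumed caps).
PROOFING_CAP = {
    "self_asserted": 1,  # Level 1: no proofing at all
    "documented": 3,     # Levels 2-3: identifying materials presented (assumed cap)
    "in_person": 4,      # Level 4: in-person proofing is mandatory
}

# Highest LoA each token type can support (from the level descriptions).
TOKEN_CAP = {
    "password": 2,         # usernames/passwords; single-factor at Level 2
    "otp_device": 2,       # one-time password device, a Level 2 mechanism
    "out_of_band": 2,      # out-of-band token, a Level 2 mechanism
    "software_crypto": 3,  # software-based cryptographic token (Level 3)
    "hardware_crypto": 4,  # hardware-based cryptographic token only (Level 4, e.g. PIV)
}

# InCommon profile names mapped onto the NIST levels named in the sidebar.
INCOMMON_TO_LOA = {"bronze": 1, "silver": 2}


@dataclass(frozen=True)
class Credential:
    proofing: str   # key of PROOFING_CAP
    token: str      # key of TOKEN_CAP
    factors: int    # number of distinct authentication factors presented


def assurance_level(cred: Credential) -> int:
    """Highest SP 800-63 level the credential satisfies."""
    auth = TOKEN_CAP[cred.token]
    # Levels 3 and 4 require at least two factors; a lone cryptographic
    # token is treated here as no better than a Level 2 single-factor mechanism.
    if auth >= 3 and cred.factors < 2:
        auth = 2
    # Assurance is bounded by the weaker of proofing and authentication.
    return min(PROOFING_CAP[cred.proofing], auth)


def satisfies(cred: Credential, required: int) -> bool:
    """Relying-party check: does the credential meet the required level?"""
    return assurance_level(cred) >= required


def satisfies_incommon(cred: Credential, profile: str) -> bool:
    """Same check expressed against an InCommon bronze/silver requirement."""
    return satisfies(cred, INCOMMON_TO_LOA[profile])
```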