NIST has released the Public Draft of NIST SP 800-63-3, now called Digital Identity Guidelines, for public comment. Over the summer, the ‘public preview phase’ resulted in hundreds of comments, many of which were incorporated into this official draft. In the process to finalize the specification, this public comment period will run until the end or March 2017.
SP 800-63 is the doc that defined the four levels of identity assurance (LOA) — LOA 1, 2, 3 and 4 — as specified by OMB’s M-04-04, E-Authentication Guidance for Federal Agencies, way back in 2003.
A major goal of this new version of 800-63, its third iteration, is to fix the LOAs to make the concept more meaningful with modern identity processes for both government and the private sector.
Specifically, this new draft makes the following key changes:
It decoupled the LOAs into component parts, so that instead of a blanket number (e.g. LOA 3) an authentication initiative can be ranked as a one, two or three for one facet and a different level for another facet. In essence the new draft is breaking out the grading scheme into three sections:
- Enrollment and Identity Proofing (SP 800-63A)
- Authentication and Lifecycle Management (SP 800-63B)
- Federation and Assertions (SP 800-63C)
Under 800-63-3 as proposed, three scores would be given: Identity Assurance Level (IAL), Authentication Assurance Level (AAL) and Federation Assurance Level (FAL).
Identity Assurance Level (IAL):
- IAL1 – Self-asserted; no requirement to link the applicant to a specific real-life identity.
- IAL2 – Evidence supports the real-world existence of the claimed identity; either remote or physically-present identity proofing.
- IAL3 – Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representatives.
Authentication Assurance Level (AAL):
- AAL1 – Provides some assurance that the claimant controls the authenticator; requires at least single-factor authentication.
- AAL2 – Provides high confidence that the claimant controls authenticators; two different authentication factors are required; approved cryptographic techniques are required.
- AAL3 – Provides very high confidence that the claimant controls the authenticator; authentication based on proof of possession of a key through a cryptographic protocol; requires a “hard” cryptographic authenticator.
Federation Assurance Level (FAL):
- FAL1 – Allows for the subscriber to enable the RP to receive a bearer assertion.
- FAL2 – Adds the requirement that the assertion be encrypted such that the RP is the only party that can decrypt it.
- FAL3 – Requires the subscriber to present proof of possession of a cryptographic key referenced in the assertion in addition to the assertion artifact itself.
Key changes related to SP 800-63A:
- Overhauls allowable identity proofing processes
- Expands options for in-person proofing
- Revamps password guidance
- Removes insecure authenticators (aka OTP tokens)
- Expands allowable use of biometrics
- Adds new federation requirements and recommendations
- Removes cookies as an assertion type
Last summer, SecureIDNews reported that the revision was likely to take some significant steps to modernize the LOA process, and it appears these changes have made it into the final draft:
- Eliminates level two (LOA 2)
- Deprecates over the air one-time passcodes
- Defines acceptable use of knowledge-based verification
- Specifies acceptable password policies
- Ends visual-only document inspection for identity proofing at higher levels
Its time to get back to work, reading and commenting on this important document.