Yannick Rugamba says
In NIST SP 800-63-3 they discuss how identity assurance is divided into three categories: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). This gives organizations the flexibility to choose the right assurance level for each area based on their services' risk assessment, instead of being limited to a single LOA as in previous editions.
Eyup Aslanbay says
This chapter highlights the three elements of identity assurance: Identity Assurance Level, Authentication Assurance Level, and Federation Assurance Level. IAL concerns identity verification, AAL deals with the reliability of authentication, and FAL assesses assertion strength in federal contexts. The inclusion of visual aids and detailed descriptions, alongside a decision tree, proved useful in evaluating an organization’s tolerance for risk.
Bo Wang says
NIST SP 800-63-3 “Digital Identity Guidelines” emphasizes the importance of separating identity proofing and authentication processes. Identity proofing is the initial verification of an individual’s identity, while authentication is the ongoing process of confirming that identity during access or transactions. This separation ensures a secure and reliable digital identity system.
Ooreofeoluwa Koyejo says
Identity proofing ensures the identities involve the verification of the identities stored to have guaranteed access to the applications/systems. The authentication process involves validating the identities for authorization (permissions) in the applications/systems.
Celinemary Turner says
NIST SP 800-63. These guidelines talk about MFA and how the authentication method should use at least 2 of the following:
a. Something you know.
b. Something you have.
c. Something you are.
It also discusses the potential failures of identity proofing. These could be caused by accidentally providing access to the wrong person (e.g., a hacker successfully getting into a system by authenticating as someone else) or by excessive identity proofing, which occurs when more data is stored than necessary to authenticate someone.
Ooreofeoluwa Koyejo says
MFA aims at providing defence-in-depth in the authentication process; security professionals need to ensure the different levels are different factors and are not duplicating factors across each level of the MFA.
Bo Wang says
I agree with you that fingerprints and passwords should be used together.
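The "at least two of know/have/are" rule from Celinemary's list and Oore's warning about duplicating the same factor across levels, as an added worked check (example code written for this thread, not from NIST or any product). The authenticator names and the factor mapping are my own assumptions for illustration.

```python
"""Added example: decide whether a proposed set of authenticators is really
multi-factor, and flag sets that only repeat one factor (e.g. password + PIN)."""

# Assumed mapping from authenticator type to the factor categories it covers.
# A multi-factor device (hardware key unlocked by a PIN or fingerprint)
# legitimately covers two categories on its own.
FACTORS_BY_AUTHENTICATOR = {
    "password": {"know"},
    "pin": {"know"},
    "security_question": {"know"},
    "sms_otp": {"have"},
    "totp_app": {"have"},
    "hardware_otp_token": {"have"},
    "fido_security_key": {"have"},
    "fido_key_with_pin": {"have", "know"},
    "fido_key_with_fingerprint": {"have", "are"},
    "fingerprint": {"are"},
    "face": {"are"},
}


def factor_categories(authenticators):
    """Union of the factor categories exercised by the given authenticators."""
    cats = set()
    for a in authenticators:
        if a not in FACTORS_BY_AUTHENTICATOR:
            raise ValueError(f"unknown authenticator type: {a!r}")
        cats |= FACTORS_BY_AUTHENTICATOR[a]
    return cats


def is_multi_factor(authenticators):
    """True only when at least two distinct categories are covered."""
    return len(factor_categories(authenticators)) >= 2


def duplicated_factors(authenticators):
    """Categories covered by more than one authenticator: extra steps, not extra factors."""
    counts = {}
    for a in authenticators:
        for c in FACTORS_BY_AUTHENTICATOR[a]:
            counts[c] = counts.get(c, 0) + 1
    return {c for c, n in counts.items() if n > 1}


def review(authenticators):
    """Return a list of findings; an empty list means the set is sound."""
    cats = factor_categories(authenticators)
    findings = []
    if len(cats) < 2:
        findings.append("single-factor: only " + ", ".join(sorted(cats)))
    dup = duplicated_factors(authenticators)
    if dup:
        findings.append("repeated factor(s): " + ", ".join(sorted(dup)))
    # SP 800-63B permits biometrics only together with a possessed authenticator.
    if "are" in cats and "have" not in cats:
        findings.append("biometric used without a possessed authenticator")
    return findings
```

`review(["password", "security_question"])` reports a single-factor, repeated-"know" set, while `review(["password", "totp_app"])` returns no findings.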
Jon Stillwagon says
NIST SP 800-63 digital identity risk management talks about proofing, an authenticator, and federal requirements. We want to avoid identity proofing errors, authentication errors, and federation errors because someone could take advantage of these errors to spoof someone’s identity to steal or damage company information. There is even an excessive amount of identity proofing which stores more information than what needs to be stored. Risk management goes through all of these and determines the extent to which each risk is mitigated by identity proofing, authentication, and federation processes.
Ooreofeoluwa Koyejo says
As expected in every technology, errors, flaws and false positives are generated, and the function of security professionals is the continuous process of improving on these errors towards achieving the acceptable risk defined and approved by management.
Eyup Aslanbay says
You highlight the key aspects of NIST SP 800-63 regarding digital identity risk management, emphasizing the importance of minimizing errors in identity proofing, authentication, and federation to protect against identity spoofing and data breaches. Good point on the potential risks of excessive identity proofing; it underscores the role of risk management in evaluating and mitigating these risks.
Edge Kroll says
Hi Jon,
Your observation about the potential for identity-proofing errors to result in the storage of excessive information is particularly noteworthy. Striking the right balance between obtaining the necessary information for identity verification and minimizing the data stored is crucial. Over-collection of data not only poses privacy concerns but also increases the attack surface for potential cyber threats.
Ooreofeoluwa Koyejo says
Digital identity is the unique representation of a subject engaged in an online transaction. The process used to verify a subject’s association with their real-world identity is called identity proofing. The party to be authenticated is called a claimant and the party verifying that identity is called a verifier.
The digital identity model describes the enrollment and identity-proofing system which involves credential issuance, lifecycle management activities, and various states of an identity-proofing and authentication process.
Yannick Rugamba says
I noticed the focus on confirming identities stood out to me. It’s not just about validating someone’s identity but also ensuring their online persona aligns with who they are in real life. That verification step appears essential for establishing trust.
Yannick Rugamba says
I noticed the focus on confirming identities stood out to me. It’s not just about validating someone’s identity but also ensuring their online persona aligns with who they are in real life. That verification step appears essential for establishing trust.
Yannick Rugamba says
Erratum: this should be a reply on Oore’s post.