Yannick Rugamba says
One important point emphasized in NIST SP 800-63B is the suggestion to permit users to create passwords of any desired length (within limits) without enforcing composition requirements (like mandating mixtures of various character types). This adjustment stems from studies demonstrating the security advantage of composition rules and the annoyance they frequently provoke among users, potentially resulting in workarounds.
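As an added illustration (not code from the thread or from NIST), here is a verifier-side check that follows the 800-63B memorized-secret rules the comment refers to: length is the only strength requirement, Unicode and spaces are accepted, input is normalized, and candidates are screened against a blocklist and context words instead of composition rules. The 128-character cap and the blocklist contents are constructed for the example.

```python
import unicodedata

# 800-63B requires verifiers to accept at least 8 characters and to permit at
# least 64; the 128 upper bound is an assumed local limit, not a NIST value.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed sample blocklist. A real deployment would load breach-corpus
# passwords, dictionary words and repetitive or sequential strings here.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1", "iloveyou"}


def normalize(secret: str) -> str:
    # Normalize (NFKC) before measuring length and before hashing, so that
    # visually identical input compares equal; spaces are deliberately kept.
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, context_words=()) -> tuple[bool, str]:
    # Returns (accepted, reason). No composition rule is enforced on purpose:
    # only length, the blocklist and context-specific words are checked.
    s = normalize(secret)
    # len() counts code points, so an emoji or accented letter counts once.
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    lowered = s.lower()
    if lowered in BLOCKLIST:
        return False, "commonly used or previously breached value"
    for word in context_words:  # e.g. service name, username, e-mail local part
        if word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"
```

A long passphrase with no digits or symbols passes, while a short "complex" value is rejected, which is exactly the trade the guideline makes.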
Ooreofeoluwa Koyejo says
I believe that the principle of password protection and length as a control to prevent compromised access to systems and applications should be properly communicated in user security awareness training. When users understand why they need to do it, it gets easier and simpler for them to maintain.
Eyup Aslanbay says
Learning about threats to authenticators and their mitigations is crucial, especially when dealing with data in government systems. Common threats include phishing, theft, social engineering, and side-channel attacks. Key mitigations involve endpoint security, multi-factor authentication, and using authenticators resistant to impersonation and social engineering. These strategies help lower the risk of attackers compromising authenticators and posing as their owners.
Bo Wang says
It focuses on authentication and lifecycle management, emphasizing the use of multi-factor authentication (MFA) to enhance security. It suggests that for higher security applications, relying on multiple forms of authentication (something you know, something you have, and something you are) significantly reduces the risk of unauthorized access.
Ooreofeoluwa Koyejo says
While MFA works as a major part of authentication and lifecycle management, it is very important that attention also goes to user-level security, which is achieved by continuous user security awareness training. Social engineering threats and attacks can potentially destroy the efforts put in place by enhanced authentication processes.
Celinemary Turner says
NIST Digital Identity Guidelines 800-63B provides a more prescribed approach to the AAL process and each level’s requirements. For example, 800-63B outlines a permitted authenticator type, reauthentication, security controls, and record retention policy required by each AAL process. Required security controls can be found in NIST SP 800-53, which assigns controls based on low, moderate, or high baselines and their subsequent resistance requirements (NIST 800-63A), furthering our understanding of how these documents support one another.
Bo Wang says
Yes, these standardized processes can reduce the incidence of identity theft to some extent.
Jon Stillwagon says
NIST SP 800-63B has its own assurance levels, the authenticator assurance levels 1, 2, and 3. It also has authenticator lifecycle management, which includes binding, loss, theft, unauthorized duplication, expiration, and revocation. There is session binding, and it occurs between the software that a subscriber is running, like a browser, application, or operating system. Then you have access tokens, device authentication, and reauthentication. When an access token is found, it will allow an application to access a set of services on a subscriber's behalf. Device authentication includes, but is not limited to, mutual token binding. Reauthentication is based upon the possession of a session secret, which is issued by the verifier during the time of authentication and later refreshed during the session.
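To show the last point in working form, here is an added example (not from the thread or from NIST) of a verifier that issues a session secret at authentication, treats possession of that secret as the basis for continued access, refreshes it mid-session, and forces reauthentication on the 800-63B AAL2 windows (12 hours overall, 30 minutes idle). Assumed: an AAL2 deployment and an injectable clock so the timeouts can be exercised.

```python
import hashlib
import secrets
import time

# Reauthentication windows below are the AAL2 values from 800-63B section 7.2
# (assumption: an AAL2 deployment; AAL1 and AAL3 use different windows).
SESSION_LIFETIME = 12 * 60 * 60  # reauthenticate at least once per 12 hours
INACTIVITY_LIMIT = 30 * 60       # and after 30 minutes of inactivity


class Verifier:
    # Session store keyed by a digest of the secret, so a leaked table yields no live secrets.
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested
        self._sessions = {}  # sha256(secret) -> {sub, auth_at, last_seen}

    @staticmethod
    def _key(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_session(self, subscriber: str) -> str:
        # After successful authentication: mint a 256-bit secret (800-63B floor is 64 bits).
        secret = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(secret)] = {"sub": subscriber, "auth_at": now, "last_seen": now}
        return secret

    def validate(self, secret: str):
        # Returns (subscriber, "ok"), or (None, reason) when reauthentication is due.
        rec = self._sessions.get(self._key(secret))
        if rec is None:
            return None, "unknown or revoked session"
        now = self._clock()
        if now - rec["auth_at"] > SESSION_LIFETIME:
            self._sessions.pop(self._key(secret))
            return None, "reauthenticate: session lifetime exceeded"
        if now - rec["last_seen"] > INACTIVITY_LIMIT:
            self._sessions.pop(self._key(secret))
            return None, "reauthenticate: inactivity timeout"
        rec["last_seen"] = now
        return rec["sub"], "ok"

    def refresh(self, secret: str):
        # Rotate the secret mid-session; the old one dies, the reauthentication clock (auth_at) is kept.
        rec = self._sessions.pop(self._key(secret), None)
        if rec is None:
            return None
        new_secret = secrets.token_urlsafe(32)
        self._sessions[self._key(new_secret)] = rec
        return new_secret
```

Refreshing rotates the bearer value without extending the 12-hour window, so rotation alone never substitutes for reauthentication.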
Edge Kroll says
Hi Jon,
The authenticator lifecycle management you highlighted is crucial for maintaining the integrity and security of authentication processes. Addressing issues such as binding, loss, theft, unauthorized duplication, expiration, and revocation showcases a comprehensive understanding of the potential threats at various stages of the authenticator lifecycle. This lifecycle management framework is essential for organizations to proactively manage and mitigate risks associated with identity authentication.
Ooreofeoluwa Koyejo says
Identity proofing’s sole objective is to ensure the applicant is who they claim to be to a stated level of certitude, which includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing.
The basic flow for identity proofing and enrollment involves 3 steps:
– Resolution: core attributes/characteristics collected as evidence, which should be distinguished among other user attributes for integrity.
– Validation: evidence is validated, authenticated, and checked for accuracy to determine if it is related to a real-life subject.
– Verification: the evidence is verified.