In this topic I learned about the three components of the identity guidelines: IAL, which refers to the identity proofing process; AAL, which refers to the authentication process; and FAL, which refers to the strength of an assertion in a federated environment, used to communicate authentication and attribute information, according to NIST. In reading this document I realized that “a digital identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known.”
Yes, in June 2017, NIST made some updates by replacing the levels of assurance (LOAs) with different areas of assurance, each with levels 1-3: the Identity Assurance Level, the Authenticator Assurance Level, and the Federation Assurance Level.
IAL has to do with the identity proofing process, or how an organization can vet a person’s real-life identity against their digital identity. The Authenticator Assurance Level introduced additional factors (like MFA or U2F) and how they can impact risk mitigation. The Federation Assurance Level is used to communicate authentication and attribute information to a relying party. E.g. FAL3 – the user must be able to prove possession of a cryptographic key bound to the assertion.
According to this document, the digital identity guidelines describe the risk management processes for selecting appropriate digital identity services and the details for implementing identity assurance, authenticator assurance, and federation assurance levels based on risk. It is necessary to note that the risk assessment guidance in these guidelines supplements the NIST Risk Management Framework and its component special publications, so it does not establish additional risk management processes for agencies. Also, the guidelines include privacy requirements and support the mitigation of the negative impacts induced by an authentication error by separating the individual elements of identity assurance into discrete, component parts, like the Identity Assurance Level and Authenticator Assurance Level for non-federated systems, and the Federation Assurance Level for federated systems.
Hi Innocent,
Digital identity is a challenge for many companies today because many of them are just adopting cloud services. However, your articulation on this matter is great because you show how companies can utilize this document to select appropriate digital identity controls.
NIST Special Publication 800-63 describes the risk management processes for selecting digital identity services and federation assurance levels based on risk. The risk assessment results are the primary factor in selecting the most appropriate assurance levels. This guideline addresses how to apply the risk assessment result to determine the most suitable assurance level, and selecting assurance levels is one of the normative parts of this guideline.
Hey Zeynep,
Yes, as technology moves fast, the guidelines for securing digital identities are also moving in that direction with key updates from NIST. From the SP 800-63-3 guidelines, SMS is no longer recommended for multi-factor authentication. Authentication and Lifecycle Management addresses the types of multi-factor authentication methods that are recommended by NIST. They include the OTP (one-time password) device, MFA cryptographic software, and the MFA cryptographic device. Also, organizations can use secure methods, such as Universal 2nd Factor (U2F) and push notifications via authenticator apps, to complete two-factor authentication.
Hi Zeynep,
I agree with you that risk assessment results are the primary factor in selecting the most appropriate assurance levels. Once assessments are made, you can rely upon them to determine the suitable controls and measures to be taken.
The NIST SP 800-63-3 (Digital Identity Guidelines) includes an overview of the fundamental frameworks, applying authenticators and credentials, and performing a risk-based process of selecting an assurance level. The three significant authentication factors are something you know, something you have, and something you are. The key point I pick from this standard is digital identity risk management. Risk assessment is important to determine the assurance level, including IAL (the identity proofing process), AAL (the authentication process), and FAL (an assertion in a federated environment).
Hello Num,
You have correctly pointed out that an organization’s RA process is the key driver behind the implementation of any access management technology. It is also important to note that the guidelines are applicable not just to the authority checking and granting access but also to the claimant, to get assurance that the correct CSP is authenticating the claimant. Another issue that I felt was important and touched upon was the collection of minimum privacy requirements by the CSP, as unnecessary gathering of claimants’ PII can be a huge risk for the CSP in case that information is lost or compromised.
Having spent some time reading the NIST 800-63-3 publication, which focused on standardized technical requirements that all federal agencies must adhere to when introducing digital identity services to their information systems, I spent the majority of it learning about the different assurance levels and the considerations behind them. While the risk assessment performed on the information systems is a constant key player across all three assurance levels, the additional information included in each differs greatly. For example, Authentication Assurance Level (AAL) takes into consideration the risk assessment mentioned previously and some of the more common authentication methods and guidelines to better select “appropriate authentication requirements” for their digital identity services.
Hi Jordan,
Good point that you mentioned the risk assessment process. Risk assessment plays the key role in identifying the assurance level. Without a risk assessment, there is an increased risk that companies might not be able to identify the level of assurance, which causes vulnerabilities.
NIST 800-63-3 provides technical requirements for federal agencies to implement digital identity services, identity proofing and authentication of users.
There are also technical requirements in each of these 3 areas:
IAL refers to the identity proofing process, AAL as the authentication process, FAL as the strength of an assertion in a federal environment.
Each of these components of identity assurance above has 3 levels: 1, 2 and 3. The higher, the more secure.
NIST 800-63-3 is a suite of 3 more volumes:
SP 800-63A Enrollment and Identity Proofing (provides a risk assessment methodology), SP 800-63B Authentication and Lifecycle Management (how an applicant can prove their identity) and SP 800-63C Federation and Assertions (provides requirements on the use of federal identity architectures).
Hello,
After reading through your takeaway from the NIST 800-63-3 publication, I can tell you garnered a thorough and well-rounded understanding of the various types of assurance levels and their respective documentation, which are all included in the NIST 800-63 suite. I’m interested to learn more of your thoughts on each of the individual documents and their respective technical requirement areas, which we’ve been assigned to read.
The key takeaway in the NIST SP 800-63-3 Digital Identity Guidelines is the three main factors for authentication, which include something you know, something you have, and something you are. I always thought this was interesting because all three of these criteria can make it difficult for a hacker to try to falsify their identity, especially when biometrics can be used as a form of authentication.
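The factor rule stated above, and the authenticator types listed in the earlier reply about SMS and MFA, can be put into a small check: two authenticators only make multi-factor authentication when they cover two different factors. The code below is an added illustration, not code from NIST or from anyone in this thread. The factor assigned to each authenticator type is an assumption for the example (a multi-factor cryptographic device may be activated by either a PIN or a biometric; "something you know" is assumed here), and the `restricted` flag for SMS reflects only this thread's statement that SMS is no longer recommended.

```python
"""Check whether a set of presented authenticators amounts to multi-factor
authentication. Added example (not NIST's or any poster's code); factor
assignments below are ASSUMPTIONS made for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

KNOW = "something you know"
HAVE = "something you have"
ARE = "something you are"


@dataclass(frozen=True)
class AuthenticatorType:
    name: str
    factors: FrozenSet[str]   # factors a single instance of this type provides
    restricted: bool = False  # True where this thread says the type is not recommended


# Authenticator types named in the thread, plus the memorized secret they are
# usually paired with. ASSUMED factor assignments (see module docstring).
AUTHENTICATORS = {
    "memorized_secret": AuthenticatorType("Memorized secret", frozenset({KNOW})),
    "sms_otp": AuthenticatorType("Out-of-band SMS OTP", frozenset({HAVE}), restricted=True),
    "single_factor_otp_device": AuthenticatorType("Single-factor OTP device", frozenset({HAVE})),
    "u2f_authenticator": AuthenticatorType("U2F security key", frozenset({HAVE})),
    "push_authenticator_app": AuthenticatorType("Push notification via authenticator app", frozenset({HAVE})),
    # Multi-factor cryptographic authenticators combine possession with a PIN
    # (or a biometric); KNOW is assumed here.
    "mf_crypto_software": AuthenticatorType("Multi-factor cryptographic software", frozenset({HAVE, KNOW})),
    "mf_crypto_device": AuthenticatorType("Multi-factor cryptographic device", frozenset({HAVE, KNOW})),
}


@dataclass
class FactorReport:
    factors: FrozenSet[str]        # distinct factors covered by the presented set
    is_multi_factor: bool          # True when at least two distinct factors are covered
    restricted_used: List[str]     # names of restricted authenticator types in the set


def evaluate(presented: Iterable[str]) -> FactorReport:
    """Union the factors of every presented authenticator and decide if the
    combination is multi-factor. Unknown type keys raise KeyError on purpose."""
    factors = set()
    restricted = []
    for key in presented:
        auth = AUTHENTICATORS[key]
        factors |= auth.factors
        if auth.restricted:
            restricted.append(auth.name)
    return FactorReport(frozenset(factors), len(factors) >= 2, restricted)


if __name__ == "__main__":
    # Two "something you have" authenticators are still single-factor.
    for combo in (["memorized_secret", "single_factor_otp_device"],
                  ["single_factor_otp_device", "push_authenticator_app"],
                  ["mf_crypto_device"],
                  ["memorized_secret", "sms_otp"]):
        report = evaluate(combo)
        print(combo, "-> MFA:", report.is_multi_factor,
              "restricted:", report.restricted_used)
```

The point the check makes concrete is that counting authenticators is not the same as counting factors: an OTP device plus a push notification is two possession-based authenticators and still one factor, while a single multi-factor cryptographic device already satisfies two.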
NIST 800-63-3 overlaps some of what was covered in Boyle and Panko Chapter 5. The special publication covers the credentials and authentications that come with having a “digital identity”. The digital identity can be on commercial websites or on internal software and applications. One of the key aspects of having a digital account and identity is authenticating the user/account against the repository of usernames and passwords. The database of legitimate credentials must be kept secure to ensure the confidentiality, integrity, and accessibility of the applications/files/software that were meant to be used by the users who were granted access.
Hi Alexander,
I agree that the database of legitimate credentials must be kept secure, as this is used to help ensure the validity of the data that users have access to. Overall, the emphasis on authentication is so important that the proper measures must be put in place to ensure that this is always being done.
Best,
Natalie Dorely
NIST SP 800-63-3 “Digital Identity Guidelines” Standards for Digital Certificate Authentication
IAL refers to the identification process.
AAL refers to the authentication process.
FAL refers to the strength of the joint environmental assertion.
And SP 800-63-3 points out the role and indicators of 3A and 3B, and provides a risk assessment methodology and an overview of the general identity framework using authenticators, credentials, and claims combined in digital systems. IAL, AAL, and FAL are also divided into three levels, with the highest level of credit being the third level.
Hi Junjie,
Pointing out the difference between IAL, AAL and FAL is very informative, while the highest level of these has the highest risk of all.
In NIST SP 800-63-3 I was most interested in the section regarding digital identity risk management. We saw in Chapter 5 how identity proofing and authentication errors may be common when utilizing biometrics; however, what is most concerning to me is the potential compromise of a person’s identity. NIST 800-63-3 touches on the potential impact of excessive identity proofing and the potential failure of securing this information. In other words, having too many identity authenticators can potentially be bad because all of this uniquely identifying information needs to be stored, which means it can also be compromised.
Hi Sarah Puffen,
Yes, you are right. When the protection and use of identity information is not standardized, too much identity information has a higher probability of error in unique identification.
From NIST SP 800-63-3, the part that I was most interested in is how assurance levels are selected. While risks like personal safety do not occur at a lower impact category, all kinds of risks are at the highest assurance level at the highest impact category. Also, the whole process of selecting IAL is quite interesting.
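The selection process described above (and in the earlier post calling assurance-level selection a normative part of the guideline) reduces to a rule that can be written down: rate each impact category, map each rating to a candidate level, and take the highest candidate. The code below is an added illustration, not text or code from SP 800-63-3 or from anyone in this thread. The category names and the Low/Moderate/High-to-level mapping are assumptions made for the example; the only behaviour taken from the thread is that a personal-safety impact has no lowest-level rating and so starts at level 2. The authoritative mapping is the set of tables in the standard itself.

```python
"""Illustrative assurance-level selection from a risk assessment.
Added example (not NIST's or any poster's code). The impact categories and
the rating-to-level mapping are ASSUMPTIONS for illustration; consult the
standard's own tables for the normative values."""
from enum import Enum
from typing import Dict, Optional


class Impact(Enum):
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Impact categories a risk assessment rates (ASSUMED list for this example).
CATEGORIES = (
    "inconvenience_or_reputation",
    "financial_loss",
    "harm_to_agency_programs",
    "unauthorized_release_of_sensitive_info",
    "personal_safety",
    "civil_or_criminal_violations",
)


def level_for(category: str, impact: Impact) -> Optional[int]:
    """Candidate level for one impact category; None means the category
    contributes nothing. Personal safety has no Low rating, so any
    personal-safety impact is treated as at least level 2 (ASSUMED mapping
    reflecting the thread's remark that such risks do not appear at the
    lowest impact category)."""
    if impact is Impact.NONE:
        return None
    if category == "personal_safety":
        return max(2, impact.value)
    return impact.value


def select_level(assessment: Dict[str, Impact]) -> int:
    """Return the assurance level (1-3) the assessment calls for: the highest
    candidate across all rated categories, with level 1 as the floor."""
    unknown = set(assessment) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    candidates = (level_for(c, i) for c, i in assessment.items())
    return max((c for c in candidates if c is not None), default=1)


# Constructed sample assessment for a hypothetical public-facing service.
SAMPLE_ASSESSMENT = {
    "inconvenience_or_reputation": Impact.MODERATE,
    "financial_loss": Impact.LOW,
    "harm_to_agency_programs": Impact.NONE,
    "unauthorized_release_of_sensitive_info": Impact.LOW,
    "personal_safety": Impact.NONE,
    "civil_or_criminal_violations": Impact.NONE,
}

if __name__ == "__main__":
    print("selected level:", select_level(SAMPLE_ASSESSMENT))
```

Because the result is a maximum, one High rating in any category pulls the whole system to level 3 even when every other category is rated Low, which is what the post above observes about the highest impact category.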
One section of the Digital Identity Guidelines I found interesting was the digital identity risk management section. This section deals with avoiding identity proofing errors, authentication errors, and federation errors. Each of these risks needs to be assessed for the system that is being implemented so the impact is understood and the proper controls can be put in place. If there is a proofing error, then an attacker can gain access as someone else, or if there is too much proofing, then there can be too much information stored about that person. Each outcome has potential risks, but using a proper risk management process those errors can be avoided.
SP 800-63 provides technical guidelines to federal agencies for the implementation of digital authentication. It provides an overview of general identity frameworks, using authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. Successful authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as that which previously accessed the service. Digital authentication involves authenticating individuals over an open network and hence presents multiple opportunities for impersonation and other attacks that fraudulently claim another subject’s digital identity. This document provides guidelines for mitigating the negative impacts induced by an authentication error by separating the individual elements of identity assurance into discrete, component parts. This document also provides guidelines for credential service providers (CSPs), verifiers, and relying parties (RPs).