Percy Jacob Rwandarugali says
In this reading, below are some of the passages that captured my imagination, for instance:
“For services in which return visits are applicable, a successful authentication provides reasonable risk-based assurances that the subscriber accessing the service today is the same as that which accessed the service previously.”
In my opinion, this is an interesting point because then the CSP must capture some data from the customers’ habits during login, and this must be within the guidelines of rules and regulations. The challenge here is to find the balance between getting enough data to identify the user and also not crossing the line of collecting more data than what you need, because then you break the law.
Percy Jacob Rwandarugali says
What do you think provides more security as regards access control and authentication, CSPs or physical systems?
Innocent says
One key idea to remember from the National Institute of Standards and Technology’s Special Publication 800-63B – Digital Identity Guidelines: Authentication & Lifecycle Management is that a number of events can occur over the lifecycle of a subscriber’s authenticator that affect that authenticator’s use. These events include binding, loss, theft, unauthorized duplication, expiration, and revocation.
Zeynep Sahin says
NIST Special Publication 800-63B, “Digital Identity Guidelines, Authentication and Lifecycle Management” includes explanations of assurance levels and memorized secrets requirements. The Authenticator Assurance Levels are: AAL1 requires single-factor authentication, AAL2 requires two authentication factors for additional security, and AAL3 requires the use of a hardware-based authenticator and verifier impersonation resistance. Also, you can find the threats to the authenticator(s) used for digital authentication and the mitigation mechanisms for these threats in this document.
Natalie Dorely says
NIST SP 800-63B “Digital Identity Guidelines Authentication and Lifecycle Management” covers a section on the use of biometrics. I found this interesting because I always thought that biometrics was an efficient tool to use as a form of authentication. The document mentions certain reasons why the use of biometrics should be limited. For example, the biometric False Match Rate isn’t completely accurate in the authentication of a specific individual. This was very eye-opening for me and sparked more intrigue about biometrics.
Numneung Koedkietpong says
NIST SP 800-63B provides digital identity guidelines for authentication and lifecycle management. One key point that I chose is authenticator threats. Attackers can compromise systems by pretending to be the authenticator’s owner. They can attack in several ways based on authentication factors, including something you know (disclosed to hackers), something you have (lost or stolen), and something you are (replicated). There are many threats such as assertion modification, theft, duplication, eavesdropping, phishing, social engineering, and endpoint compromise. Organizations should implement security controls to safeguard systems, like multi-factor authentication, using strong authenticators, and avoiding the use of non-trusted wireless networks.
Peiran Liu says
Hi Numneung,
When companies use authenticators, the security awareness training should also include teaching employees to prevent losing their authenticators, as they have become part of the security system. With good training, the threat from lost or stolen authenticators should be eliminated, and pretending shouldn’t be an option for hackers anymore.
Imran Jordan Kharabsheh says
While studying the NIST 800-63B publication, which provided more thorough detailing on the standardized digital identity guidelines and requirements for the authentication of previously registered system users over an open network, I found myself frequently having to go back and review the three authenticator assurance levels. This is primarily because I was trying to figure out which authenticators were compatible across different assurance levels, since each level has its own security requirements that get stricter as it increases. For example, the first Authenticator Assurance Level requires only a single authenticator type, such as single-factor cryptographic software, and only provides a small amount of authenticator assurance due to only requiring proof that the person in question is in possession of the authenticator. The third Authenticator Assurance Level, however, provides a much higher amount of authenticator assurance due to requiring at least two unique authentication types, which are meant to show proof of possession of a key and verifier impersonation resistance through secure and encrypted authentication protocols.
Alexander Reichart-Anderson says
One main point that stood out to me in NIST 800-63B is how organizations manage the lifecycle of usernames/passwords of user accounts. It makes sense to me as to why I am prompted at Temple and my internship to reset my passwords and to verify email addresses and phone numbers. The core IT policy is in place to prevent accounts and passwords that may be compromised from serving as a vulnerability for too long. Organizations will implement timeframes where users need to re-validate themselves through different methods. The validation process proves that the users are who they say they are and keeps the information assets confidential and accessible.
Joseph Nguyen says
NIST 800-63-3B Digital Identity Guidelines Authentication and Lifecycle Management provides a description of Authenticator Threats/Attacks and Threat Mitigation. It also gives a process for Authenticator Lifecycle Management, including binding, loss, theft, unauthorized duplication, expiration, and revocation.
Junjie Han says
NIST 800-63-3b Digital Identity Guidelines Authentication and Lifecycle Management indicates the level of AAL and states that the main threat to guard against is identity theft. AAL1 requires single-factor and multi-factor authentication. AAL2 requires both security authentication and two different authentication factors. The relevant hardware is bundled in AAL3 to help with authentication. For example, a bank U shield needs to be plugged into a specific USB port to start online banking.
Innocent says
Yes Han, also the AAL1 authentication shall occur by the use of any of the following authenticator types: Memorized Secrets, Look-up Secrets, Out-of-Band Devices, Single-Factor One-Time Password (OTP) Devices, Multi-Factor OTP Devices, Single-Factor Cryptographic Software, Single-Factor Cryptographic Devices, Multi-Factor Cryptographic Software and Multi-Factor Cryptographic Devices.
Akshay Shendarkar says
NIST SP 800-63B addresses how an individual can securely authenticate to a CSP to access a digital service or set of digital services. The guidelines apply to digital authentication of subjects to systems over a network. This document also requires that federal systems and service providers participating in authentication protocols be authenticated to subscribers. This document also provides recommendations on types of authentication processes, including choices of authenticators, that may be used at various Authenticator Assurance Levels (AALs). It also provides recommendations on the lifecycle of authenticators, including revocation in the event of loss or theft.
Christopher James Lukens says
One section I found interesting was reauthentication. Reauthentication can require the presentation of certain factors depending on the level of the system. If the system is at AAL1, any factor to reauthenticate that was previously established will work. At AAL2 there must be a presentation of a memorized secret or a biometric to establish the session. At AAL3 there must be a presentation of all factors to reauthenticate the user. These levels prevent anyone from using a session that a user has potentially left running or from trying to authenticate using someone else’s identity.
Peiran Liu says
The key takeaway is about requirements by authenticator type. Memorized Secrets, Look-up Secrets, Out-of-Band Devices, Single-Factor OTP Devices, Multi-Factor OTP Devices, Single-Factor Cryptographic Software, Single-Factor Cryptographic Devices, Multi-Factor Cryptographic Software and Multi-Factor Cryptographic Devices are all included in this category. For example, Single-Factor OTP authenticators contain two persistent values. The first is a symmetric key that persists for the device’s lifetime. The second is a nonce that is either changed each time the authenticator is used or is based on a real-time clock. If the authenticator output has less than 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account.
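As an added illustration of the single-factor OTP requirements in the comment above (this is example code written for this page, not code from the post, from NIST, or from any product), the block below instantiates the "symmetric key plus counter or clock nonce" design with HOTP (RFC 4226) and TOTP (RFC 6238), measures the entropy of the decimal output, and has the verifier enforce failed-attempt rate limiting whenever that entropy is below 64 bits. The lockout threshold and duration, the clock-skew window, and the test key are assumed values chosen for the example.

```python
import hashlib
import hmac
import math
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Clock-based nonce (RFC 6238): the counter is the number of time steps since the epoch."""
    return hotp(key, int(now // step), digits)


def output_entropy_bits(digits: int) -> float:
    """Entropy of a decimal OTP output; 6 digits is about 19.9 bits, far below 64."""
    return math.log2(10 ** digits)


class OtpVerifier:
    """Verifier state for one subscriber; lockout parameters are assumed values, not NIST's."""

    def __init__(self, key: bytes, max_failures: int = 5, lockout_seconds: int = 300, digits: int = 6):
        self.key, self.digits = key, digits
        # SP 800-63B: rate limiting is mandatory when the output has under 64 bits of entropy.
        self.rate_limited = output_entropy_bits(digits) < 64
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures, self.locked_until = 0, 0.0

    def verify(self, code: str, now: float, step: int = 30, skew: int = 1) -> str:
        """Returns 'ok', 'rejected' or 'locked'; tolerates +/- `skew` time steps of clock drift."""
        if self.rate_limited and now < self.locked_until:
            return "locked"
        for drift in range(-skew, skew + 1):
            expected = totp(self.key, now + drift * step, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.failures = 0  # a success resets the failed-attempt counter
                return "ok"
        self.failures += 1
        if self.rate_limited and self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds  # further attempts are refused
        return "rejected"
```

With the RFC 4226 test key, counter 0 yields 755224 and counter 1 yields 287082, so a 6-digit verifier locks the account after the configured number of wrong codes.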