Digital identity faces risks that other widely used digital technologies have exposed, such as a series of potential risks in the digital ecosystem, such as data leakage, technical vulnerabilities, malfunctions, and personal data misuse.
As the foundation of many applications such as personal life, work, and social interaction, digital identity creates important economic and social value. However, digital identity is not without the possibility of abuse, so it requires reasonable control and strong governance and legislative regulation.
All stakeholders can use a common framework to prioritize digital identity risks when formulating policies, implementing management, and system design.
Digital Identity is a huge topic. In trying to wrap my head around it, I wonder how biometrics and its uses in authentication are impacted by our established digital identities. Especially in government where biometrics is used in some of the most classified areas. If I can log into my phone with a fingerprint then someone already has a scan of my print and could use it against me at my government job. It’s definitely an interesting topic!
Digital identity is the unique representation of a subject engaged in an online transaction; it is an online or networked identity adopted or claimed in cyberspace by an individual, organization or electronic device. The information contained in a digital identity allows for assessment and authentication of a user interacting with a business system on the web, without the involvement of human operators. Usually in digital services, the organization will combine proofing, authenticator, and federation requirements into a single bundle; digital identity risk management will help to identify the risk and impact level of digital authentication and decrease the security and privacy risk. After risk assessments, one of the important steps is selecting individual assurance levels for identity proofing, authentication, and federation. The individual assurance levels include IAL (the robustness of the identity proofing process to confidently determine the identity of an individual), AAL (the robustness of the authentication process itself, and the binding between an authenticator and a specific individual’s identifier), and FAL (the robustness of the assertion protocol the federation uses to communicate authentication and attribute information to an RP).
Hi Xinyi,
I agree with your opinion. The strength of authentication is described by a sequential measure called identity assurance level (IAL). Any attribute information that the applicant needs to provide is self-declared and does not need to be verified, because identification is not required in IAL1. IAL2 and IAL3 require authentication. The claimant needs evidence to prove the existence of the claimed identity in the real world and to verify that he has an appropriate connection with the real-world identity in IAL2. The applicant’s identification must be physical and its identity attributes must be verified in IAL3 by an authorized and trained CSP representative.
As per NIST SP 800-63-3, digital identity is the unique representation of a subject engaged in an online transaction. One point to note is that accessing a digital service does not mean that the subject’s real-life identity is known. The risk management section caught my attention as it determines the extent to which risk must be mitigated by the identity proofing, authentication, and federation processes. After risk management the next step is individual assurance levels. The assurance levels are IAL, AAL, and FAL. IAL is selected to mitigate potential identity proofing errors. AAL is selected to mitigate potential authentication errors. FAL is optional and is selected to mitigate potential federation errors.
Hi Priyanka, digital identity is important these days, especially since, when engaging in online activity, the subject does not have to reveal its real identity in real life, but it can be verified and authenticated through a two-factor or multi-factor authentication process to make sure they are the owner and user of that digital identity.
Hi Priyanka,
NIST made some updates, replacing the level of assurance (LOA) with a different range of assurance, and each level was changed to levels 1-3, including the identity assurance level, the identity verifier assurance level, and the federal assurance level. IAL is related to the identification process, or how the organization examines a person’s true identity based on their digital identity. The Authenticator assurance level introduces other factors and how it affects the mitigation of risks. The federation level is used to convey identity verification and attribute information to the relying party.
This publication provides guidelines for avoiding authentication errors, authentication errors, and Federation errors. In particular, with regard to authentication errors (i.e., a false applicant claims an identity that does not belong to them), there are two errors that need to be avoided; one attacker successfully proves as someone else and safely stores more information about one person than is necessary to successfully provide digital services. One of the particularly interesting parts I find is the potential impact of each injury. There are six categories, including the following potential impacts: inconvenience, distress or damage to reputation or reputation, financial loss, damage to institutional plans or public interests, unauthorized release of sensitive information, personal safety, civil or criminal violations.
Nice summary of the risks of errors in the authentication and federation spaces. I found it interesting how credential service providers are to protect the information provided by users to prove their identity before their authentication credentials are provided. The steps that a CSP goes through to verify identities should help mitigate the risks of these errors.
In this document, chapter six talks about selecting the assurance level. The risk assessment results are the primary factor in selecting the most appropriate levels. First, compare the risk assessment impact profile to the impact profile associated with each assurance level. To determine the required assurance, find the lowest level whose impact profile meets or exceeds the potential impact for every category analyzed in the risk assessment. There is a table showing six categories, which include inconvenience, distress or damage to standing or reputation, financial loss or agency liability, harm to agency program or public interests, unauthorized release of sensitive information, personal safety and civil or criminal violations. Each of them can be rated as low, mod or high. This table allows companies and organizations to assess their application or information technology system, and make a policy or plan to enhance its security.
Digital identity refers to the identifiable characterization of an individual through digital information. It can also be understood as the public/private key that condenses the real identity information into the form of digital code, so as to bind, query and verify the real-time behavior information of an individual. Digital identity not only includes birth information, individual description, biological characteristics and other identity coding information, but also involves a variety of attributes of personal behavior information. With the rapid development of the Internet and digitization, the importance of digital identity is also increasing dramatically. One of the characteristics of both the Internet age and the blockchain age is that they are “digital”. And the basis of digital activities is the user’s digital identity. Only when the user’s digital identity is true and effective can the information data of a series of activities and transactions associated with it be true and effective. Therefore, the development of digital identity system is inevitable.
SP 800-63 Digital Identity Guidelines: Provides the risk assessment methodology and an overview of general identity frameworks. It also includes a risk-based process of selecting assurance levels.
Section 5 discusses identity risk management and Section 6 shows you how to select the assurance level you need for the risk identified. Based on the risk and impact, you will choose one of three assurance levels within the following categories: Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL). For federated systems, agencies will select a third component, Federation Assurance Level (FAL).
The most interesting portions to me were the flow charts for the IAL, AAL and FAL assurance levels. For example, based on the results you had from the risk assessment, you use the flow chart to decide if IAL1, IAL2, or IAL3 was needed for the identity assurance of a system. Any time you needed to include the high value for any risk impact or a moderate for personal safety, you would recommend the highest level of assurance of each component, or IAL3. The same can be said for AAL and FAL.
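The selection rule from Section 6 that the two posts above describe (find the lowest level whose impact profile meets or exceeds the assessed impact in every category, with a moderate personal-safety impact forcing level 3), worked through as an added Python example that is not part of this discussion or of NIST's own material. The per-level maxima are transcribed from SP 800-63-3 Table 6-1; the short category key names, the constructed sample assessment and the `select_assurance_levels` helper are this example's own assumptions.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of a failure in one category (FIPS 199 scale plus N/A)."""
    NONE = 0      # "N/A" in the table: no impact at all is tolerated at that level
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Accepts the spellings a risk assessment sheet typically uses ("low", "mod", "high", "n/a").
RATING_WORDS = {
    "n/a": Impact.NONE, "none": Impact.NONE,
    "low": Impact.LOW,
    "mod": Impact.MODERATE, "moderate": Impact.MODERATE,
    "high": Impact.HIGH,
}

# The six harm categories from SP 800-63-3 Section 6 (key names are our own short forms).
CATEGORIES = (
    "inconvenience_distress_reputation",
    "financial_loss_agency_liability",
    "harm_to_agency_programs_public_interest",
    "unauthorized_release_sensitive_info",
    "personal_safety",
    "civil_or_criminal_violations",
)

# Maximum impact each assurance level (1, 2, 3) may carry per category.
# Transcribed from SP 800-63-3 Table 6-1; the same profile is used for IAL, AAL and FAL.
MAX_IMPACT = {
    "inconvenience_distress_reputation":       (Impact.LOW,  Impact.MODERATE, Impact.HIGH),
    "financial_loss_agency_liability":         (Impact.LOW,  Impact.MODERATE, Impact.HIGH),
    "harm_to_agency_programs_public_interest": (Impact.NONE, Impact.MODERATE, Impact.HIGH),
    "unauthorized_release_sensitive_info":     (Impact.NONE, Impact.MODERATE, Impact.HIGH),
    "personal_safety":                         (Impact.NONE, Impact.LOW,      Impact.HIGH),
    "civil_or_criminal_violations":            (Impact.NONE, Impact.MODERATE, Impact.HIGH),
}


def parse_profile(ratings):
    """Turn {category: "low"/"mod"/"high"/"n/a"} into {category: Impact}.

    Every category must be rated: an unassessed category is a gap in the risk
    assessment, not an implicit "no impact", so it is rejected rather than defaulted.
    """
    unknown = set(ratings) - set(CATEGORIES)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    profile = {}
    for category in CATEGORIES:
        if category not in ratings:
            raise ValueError(f"missing rating for category: {category}")
        word = ratings[category].strip().lower()
        if word not in RATING_WORDS:
            raise ValueError(f"unknown rating {ratings[category]!r} for {category}")
        profile[category] = RATING_WORDS[word]
    return profile


def shortfalls(profile, level):
    """Categories where the assessed impact exceeds what `level` (1..3) tolerates."""
    return [c for c in CATEGORIES if profile[c] > MAX_IMPACT[c][level - 1]]


def select_level(profile):
    """Lowest level whose Table 6-1 profile meets or exceeds every assessed impact."""
    for level in (1, 2, 3):
        if not shortfalls(profile, level):
            return level
    raise AssertionError("level 3 tolerates HIGH in every category; unreachable")


def select_assurance_levels(ratings, federated):
    """Apply the selection to IAL, AAL and, for federated systems only, FAL.

    Section 6 runs a separate flow chart per component and lets them diverge
    (for example when a service collects no identity attributes); this helper
    implements only the Table 6-1 impact comparison shared by all three charts.
    `drivers` lists the categories that ruled out the next-lower level.
    """
    profile = parse_profile(ratings)
    level = select_level(profile)
    return {
        "IAL": level,
        "AAL": level,
        "FAL": level if federated else None,
        "drivers": shortfalls(profile, level - 1) if level > 1 else [],
    }


if __name__ == "__main__":
    # Constructed sample assessment: a benefits portal where exposure of records is
    # moderate, a wrong grant is a low financial loss, and nobody's safety is at risk.
    sample = {
        "inconvenience_distress_reputation": "mod",
        "financial_loss_agency_liability": "low",
        "harm_to_agency_programs_public_interest": "low",
        "unauthorized_release_sensitive_info": "mod",
        "personal_safety": "n/a",
        "civil_or_criminal_violations": "low",
    }
    print(select_assurance_levels(sample, federated=True))
```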
Hi, Jonathan. As you mentioned the IAL, AAL, and FAL, they have three different levels that are like the level of the CIA. The highest-level means that it provides the most control. For example, AAL3 provides the most complicated cryptographic authenticator. Because of this, the assurance level is the highest to protect the information system.
Hi, Jonathan, I totally agree with your points, SP 800-63A sets three IALs to reflect the options agencies may select from based on their risk profile and the potential harm caused by an attacker making a successful false claim of an identity. IAL1: There is no requirement to link the applicant to a specific real-life identity. IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.
With our lives and accounts living on the Internet, proving a digital identity is an important task to deter threats and mitigate risk. Three methods make sure a digital identity matches the person accessing it: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). Within each of these Assurance Levels, there are three sub-levels for agencies to choose when assessing the potential harm an attacker can cause. Level 1 for each is the baseline method for making sure that an identity matches its digital and real counterpart, and is generally the least secure method. Level 2 introduces methods to prove a user is the authorized user, and Level 3 expands upon that with more secure authentication protocols. Typically when combining Assurance Levels, the levels for each should be the same (e.g. IAL, AAL, and FAL are all Level 2). Having multiple secure methods to prove a digital identity may seem tedious, but is very important to keep security to the highest standard.
Hi Krish, good analysis on the three IALs. I agree that having multiple secure methods to prove a digital identity is important in helping keep the organization’s security safe. I think it’s interesting how level 3 is able to be used to grant permissions for the lower IALs as well. In what scenarios would you think a level 1 IAL would be sufficient?
Using digital identity improves the quality of authentication and minimizes potential risks via RP SHALL implementation. There are three levels of potential impact, from low to high. A high impact will affect both organizations and the public interest over a long period. A moderate impact affects some significant projects’ implementation and reduces their effectiveness. Sometimes organizations will ignore a low impact because it is limited to some insignificant projects and does not affect any major operation. In these scenarios, organizations can use “agencies SHOULD” to identify the appropriate guidelines, so that they can develop secure and privacy-enhanced services. They can alternatively use “agencies MAY” to set up adjustments, which do not describe the solution in SP 800-63, and they can also expand the controls with “agencies SHOULD”. Organizations can combine “agencies SHOULD” and “MAY” to create the policy on how to use digital identity to improve their internal controls.
Authentication and lifecycle management focuses on the use of authenticators. Authentication is used by three factors: something you know, something you have, and something you are. MFA is using one or more of the three factors.
In digital authentication, the person requesting access must have or control one or more authenticators to prove their identity. The authenticators contain secrets that only the valid identity owner will know. Some authenticators can be either public key pairs (asymmetric keys) or shared keys (symmetric keys). In asymmetric authentication, the claimant uses their private key and has knowledge of the owner’s public key, using the combination to verify their identity. Shared secrets in symmetric authentication can be symmetric keys or even memorized secrets such as passwords and PINs. In this scenario, the only one with knowledge of this password or PIN is the person requesting access. In digital authentication, the authenticator is always a secret and unknown to anyone besides the owner, compared to common authentication factors using authenticators such as an ID or biometrics.
This iteration of the Digital Identity Guidelines, NIST SP 800-63-3, is where the concepts of digital authentication assurance (AAL, IAL and FAL) are introduced. These components “support the independent treatment of authentication strength and confidence in an individual’s claimed identity.” It also provides a risk assessment method and application of these components. The document also highlights the roles pre- and post-authentication and verification, and how the components in the doc can be used in conjunction with the Registration Authority or Identity Manager, aka Credential Service Providers. Section 5 is critical as it outlines the risk management model and method that are specific to Digital Identity Risk.
According to the document, digital identity is the unique representation of a subject engaged in an online transaction. Identity proofing establishes that a subject is who they claim to be. There are three components to identity assurance: IAL (identity assurance level) is the degree of confidence that the applicant’s claimed identity is their real identity; AAL (authenticator assurance level) describes the strength of the authentication process; FAL (federation assurance level) describes the assertion protocol used by the federation to communicate authentication and attribute information to a relying party. It is important to note that not all digital services require authentication or identity proofing. These guidelines apply to all transactions where digital identity or authentication is required. These guidelines primarily focus on agency services that interact with the non-federal workforce, such as citizens accessing benefits or private sector partners accessing information sharing collaboration spaces. It is also important to keep in mind that these guidelines do not address authentication for physical access such as buildings, though some authenticators used for digital access may also be used for physical access authentication. When assessing the potential impacts for each component of identity assurance, a level of “Low, Moderate, or High” is assigned to them, as per the FIPS 199 document.
I took from the reading that federal government and agencies are encouraged to use federated identity architectures to improve the user experience and reduce costs associated with authentication. Federated architecture basically uses a single credential to drive access to multiple things. The user authenticates one time and the data used to house the credential is centralized. Agencies do not need to pay for collection, storage, disposal and compliance activities that are associated with storing personal information. By federating the identity, the agency is able to focus on mission enablement rather than identity management.
A single credential, on paper, sounds insecure. But if it’s federated, then it must have some security benefits that would make it useful in addition to making it easier to authenticate users. Identity management can be cumbersome, so having a method such as this makes sense.
The SP 800-63 Digital Identity Guidelines provide an overview of general identity frameworks, using authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels. It mainly addresses how applicants can prove their identities and become enrolled as valid subscribers within an identity system. It provides requirements by which applicants can both identity proof and enroll at one of three different levels of risk mitigation in both remote and physically-present scenarios.
SP 800-63A sets three IALs to reflect the options agencies may select from based on their risk profile and the potential harm caused by an attacker making a successful false claim of an identity.
IAL1: There is no requirement to link the applicant to a specific real-life identity.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.
AAL1: Requires either single-factor or multi-factor authentication using a wide range of available authentication technologies.
AAL2: Proof of possession and control of two distinct authentication factors is required through a secure authentication protocol.
AAL3: Based on proof of possession of a key through a cryptographic protocol.
NIST Special Publication 800-63 describes the risk management process used to select digital identity services and alliance assurance levels based on risk. The result of the risk assessment is the main factor in selecting the most appropriate assurance level. This guide covers how to apply the results of risk assessment to determine the most appropriate level of assurance. Choosing the level of assurance is the normative part of this guide. With the rapid development of technology, through important updates of NIST, the guidelines for protecting digital identities are also moving in this direction. According to the SP 800-63-3 guideline, SMS is no longer recommended for multi-factor authentication. Identity verification and lifecycle management address the types of multi-factor authentication methods recommended by NIST. They include OTP (One Time Password) devices, MFA encryption software, and MFA encryption devices.
The document is an outline of digital authentication or identity proofing, for those digital services that do require it. It applies across multiple layers such as citizens, business partners and government entities, so it is a versatile document that is widely used and considered effective. Some of the transactions that don’t fall under the guidance are national security systems; in addition, organizations that require varying levels of auth may consider what the guidance provides.
The guidelines primarily focus on agency services that interact with the non-federal workforce. However, they can also apply to private sector partners accessing information sharing collaboration spaces. When applied to those internal agency systems accessed by employees and contractors, those individuals are expected to hold a valid government-issued credential such as a PIV card.
NIST SP 800-63 discusses the landscape of access control in a digital world. NIST’s definition of a digital identity is the unique representation of a subject engaged in an online transaction. The user or subject requests access to some digital service with their digital identity. The identity must be validated through a process called identity proofing, which verifies the person is who they claim to be before giving access to the system and information on the system. Ultimately, it prevents unauthorized access and protects the privacy of data. It is important to note the difference between authentication and authorization. Although a user’s digital identity is valid, the user may not have the privilege to view any data within the system.
You explained the access control and digital identity process extremely well. I agree with you that it’s very important to know the difference between authentication and authorization. Authentication is the process of identifying users and validating who they claim to be. Some of the examples of authorization are password-based authentication and two-factor/multi-factor authentication. Whereas, authorization happens after a user’s identity has been successfully authenticated. For example, RBAC.
Digital identity is proving someone is who they say they are. The method of recognizing a user’s identity is authentication. There are three factors of authentication: something you know, something you have and something you are. Something you know is the most common form of authentication. The idea is that you know a secret, often known as a password or a PIN, that’s stored in your memory and can be retrieved when needed. The second factor is something you have. This factor refers to information that you can physically carry with you. An example of this is a PIV card used by Federal Agencies. This smart card has a picture of the employee to identify the card holder and a microprocessor chip to grant them access to facilities and systems. These smart cards are usually used together with a password or PIN. Something you are is information that only pertains to you. It’s a characteristic that only you and no one else has. Examples are fingerprints, iris scans, retina scans and face and voice recognition.
Digital identity faces risks that other widely used digital technologies have exposed, such as a series of potential risks in the digital ecosystem, such as data leakage, technical vulnerabilities, malfunctions, and personal data misuse.
As the foundation of many applications such as personal life, work, and social interaction, digital identity creates important economic and social value. However, digital identity is not without the possibility of abuse, so it requires reasonable control and strong governance and legislative regulation.
All stakeholders can use a common framework to prioritize digital identity risks when formulating policies, implementing management, and system design.
Digital Identity is a huge topic. In trying to wrap my head around it, I wonder hoe biometrics and its uses in authentication are impacted by our established digital identities. Especially in government where biometrics is used in some of the most classified areas. If I can log into my phone with a fingerprint then someone already has a scan of my print and could use it against me at my government job. It’s definitely an interesting topic!
Digital identity is the unique representation of a subject engaged in an online transaction, is an online or networked identity adopted or claimed in cyberspace by an individual, organization or electronic device. The information contained in a digital identity allows for assessment and authentication of a user interacting with a business system on the web, without the involvement of human operators. And usually in the digital services, the organization will combining proofing, authenticator, and federation requirements into a single bundle, the digital identity risk management will help to identify the risk and impact level of digital authentication, decrease the security and privacy risk. After risk assessments, one of the important step is selected individual assurance levels for identity proofing, authentication, and federation. The individual assurance levels includes, IAL (The robustness of the identity proofing process to confidently determine the identity of an individual); AAL (The robustness of the authentication process itself, and the binding between an authenticator and a specific individual’s identifier), and FAL (The robustness of the assertion protocol the federation uses to communicate authentication and attribute information to an RP).
Hi Xinyi,
I agree with your opinion. The strength of authentication is described by a sequential measure called identity assurance level (IAL). Any attribute information that the applicant needs to provide is self-declared and does not need to be verified, because identification is not required in ial1. Ial2 and ial3 require authentication. The claimant needs evidence to prove the existence of the claimed identity in the real world and to verify that he has an appropriate connection with the real world identity in ial2. The applicant’s identification must be physical and its identity attributes must be verified in ial3 by an authorized and trained CSP representative.
As per the NIST SP 800 63-3, digital identity is the unique representation of a subject engaged in an online transaction. One point to note is that accessing a digital service does not mean that the subject’s real-life identity is known. The risk management section caught my attention as it determines the extent to which risk must be mitigated by the identity proofing, authentication, and federation processes. After risk management the next step is individual assurance levels. The assurance levels are IAL, AAL, and FAL. IAL is selected to mitigate potential identity proofing errors. AAL is selected to mitigate potential authentication errors. FAL is optional and is selected to mitigate potential federation errors.
Hi Priyanka, digital identity is important these days, especially that when engaging in online activity, the subject does not have to reveal its real identity in the real life, but it can be verified and authenticated through two factor or multi-factor authentication process to make sure they are the owner and user of that digital identity.
Hi Priyanka,
NIST made some updates, replacing the level of assurance (LOA) with a different range of assurance, and each level was changed to levels 1-3, including the identity assurance level, the identity verifier assurance level, and the federal assurance level. IAL is related to the identification process, or how the organization examines a person’s true identity based on their digital identity. The Authenticator assurance level introduces other factors and how it affects the mitigation of risks. The federation level is used to convey identity verification and attribute information to the relying party.
This publication provides guidelines for avoiding authentication errors, authentication errors, and Federation errors. In particular, with regard to authentication errors (i.e., a false applicant claims an identity that does not belong to them), there are two errors that need to be avoided; one attacker successfully proves as someone else and safely stores more information about one person than is necessary to successfully provide digital services. One of the particularly interesting parts I find is the potential impact of each injury. There are six categories, including the following potential impacts: inconvenience, distress or damage to reputation or reputation, financial loss, damage to institutional plans or public interests, unauthorized release of sensitive information, personal safety, civil or criminal violations.
Nice summary of the risks of errors in the authentication and federation spaces. I found this interesting in how credential service providers are to protect the information provided by users to prove their identity before their authentication credentials are provided . The steps that a CSP goes through to verify identities should help mitigate the risks of these errors.
In this document, the chapter six talks about the selecting assurance level. The risk assessment results are the primary factor in selecting the most appropriate levels. First, compare the risk assessment impact profile to the impact profile associated with each assurance level. To determine the required assurance, find the lowest level whose impact profile meets or exceeds the potential impact for every category analyzed in the risk assessment. There is table shoeing six categories, which include inconvenience, distress or damage to standing or reputation, financial loss or agency liability, harm to agency program or public interests, unauthorized release of sensitive information, personal safety and civil or criminal violations. Each of them ca rated as low, mod or high. This table allows companies and organizations accessing its application or its information technology system, and make a policy or plane to enhance its security.
Digital identity refers to the identifiable characterization of an individual through digital information. It can also be understood as the public/private key that condenses the real identity information into the form of digital code, so as to bind, query and verify the real-time behavior information of an individual. Digital identity not only includes birth information, individual description, biological characteristics and other identity coding information, but also involves a variety of attributes of personal behavior information. With the rapid development of the Internet and digitization, the importance of digital identity is also increasing dramatically. One of the characteristics of both the Internet age and the blockchain age is that they are “digital”. And the basis of digital activities is the user’s digital identity. Only when the user’s digital identity is true and effective can the information data of a series of activities and transactions associated with it be true and effective. Therefore, the development of digital identity system is inevitable.
SP 800-63 Digital Identity Guidelines: Provides the risk assessment methodology and an overview of general identity frameworks. It also includes risk-based process of selecting assurance levels.
Section 5 discusses the identity risk management and 6 shows you how to select the assurance level you need for the risk identified. Based on the risk and impact, you will choose one of three assurance levels within the following three categories: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL). For federated systems, agencies will select a third component, Federation Assurance Level (FAL).
The most interesting portions to me were the flow charts for the IAL, AAL and FAL assurance levels. For example, based on the results you had from the risk assessment, you use the flow chart to decide if IAL1, IAL2, or IAL3 were needed for the identity assurance of a system. Any time you needed to include the high value for any risk impact or a moderate for personal safety, you would recommend the highest level of assurance of each component or IAM3. The same can be said for AAL and FAL.
Hi, Jonathan. As you mentioned the IAL, AAL, and FAL, they have three different levels that are like the level of the CIA. The highest-level means that it provides the most control. For example, AAL3 provides the most complicated cryptographic authenticator. Because of this, the assurance level is the highest to protect the information system.
Hi, Jonathan, I totally agree with your points, SP 800-63A sets three IALs to reflect the options agencies may select from based on their risk profile and the potential harm caused by an attacker making a successful false claim of an identity. IAL1: There is no requirement to link the applicant to a specific real-life identity. IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.
With our lives and accounts living on the Internet, proving a digital identity is an important task to deter threats and mitigate risk. Three methods make sure a digital identity matches the person accessing it: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). Within each of these Assurance Levels, there are three sub-levels for agencies to choose from when assessing the potential harm an attacker can cause. Level 1 for each is the baseline method for making sure that an identity matches its digital and real counterpart, and is generally the least secure method. Level 2 introduces methods to prove a user is the authorized user, and Level 3 expands upon that with more secure authentication protocols. Typically, when combining Assurance Levels, the levels for each should be the same (e.g. IAL, AAL, and FAL are all Level 2). Having multiple secure methods to prove a digital identity may seem tedious, but it is very important to keep security to the highest standard.
Hi Krish, good analysis on the three IALs. I agree that having multiple secure methods to prove a digital identity is important in helping keep the organization's security safe. I think it's interesting how level 3 is able to be used to grant permissions for the lower IALs as well. In what scenarios would you think a Level 1 IAL would be sufficient?
Using digital identity improves the quality of authentication and minimizes potential risks via RP SHALL implementation. There are three levels of potential impact, from low to high. A high impact will affect both organizations and the public interest over a long period. A moderate impact affects the implementation of some significant projects and reduces effectiveness. Sometimes organizations will ignore a low impact because it is limited to some insignificant projects and does not affect any major operation. In these scenarios, organizations can use the "agencies SHOULD" guidance to identify the appropriate guidelines, so that they can develop secure and privacy-enhanced services. They can alternatively use "agencies MAY" to set up adjustments that are not described as solutions in SP 800-63, and they can also expand the controls with "agencies SHOULD". Organizations can combine "agencies SHOULD" and "agencies MAY" to create a policy on how to use digital identity to improve their internal controls.
Authentication and lifecycle management focus on the use of authenticators. Authentication uses three factors: something you know, something you have, and something you are. MFA is using one or more of the three factors.
In digital authentication, the person requesting access must have or control one or more authenticators to prove their identity. The authenticators contain secrets that only the valid identity owner will know. Some authenticators can be either public key pairs (asymmetric keys) or shared keys (symmetric keys). In asymmetric authentication, the claimant uses their private key and has knowledge of the owner's public key, using the combination to verify their identity. Shared secrets in symmetric authentication can be symmetric keys or even memorized secrets such as passwords and PINs. In this scenario, the only one with knowledge of this password or PIN is the person requesting access. In digital authentication, the authenticator is always a secret and unknown to anyone besides the owner, compared to common authentication factors using authenticators such as an ID or biometrics.
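The two authenticator types contrasted in the post above, shown as a challenge-response exchange with both sides' steps. This is an added example and not code from the page or from the NIST guidelines; it uses Go's standard-library Ed25519 for the public key pair and HMAC-SHA256 for the shared key, and the secret value and function names are constructed for the example. The point it makes beyond the text is where each side's secret lives: with a key pair the verifier stores only the public key, so a copy of the verifier's records cannot be used to answer a challenge, whereas with a shared key both sides hold the same secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewChallenge issues a fresh random nonce. The verifier generates one per
// attempt so that a response captured earlier is useless against a new challenge.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// GenerateKeyPair is the enrolment step for an asymmetric authenticator: the
// private key stays with the claimant, only the public key is given to the verifier.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	return pub, priv
}

// AsymmetricRespond is the claimant's side: sign the challenge with the private key.
func AsymmetricRespond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// AsymmetricVerify is the verifier's side: check the signature using only the
// public key enrolled for this subscriber.
func AsymmetricVerify(pub ed25519.PublicKey, challenge, response []byte) bool {
	return ed25519.Verify(pub, challenge, response)
}

// SymmetricRespond is the claimant's side for a shared key: prove knowledge of
// the secret by keying an HMAC over the challenge, never by sending the secret.
func SymmetricRespond(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// SymmetricVerify recomputes the HMAC with the verifier's copy of the same
// secret and compares in constant time.
func SymmetricVerify(secret, challenge, response []byte) bool {
	return hmac.Equal(SymmetricRespond(secret, challenge), response)
}

func main() {
	pub, priv := GenerateKeyPair()
	challenge, _ := NewChallenge()
	sig := AsymmetricRespond(priv, challenge)
	fmt.Println("asymmetric: valid response accepted:", AsymmetricVerify(pub, challenge, sig))
	fresh, _ := NewChallenge()
	fmt.Println("asymmetric: replayed response accepted:", AsymmetricVerify(pub, fresh, sig))

	secret := []byte("constructed shared secret enrolled with the verifier")
	resp := SymmetricRespond(secret, challenge)
	fmt.Println("symmetric: valid response accepted:", SymmetricVerify(secret, challenge, resp))
	fmt.Println("symmetric: wrong secret accepted:", SymmetricVerify([]byte("guess"), challenge, resp))
}
```

Both branches check a failure case as well as the success case: a signature replayed against a new challenge and an HMAC computed from the wrong secret are both rejected.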
This iteration of the Digital Identity Guidelines, NIST SP 800-63-3, is where the concepts of digital authentication assurance, AAL, IAL and FAL, are introduced. These components "support the independent treatment of authentication strength and confidence in an individual's claimed identity." It also provides a risk assessment method and application of these components. The document also highlights the roles pre- and post-authentication and verification, and how the components in the document can be used in conjunction with the Registration Authority or Identity Manager, aka Credential Service Providers. Section 5 is critical as it outlines the risk management model and method that are specific to Digital Identity Risk.
According to the document, digital identity is the unique representation of a subject engaged in an online transaction. Identity proofing establishes that a subject is who they claim to be. There are three components to identity assurance: IAL (identity assurance level) is the degree of confidence that the applicant's claimed identity is their real identity; AAL (authenticator assurance level) describes the strength of the authentication process; and FAL (federation assurance level) describes the assertion protocol used by the federation to communicate authentication and attribute information to a relying party. It is important to note that not all digital services require authentication or identity proofing. These guidelines apply to all transactions where digital identity or authentication is required. These guidelines primarily focus on agency services that interact with the non-federal workforce, such as citizens accessing benefits or private sector partners accessing information sharing collaboration spaces. It is also important to keep in mind that these guidelines do not address authentication for physical access such as buildings, though some authenticators used for digital access may also be used for physical access authentication. When assessing the potential impacts for each component of identity assurance, a level of "Low, Moderate, or High" is assigned to them, as per the FIPS 199 document.
I took from the reading that the federal government and agencies are encouraged to use federated identity architectures to improve the user experience and reduce costs associated with authentication. Federated architecture basically uses a single credential to drive access to multiple things. The user authenticates one time and the data used to house the credential is centralized. Agencies do not need to pay for the collection, storage, disposal and compliance activities that are associated with storing personal information. By federating the identity, the agency is able to focus on mission enablement rather than identity management.
Hi Heather,
A single credential, on paper, sounds insecure. But if it's federated, then it must have some security benefits that would make it useful in addition to making it easier to authenticate users. Identity management can be cumbersome, so having a method such as this makes sense.
The SP 800-63 Digital Identity Guidelines provide an overview of general identity frameworks, using authenticators, credentials, and assertions together in a digital system, and a risk-based process for selecting assurance levels. They mainly address how applicants can prove their identities and become enrolled as valid subscribers within an identity system. They provide requirements by which applicants can both identity-proof and enroll at one of three different levels of risk mitigation, in both remote and physically-present scenarios.
SP 800-63A sets three IALs to reflect the options agencies may select from based on their risk profile and the potential harm caused by an attacker making a successful false claim of an identity.
IAL1: There is no requirement to link the applicant to a specific real-life identity.
IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.
AAL1: Requires either single-factor or multi-factor authentication using a wide range of available authentication technologies.
AAL2: Proof of possession and control of two distinct authentication factors is required through a secure authentication protocol.
AAL3: Is based on proof of possession of a key through a cryptographic protocol.
NIST Special Publication 800-63 describes the risk management process used to select digital identity services and alliance assurance levels based on risk. The result of the risk assessment is the main factor in selecting the most appropriate assurance level. This guide covers how to apply the results of the risk assessment to determine the most appropriate level of assurance. Choosing the level of assurance is the normative part of this guide. With the rapid development of technology, and through NIST's important updates, the guidelines for protecting digital identities are also moving in this direction. According to the SP 800-63-3 guideline, SMS is no longer recommended for multi-factor authentication. Identity verification and lifecycle management address the types of multi-factor authentication methods recommended by NIST. They include OTP (One Time Password) devices, MFA encryption software, and MFA encryption devices.
The document is an outline of digital authentication or identity proofing for those digital services that do require it. It applies across multiple layers such as citizens, business partners and government entities, so it is a versatile document that is widely used and considered effective. Some of the transactions that don't fall under the guidance are national security systems; in addition, organizations that require varying levels of auth may consider what the guidance provides.
The guidelines primarily focus on agency services that interact with the non-federal workforce. However, they can also apply to private sector partners accessing information sharing collaboration spaces. When applied to those internal agency systems accessed by employees and contractors, those individuals are expected to hold a valid government-issued credential such as a PIV card.
NIST SP 800-63 discusses the landscape of access control in a digital world. NIST's definition of a digital identity is the unique representation of a subject engaged in an online transaction. The user or subject requests access to some digital service with their digital identity. The identity must be validated through a process called identity proofing, which verifies the person is who they claim to be before giving access to the system and the information on the system. Ultimately, it prevents unauthorized access and protects the privacy of data. It is important to note the difference between authentication and authorization. Although a user's digital identity is valid, the user may not have the privilege to view any data within the system.
Hi Anthony,
You explained the access control and digital identity process extremely well. I agree with you that it's very important to know the difference between authentication and authorization. Authentication is the process of identifying users and validating who they claim to be. Some examples of authorization are password-based authentication and two-factor/multi-factor authentication. Authorization, on the other hand, happens after a user's identity has been successfully authenticated, for example RBAC.
Digital identity is proving someone is who they say they are. The method of recognizing a user's identity is authentication. There are three factors of authentication: something you know, something you have and something you are. Something you know is the most common form of authentication. The idea is that you know a secret, often known as a password or a PIN, that's stored in your memory and can be retrieved when needed. The second factor is something you have. This factor refers to information that you can physically carry with you. An example of this is a PIV card used by federal agencies. This smart card has a picture of the employee to identify the card holder and a microprocessor chip to grant them access to facilities and systems. These smart cards are usually used together with a password or PIN. Something you are is information that only pertains to you. It's a characteristic that only you have and no one else. Examples are fingerprints, iris scans, retina scans, and face and voice recognition.
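The three factor categories from the post above, the "two distinct authentication factors" wording of AAL2 quoted earlier in the thread, and the authentication-versus-authorization distinction raised by Anthony, combined into one worked example. This is added code, not from the page or from NIST. The authenticator names, the role table and the access-decision function are constructed for the example; the one thing it shows that the prose does not spell out is that a password plus a PIN are both "something you know" and so count as a single factor, while a PIV card plus its PIN count as two.

```go
package main

import "fmt"

// Factor is one of the three authentication factor categories from the post.
type Factor int

const (
	SomethingYouKnow Factor = iota // password, PIN
	SomethingYouHave               // PIV card, OTP device
	SomethingYouAre                // fingerprint, iris scan
)

// Authenticator is one authenticator presented during login, tagged with the
// factor category it proves. Names are constructed for this example.
type Authenticator struct {
	Name   string
	Factor Factor
}

// DistinctFactors counts how many different factor categories the presented
// authenticators cover. Two "know" authenticators still cover only one factor.
func DistinctFactors(presented []Authenticator) int {
	seen := map[Factor]bool{}
	for _, a := range presented {
		seen[a.Factor] = true
	}
	return len(seen)
}

// MeetsTwoFactorRule applies the AAL2 wording quoted in the thread: proof of
// two distinct authentication factors, not merely two authenticators.
func MeetsTwoFactorRule(presented []Authenticator) bool {
	return DistinctFactors(presented) >= 2
}

// rolePermissions is a constructed RBAC table used for the authorization step.
var rolePermissions = map[string]map[string]bool{
	"analyst": {"read_report": true},
	"admin":   {"read_report": true, "delete_report": true},
}

// Authorize is the step that follows successful authentication: a subject whose
// identity has been accepted is still limited to what their role grants.
func Authorize(role, action string) bool {
	return rolePermissions[role][action]
}

// AccessDecision runs the two steps in order. Authorization is never evaluated
// for a subject that did not authenticate, so the second result is false then.
func AccessDecision(presented []Authenticator, role, action string) (authenticated, authorized bool) {
	if !MeetsTwoFactorRule(presented) {
		return false, false
	}
	return true, Authorize(role, action)
}

func main() {
	password := Authenticator{"password", SomethingYouKnow}
	pin := Authenticator{"PIN", SomethingYouKnow}
	piv := Authenticator{"PIV card", SomethingYouHave}

	fmt.Println("password + PIN distinct factors:", DistinctFactors([]Authenticator{password, pin}))
	fmt.Println("PIV + PIN distinct factors:", DistinctFactors([]Authenticator{piv, pin}))

	authn, authz := AccessDecision([]Authenticator{piv, pin}, "analyst", "delete_report")
	fmt.Printf("analyst with PIV+PIN deleting a report: authenticated=%v authorized=%v\n", authn, authz)
}
```

The analyst in the last line is a valid, authenticated subject who is still refused the action, which is the distinction the thread draws between proving an identity and holding a privilege.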