Biometrics is a type of “something you are” authentication mechanism that uses a person’s physical characteristics such as their fingerprint or face. Additionally, it can be a behavioral characteristic such as typing cadence. Biometrics have limited use due to the inconsistencies and the false accept rate and false match rate. Interestingly, biometric characteristics are not considered secrets because they can be obtained online or by taking a picture. For example, fingerprints can be lifted off objects and faces can be gathered by taking pictures of people without their permission, then used to abuse the weaknesses of biometric authentication. Furthermore, biometric systems cannot stand alone and need to be complemented with “something you have” authentication.
There are multiple events that occur in the lifecycle of an Authenticator. These events include binding, loss, theft, unauthorized duplication, expiration and revocation.
Compromised authenticators include those that have been lost, stolen, or subject to unauthorized duplication. If and when an authenticator expires, it SHALL NOT be usable for authentication. Revocation, referred to as termination, refers to removal of the binding between an authenticator. If the subscriber no longer meets its eligibility requirements, this causes the surrender or certified destruction of any physical authenticator containing certified attributes signed by the CSP as soon as practical after revocation or termination takes place.
Zibai Yang says
SP 800-63B is mainly about authentication and lifecycle management.
In the entire life cycle of digital identity from design to implementation, creating value and gaining trust is essential. First, the design and implementation plan of digital identities needs to be based on a comprehensive assessment of the status of digital infrastructure, the degree of trust in institutions, and the policy environment; second, digital identities should be prioritized in areas that can create meaningful value for individuals and institutions, and continue to focus on providing an excellent user experience; finally, digital identity must solve related risk issues while releasing value, which requires careful design, good facilities, and standardized management as a guarantee.
Xinyi Zheng says
Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. Authentication can help to confirm the origin and integrity of data in electronic form and reduce the potential for fraud.
Authenticator Assurance Levels (AAL) are intended to provide some confidence in the authentication provided by an Identity Provider to a Relying Party (RP) at some desired Level of Assurance. AAL has three levels. AAL1 just needs to provide some assurance that the claimant controls the claim, and requires at least single-factor authentication. AAL2 is required to provide high confidence that the claimant controls the claim, using two different authentication factors (Multi-Factor Authentication). AAL3 needs to provide very high confidence that the claimant controls the claim, with authentication based on proof of possession of a key through a cryptographic protocol, and requires a “hard” cryptographic authenticator. With the higher-level authentication, malicious actors require better capabilities and must expend greater resources in order to successfully subvert the authentication process, which helps to reduce the potential for fraud.
Ting-Yen Huang says
Hi Xinyi, digital authentication is to make sure the person who claims who they are is actually who they are. Digital identity is a way for users to take actions on the internet. It does not reveal who they are in real life.
Priyanka Ranu says
This document mentions the threats and security considerations in regard to authenticators. An attacker who gains control of the authenticator will impersonate the authenticator’s owner. Something you know may be disclosed to an attacker, and something you have may be lost, damaged, stolen from the owner, or cloned by an attacker. For example, the attacker might guess a memorized secret such as a PIN or passcode. Another example is an attacker who gains access to the owner’s computer and copies a software authenticator.
Haozhe Lin says
Hi Priyanka,
Your reply is very interesting. What you have may be lost, damaged, stolen from the owner, or cloned by an attacker. For example, an attacker who gains access to the owner’s computer may copy the software verifier. Hardware verifiers may be stolen, tampered with, or copied. Out-of-band secrets may be intercepted by attackers and used to authenticate their own session.
Cami Chen says
Hi, Priyanka. I agree that you mentioned guessing a memorized secret. Some malicious people may observe the trace, such as a fingerprint on the keypad, to guess what your password is. I think cleaning the keypad regularly is important to avoid attackers guessing your password.
Haozhe Lin says
What I’m most interested in is the “certifier assurance level.” This section contains normative and informative materials. To meet the requirements of a specific AAL, the applicant should be certified as a subscriber at least to a certain extent. The result of the authentication process is an identifier that should be used every time a subscriber authenticates to the RP. The identifier can be a pseudonym. Subscriber identifiers should not be used repeatedly for different topics, but should be used repeatedly when the CSP re-registers previously registered topics. You can also provide additional properties that identify the subscriber as a unique topic.
Junhan Hao says
A digital authentication certificate is a digital certificate that, as the core encryption technology, can encrypt and decrypt the information transmitted on the network and perform digital signature and signature verification, to ensure the security and integrity of information transmitted on the Internet. If the registrant identifies a person, it does so through another person that the registrant trusts. The person the registrant trusts is the identity authority (which can be a natural person). Comparing the digital identity to a certificate, the digital certificate is a stamp or seal (or a signature added to the digital identity card) placed on the digital identity card by the identity authority. This behavior indicates that the identity authority has identified the person. The identity and access configuration life cycle refers to the creation, management, and deletion of accounts. Access control management is the set of tasks and responsibilities involved in managing accounts, access, and accountability throughout the account life cycle. These tasks are included in the three responsibilities of the identity and access configuration life cycle: configuration, account review, and account revocation.
Ting-Yen Huang says
A Memorized Secret authenticator, commonly referred to as a password or, if numeric, a PIN, is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. A memorized secret is something you know. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret.
Mei X Wang says
The memorized secret authenticator is one form of authenticator commonly used today; due to its simplicity, we often need to have another form of authentication layered as well. Some ways memorized secrets can be better protected are by setting complexity requirements, maximum password ages, and account lockout requirements as well.
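The rules discussed in the two posts above, as an added example that is not part of the thread or of NIST's own material: a verifier that applies a minimum length and a compromised-values blocklist at enrollment, stores only a salted iterated hash, and locks the account after repeated failures. The blocklist entries, the 8-character subscriber-chosen minimum, the lockout threshold and the PBKDF2 work factor are assumed policy values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed sample blocklist of compromised / commonly used values.
# A real verifier loads a large breach corpus; these entries are for illustration only.
COMPROMISED_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_CSP_CHOSEN_LEN = 6          # randomly chosen by the CSP/verifier: at least 6, may be all digits
MIN_SUBSCRIBER_CHOSEN_LEN = 8   # subscriber-chosen minimum (SP 800-63B 5.1.1.2); assumed policy value
LOCKOUT_THRESHOLD = 10          # assumed local policy; SP 800-63B caps failed attempts at 100
PBKDF2_ITERATIONS = 100_000     # assumed work factor for the salted hash


def check_memorized_secret(candidate: str, chosen_by_subscriber: bool = True) -> tuple:
    """Apply the acceptance rules: minimum length, then the compromised-values blocklist.

    Returns (accepted, reason). No composition rules (uppercase/symbol mixes) are imposed.
    """
    minimum = MIN_SUBSCRIBER_CHOSEN_LEN if chosen_by_subscriber else MIN_CSP_CHOSEN_LEN
    if len(candidate) < minimum:
        return False, f"too short (minimum {minimum} characters)"
    # Normalise case so 'Password' and 'PASSWORD' hit the blocklist as well.
    if candidate.lower() in COMPROMISED_BLOCKLIST:
        return False, "appears on the compromised-values blocklist; choose a different secret"
    return True, "ok"


def generate_csp_secret(length: int = MIN_CSP_CHOSEN_LEN) -> str:
    """Randomly chosen, entirely numeric secret drawn from a CSPRNG (e.g. an initial PIN)."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(secret: str, salt: bytes) -> bytes:
    # The verifier stores a salted, iterated hash, never the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(secret: str, chosen_by_subscriber: bool = True) -> Account:
    """Reject unacceptable secrets at enrollment; otherwise store only salt + hash."""
    accepted, reason = check_memorized_secret(secret, chosen_by_subscriber)
    if not accepted:
        raise ValueError(reason)
    salt = os.urandom(16)
    return Account(salt=salt, digest=_derive(secret, salt))


def verify(account: Account, candidate: str) -> bool:
    """Verify a claimant's secret, counting failures and locking after the threshold."""
    if account.locked:
        return False  # a locked account rejects every attempt, including the correct secret
    if hmac.compare_digest(_derive(candidate, account.salt), account.digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= LOCKOUT_THRESHOLD:
        account.locked = True
    return False
```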
Jonathan Castelli says
This document has a lot of material to digest. It addresses the appropriate AAL to use when a person wants to securely authenticate to a CSP. It defines and lists the requirements for the authenticator and verifier, such as single-factor, multi-factor, how to handle OOB verifiers, OTP verification, etc., for each AAL level. With authentication, it also appears there are more security threats to consider while managing the sessions and configuring the environment to account for the different AAL levels.
The portion I focused on was the session management and authenticator lifecycle management. During these sections, the article addresses how to handle the expiration and termination of the session. AAL1 says the session must be reauthenticated every 30 days. For AAL2, reauthentication is for 30 minutes of inactivity. For AAL3, reauthentication occurs after 15 minutes of inactivity. This portion was very interesting to me because the software I work with has a session management starting at 30 minutes. This would make me assume we are at AAL2. I’ll have to ask the powers that be if this is the level we are acting at.
Zhen Li says
Hi, Jonathan, thank you for your sharing. I also think the reauthentication is interesting: AAL1 has 30 days, AAL2 has 12 hours or 30 minutes inactivity, and AAL3 has 12 hours or 15 minutes inactivity.
Cami Chen says
Browser cookies can affect the confidentiality, integrity, and availability of the users’ PII, which they provide to users of the website. If the users turn off the cookies feature in their browser, their PII will not be saved in a cookie, and they can avoid the risk of disclosure of their privacy. However, many people often ignore the setting of cookies in the browser. In this document, there are several requirements for how to control the cookies. The company’s system admin can use these requirements to restrict the features of cookies on the employees’ devices, such as only enabling them on HTTPS sessions and disabling them in JavaScript. Although the impact of cookies is not as dangerous as computer viruses, they maintain the users’ sensitive information, and companies should create and implement a policy to mitigate the potential risk of using browser cookies.
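The two cookie controls named above (HTTPS only, not accessible from JavaScript) correspond to the Secure and HttpOnly attributes. As an added example that is not part of the thread, this builds a session cookie with those attributes and audits an observed Set-Cookie value for the ones that are missing; the cookie name and value are constructed.

```python
from http.cookies import SimpleCookie


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie value for a session cookie with the protective attributes set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # only sent over HTTPS sessions
    jar[name]["httponly"] = True    # not readable from JavaScript
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    # output(header="") yields " name=value; ..." so strip the leading space
    return jar.output(header="").strip()


def audit_set_cookie(header_value: str) -> list:
    """Report missing protections on an observed Set-Cookie value (e.g. from a proxy log)."""
    parts = [p.strip() for p in header_value.split(";")]
    # first part is name=value; the rest are attributes, compared case-insensitively
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie readable from JavaScript")
    if "samesite" not in attrs:
        findings.append("SameSite missing: cookie sent on cross-site requests")
    return findings
```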
Jonathan Castelli says
Most end users aren’t even aware how sessions end in the browser. When people re-visit sites after already being logged in, they are surprised they aren’t asked for their username or password again. Leaving sessions open with an unattended laptop is a great way to let someone view your email or access your banking information. Always lock your PC, log out of the session, and close the browser to help make sure the session isn’t left to time out.
Krish Damany says
I think it’s important that when using authenticators, those authenticators can have threats associated with them. Some of these threats include theft of the authentication device, duplication, eavesdropping, offline cracking, phishing, social engineering, and online guessing. Thankfully, this document shows methods to mitigate some of these. Theft can be mitigated with multi-factor authentication, duplication can be stopped if the authenticators make it hard to extract the code, eavesdropping can be stopped by using a closed network, and online guessing can be mitigated by having a lockout after a certain number of failed attempts. Having secure authenticators will make sure that digital identity is also secure.
Austin Mecca says
I think it’s important to be aware of the threats rather than think you can create a security feature that won’t have any threats. Being aware puts your security team in a far better position compared to assuming there are no flaws. I also think features such as lockout and two-factor are very good ways to mitigate; while they won’t do a 100% job, like most other things, they will help cover the vast majority.
Mei X Wang says
An interesting takeaway from the guidelines is the authenticator lifecycle management. These events can occur over the lifecycle and affect the authenticator’s use. Some things that may happen are binding, loss, theft, unauthorized duplication, expiration, and revocation.
Binding can be used because it is associated with a specific authenticator and with the subscriber’s account. It’s already used in conjunction with other authenticators, so no other authenticator is needed. It can be bound during enrollment; the CSP will bind at least two physical authenticators to the subscriber’s online identity, and multiple authenticators are bound in order to help the subscriber recover in case of loss or theft of the primary authenticator.
Post-enrollment binding requires the subscriber to add an additional authenticator at their existing AAL. An example may be requiring the subject to provide another authenticator when using an OTP device. The subscriber may also be required to add an additional factor to a single-factor account if they are requesting the account to be upgraded to a higher level of permissions.
Vanessa Marin says
The focus of NIST SP 800-63B is to provide the guidelines for Authentication and Lifecycle Management of Digital Identity. The components highlighted here are the Authenticator Assurance Levels, or AALs: AAL1 (single- or multi-factor authentication is required), AAL2 (two different authentication factors are required through secure authentication protocol(s)) and AAL3 (proof of authentication through possession of a key through an approved cryptographic protocol). It then goes into Permitted Authenticator Types, and Section 5 goes over the Authenticator and Verifier Requirements.
Heather Ergler says
I too found this portion of the reading interesting and how the authentication levels also relate back to the security level on the underlying data access guidelines. Basically, additional factors are added to an identity account if the individual has higher security clearance levels just like physical data.
Anthony Messina says
This paper goes into many of the possible threats against authentication. One of the many attacks that are mentioned is offline cracking. Offline cracking could be when a software PKI authenticator is subjected to a dictionary attack to identify the correct password to use to decrypt the private key. There is also a side-channel attack where a cryptographic authenticator secret is extracted by analysis of the response time of the authenticator over a number of attempts. Online guessing involves guessing authenticator outputs for an OTP device registered to a legitimate claimant. Lastly, the paper mentions eavesdropping as a possible threat. This can be memorized secrets being observed by watching keyboard entries or intercepted by keystroke-logging software.
Krish Damany says
Hi Anthony,
Dictionary attacks could prove very effective if users pick common terms for their passwords. Hopefully users make their passwords as unique as possible to prevent this method of cracking. Unique passwords would also foil online guessing, in addition to making a lockout after multiple wrong guesses.
Heather Ergler says
This reading focuses on authentication and lifecycle management. I learned about authenticator lifecycle management and the events in that lifecycle, including binding, loss, theft, unauthorized duplication, expiration and revocation. Authentication binding is establishing an association between a specific authenticator, like Active Directory, and the subscriber account to enable use of the authenticator. The authenticator is required to bind at least two authenticators to the subscriber’s online identity to meet the multifactor authentication requirements, like a password and a token or temporary secret. In addition, the binding has a lifecycle including binding of an additional authenticator at the existing AAL, adding an additional factor to a single-factor account, replacing a lost authenticator, binding to a subscriber-provided authenticator, renewal, loss, theft, damage and unauthorized duplication, expiration, revocation and termination. So there are lifecycles within lifecycles in the authentication cycle.
Zhen Li says
The key points that I take away from this document are the different requirements of each AAL. For the permitted authenticator types, AAL1 has Memorized Secret; Look-Up Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF Crypto Device. AAL2 has MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus. AAL3 has MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret. For FIPS 140 verification, AAL1 and AAL2 are level 1; AAL3 has level 1 and 2 overall and level 3 physical security.
For reauthentication, AAL1 has 30 days; AAL2 has 12 hours or 30 minutes of inactivity; AAL3 has 12 hours or 15 minutes of inactivity. For the security controls, AAL1 uses the SP 800-53 Low Baseline, AAL2 uses the SP 800-53 Moderate Baseline, and AAL3 uses the SP 800-53 High Baseline.
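As an added example (not code from the document or from the post above), here is a session check that applies the reauthentication limits summarized in the post: 30 days at AAL1, 12 hours or 30 minutes of inactivity at AAL2, and 12 hours or 15 minutes of inactivity at AAL3. The Session record, the reference clock T0 and the rule that activity after the idle timeout does not revive the session are assumptions made for the example.

```python
# Added example: reauthentication policy per AAL. The Session layout, the
# constructed reference clock T0 and the touch() semantics are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# AAL -> (maximum session lifetime, maximum inactivity); None = no idle limit
REAUTH_LIMITS = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference clock


def at(**delta) -> datetime:
    """T0 plus a timedelta given as keyword args, e.g. at(minutes=20)."""
    return T0 + timedelta(**delta)


@dataclass
class Session:
    aal: int
    authenticated_at: datetime   # last time the claimant actually authenticated
    last_activity_at: datetime   # last request seen on this session


def limits_for(aal: int) -> Tuple[timedelta, Optional[timedelta]]:
    if aal not in REAUTH_LIMITS:
        raise ValueError(f"unknown AAL {aal}")
    return REAUTH_LIMITS[aal]


def reauth_required(session: Session, now: datetime) -> Optional[str]:
    """Return None while the session is still valid, otherwise the reason
    the claimant must reauthenticate."""
    lifetime, idle = limits_for(session.aal)
    if now - session.authenticated_at >= lifetime:
        return "session lifetime exceeded"
    if idle is not None and now - session.last_activity_at >= idle:
        return "inactivity timeout"
    return None


def touch(session: Session, now: datetime) -> bool:
    """Record activity on a session. Returns False, leaving the session
    untouched, if reauthentication is already required: a request arriving
    after the idle timeout must not silently extend the session."""
    if reauth_required(session, now) is not None:
        return False
    session.last_activity_at = now
    return True


if __name__ == "__main__":
    s = Session(aal=2, authenticated_at=T0, last_activity_at=T0)
    for minutes in (10, 29, 31):
        print(minutes, reauth_required(s, at(minutes=minutes)))
```

Note that the lifetime check compares against the time of the last authentication, not the last activity, so an AAL2 or AAL3 session that is kept busy still expires after 12 hours.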
Wenyao Ma says
NIST Special Publication 800-63B, “Digital Identity Guidelines, Identity Verification, and Life Cycle Management”, includes instructions for assurance levels and storage secret requirements. The authentication levels of the authenticator are: AAL1 requires single-factor authentication, AAL2 requires two authentication factors to improve security, and AAL3 requires the use of a hardware-based authenticator and verifier to simulate resistance. In addition, you can find in this document threats to authenticators used for digital authentication and threat mitigation mechanisms to mitigate these threats.
Austin Mecca says
I found the memorized secret verifiers system interesting, as it is a very common find from both the consumer and organization side. It goes into depth on what makes up the password creation process. It goes over what restrictions, minimum requirements, and additional resources to help people create stronger passwords are included. As of more recently, websites have been incorporating “password strength” meters, showing someone how strong the password they typed in (but did not submit) is. This helps those who may not understand that attackers can crack easy passwords extremely fast due to advanced computing.
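As an added example (not code from the document or from the post above), here is a memorized secret verifier that applies the kind of restrictions and minimum requirements the post refers to, plus a simple strength-meter estimate. The 8-character minimum, the requirement to accept secrets of at least 64 characters, the comparison against a list of commonly used or breached values, and the absence of character-composition rules follow SP 800-63B section 5.1.1.2 as I read it; the blocklist contents, the strength formula and the PBKDF2 parameters are assumptions made for the example.

```python
# Added example: memorized secret acceptance checks, a strength-meter
# estimate, and salted PBKDF2 storage. BLOCKLIST is a constructed stand-in
# for a real breached-password list; PBKDF2_ITERATIONS is an assumed work
# factor; the length limits follow SP 800-63B 5.1.1.2 as I read it.
import hashlib
import hmac
import math
import os
import unicodedata
from typing import Optional

MIN_LEN = 8
MAX_LEN = 64                 # verifier must accept at least this many characters
PBKDF2_ITERATIONS = 210_000  # assumed work factor
SALT_LEN = 16

# constructed stand-in for a list of commonly used / previously breached secrets
BLOCKLIST = {"password", "12345678", "qwertyuiop", "iloveyou", "letmein1"}


def normalize(secret: str) -> str:
    """NFKC-normalize so the same visible secret always hashes the same way."""
    return unicodedata.normalize("NFKC", secret)


def reject_reason(secret: str) -> Optional[str]:
    """Return None if the secret is acceptable, otherwise why it was rejected.
    Length and the blocklist are the only gates: there is deliberately no
    'must contain a digit and a symbol' composition rule."""
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return f"shorter than {MIN_LEN} characters"
    if len(s) > MAX_LEN:
        return f"longer than {MAX_LEN} characters"
    if s.lower() in BLOCKLIST:
        return "commonly used or previously breached"
    return None


def strength_bits(secret: str) -> float:
    """Strength-meter estimate: bits assuming a uniform draw from the character
    classes actually present. Feedback for the user, not an acceptance gate."""
    s = normalize(secret)
    pool = 0
    if any(c.islower() for c in s):
        pool += 26
    if any(c.isupper() for c in s):
        pool += 26
    if any(c.isdigit() for c in s):
        pool += 10
    if any(not c.isalnum() for c in s):
        pool += 33
    return len(s) * math.log2(pool) if pool else 0.0


def store(secret: str) -> bytes:
    """Record kept by the verifier instead of the secret: salt || PBKDF2 hash.
    An offline cracker must pay PBKDF2_ITERATIONS per guess per record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def check(record: bytes, candidate: str) -> bool:
    """Recompute the hash for the candidate with the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    for pw in ("Password", "short", "correct horse battery staple"):
        print(repr(pw), reject_reason(pw), round(strength_bits(pw), 1))
```

The strength estimate is intentionally crude; it only illustrates the "typed but not submitted" feedback the post describes, and it is the blocklist check, not the meter, that rejects a secret.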
Anthony Wong says
Biometrics is a type of “something you are” authentication mechanism that uses a person’s physical characteristics, such as their fingerprint or face. Additionally, it can be a behavioral characteristic such as typing cadence. Biometrics have limited use due to the inconsistencies and the false accept rate and false match rate. Interestingly, biometric characteristics are not considered secrets because they can be obtained online or by taking a picture. For example, fingerprints can be lifted off objects and faces can be gathered by taking pictures of people without their permission, then used to abuse the weaknesses of biometric authentication. Furthermore, biometric systems cannot be standalone and need to be complemented with “something you have” authentication.
Kyuande Johnson says
There are multiple events that occur in the lifecycle of an authenticator. These events include binding, loss, theft, unauthorized duplication, expiration and revocation.
Compromised authenticators include those that have been lost, stolen, or subject to unauthorized duplication. If and when an authenticator expires, it SHALL NOT be usable for authentication. Revocation, also referred to as termination, refers to removal of the binding between an authenticator and the subscriber account. If the subscriber no longer meets its eligibility requirements, this causes the surrender or certified destruction of any physical authenticator containing certified attributes signed by the CSP as soon as practical after revocation or termination takes place.
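As an added example (not code from the document or from any of the posts), the following registry models the authenticator lifecycle events described in Heather Ergler's and Kyuande Johnson's posts above: binding an authenticator to a subscriber account, marking it compromised after loss, theft or duplication, expiring it, and revoking the binding, with the rule that an expired, compromised or revoked authenticator cannot be used. The record layout, the status names, the constructed reference clock T0 and the "two distinct usable factors" MFA check are assumptions made for the example.

```python
# Added example: authenticator lifecycle registry. Record layout, status
# names, the reference clock T0 and the meets_mfa rule are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference clock


def days(n: int) -> datetime:
    """T0 plus n days, used as the 'now' argument below."""
    return T0 + timedelta(days=n)


@dataclass
class Authenticator:
    authenticator_id: str
    factor: str                        # "know" / "have" / "are"
    expires_at: Optional[datetime]     # None = no expiry
    status: str = "active"             # active | compromised


@dataclass
class Subscriber:
    subscriber_id: str
    authenticators: Dict[str, Authenticator] = field(default_factory=dict)


class Registry:
    def __init__(self) -> None:
        self.subscribers: Dict[str, Subscriber] = {}

    def bind(self, subscriber_id: str, authenticator_id: str, factor: str,
             now: datetime, lifetime_days: Optional[int] = None) -> None:
        """Establish the association between an authenticator and a subscriber account."""
        sub = self.subscribers.setdefault(subscriber_id, Subscriber(subscriber_id))
        if authenticator_id in sub.authenticators:
            raise ValueError("authenticator already bound")
        expires = now + timedelta(days=lifetime_days) if lifetime_days is not None else None
        sub.authenticators[authenticator_id] = Authenticator(authenticator_id, factor, expires)

    def report_compromised(self, subscriber_id: str, authenticator_id: str) -> None:
        """Lost, stolen or duplicated: the authenticator must no longer be usable."""
        self.subscribers[subscriber_id].authenticators[authenticator_id].status = "compromised"

    def revoke(self, subscriber_id: str, authenticator_id: str) -> None:
        """Revocation / termination: remove the binding entirely."""
        del self.subscribers[subscriber_id].authenticators[authenticator_id]

    def usable(self, subscriber_id: str, authenticator_id: str, now: datetime) -> bool:
        """True only for a bound, active, unexpired authenticator."""
        sub = self.subscribers.get(subscriber_id)
        auth = sub.authenticators.get(authenticator_id) if sub else None
        if auth is None or auth.status != "active":
            return False
        if auth.expires_at is not None and now >= auth.expires_at:
            return False   # expired: SHALL NOT be usable for authentication
        return True

    def usable_factors(self, subscriber_id: str, now: datetime) -> Set[str]:
        sub = self.subscribers.get(subscriber_id)
        if sub is None:
            return set()
        return {a.factor for a in sub.authenticators.values()
                if self.usable(subscriber_id, a.authenticator_id, now)}

    def meets_mfa(self, subscriber_id: str, now: datetime) -> bool:
        """Assumed rule: at least two distinct usable factor types are bound."""
        return len(self.usable_factors(subscriber_id, now)) >= 2


if __name__ == "__main__":
    reg = Registry()
    reg.bind("alice", "pw-1", "know", now=days(0))
    reg.bind("alice", "otp-1", "have", now=days(0), lifetime_days=30)
    print("day 1 MFA:", reg.meets_mfa("alice", days(1)))
    print("day 30 MFA:", reg.meets_mfa("alice", days(30)))
```

Revocation deletes the binding rather than flagging it, matching the description of revocation as removal of the binding; a production system would keep an audit record of the event separately from the live binding table.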