Dan Xu says
From these guidelines, I learned that the digital identity model used reflects the technologies and architectures currently available on the market. More complex models are also available that separate functionality between more parties, such as issuing certificates and providing attributes. At the same time, there may be advantages in some application classes. In these guidelines, the party that is verified is called the claimant, and the party that verifies that identity is called the verifier. The verifier can verify that the claimant is a valid subscriber when the claimant successfully proves to the verifier that it owns and controls the verifier through the authentication protocol.
On the one hand, authentication cannot determine the authority of the claimant and is beyond the scope of these guidelines. But the RP can use the subscriber’s authentication identity and attributes, as well as other factors, to make authorization decisions.
Dan Xu says
Hi Zijian,
From that article I understand that the verifier can verify that the claimant is a valid subscriber when it successfully proves to the verifier that it owns and controls the verifier via the authentication protocol. I also agree that organizations have more confidence in the accuracy of the requester’s identity. On the other hand, where the authority of the claimant is beyond the scope and cannot be determined, authorization decisions can be made by the RP using the subscriber’s authentication identity and attributes, among other factors.
Dhaval Patel says
This document introduces components of digital authentication assurance including identity proofing process (IAL), authentication process (AAL), and strength of an assertion in a federated environment. These assurances can aid in the strength and confidence in an individual’s identity. This documentation provides the general breakdown of the identity frameworks, authenticators, credentials, and assertions in digital systems.
Madalyn Stiverson says
These guidelines talk about MFA and how the authentication method should use at least 2 of the below:
* something you know
* something you are
* something you have
It also talks about the potential failures of identity proofing. This could be caused by accidentally providing access to the wrong person (e.g., a hacker successfully getting into a system by authenticating as someone else). Or it could be due to excessive identity proofing. This is when you are storing more data than necessary to authenticate someone.
Kelly Sharadin says
Hi Madalyn,
Great point that excessive identity proofing can become a weakness within an authentication method. As you have mentioned, if authentication information is cached or stored within a service, attackers can intercept this data and use it to replay an authentication message. Ephemeral authentication methods like OTP can help thwart these types of attacks as well as reduce the overhead of storage the service needs to authenticate the claimant.
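To make the replay point above concrete, here is an added example (not part of the original comment or of NIST SP 800-63) of a verifier-side TOTP check in the style of RFC 4226/6238. The verifier keeps only the shared seed and the last time step at which it accepted a code; a captured code is bound to its time step and is rejected on replay. The seed, time step (30 s), digit count (6), hash (HMAC-SHA1) and one step of clock skew are all assumptions chosen for the demo; the seed is the public RFC 6238 test-vector key, not a real secret.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the ASCII key used by the RFC 4226/6238 test vectors.
# In a real deployment this is a per-subscriber secret that must be protected at rest.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30      # seconds per TOTP step (assumption)
DIGITS = 6          # code length (assumption)
SKEW_STEPS = 1      # accept one step either side of the verifier's clock (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    then reduce to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Verifier-side state: the shared seed plus the last accepted time step.

    Remembering the last accepted step is what defeats replay: a code that was
    already accepted (or any code for an earlier step) is refused even if it is
    still inside the skew window."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_accepted_step = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // TIME_STEP
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self._last_accepted_step:
                continue  # replay or out-of-order reuse: never re-accept a consumed step
            expected = hotp(self._secret, step)
            # Constant-time comparison so the verifier does not leak matching prefixes.
            if hmac.compare_digest(expected, candidate):
                self._last_accepted_step = step
                return True
        return False


def demo() -> dict:
    """Walk through accept, replay-reject, and accept-next-step; returns the outcomes."""
    v = TotpVerifier(DEMO_SEED)
    code_at_59 = totp(DEMO_SEED, 59)          # step 1
    first = v.verify(code_at_59, 59)          # fresh code: accepted
    replay = v.verify(code_at_59, 70)         # same step replayed 11 s later: rejected
    later = v.verify(totp(DEMO_SEED, 90), 90) # step 3, new code: accepted
    return {"first": first, "replay": replay, "later": later}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the verifier never stores anything a captured message could be replayed against: the only persistent items are the seed and a monotonically increasing "last accepted step". The seed itself remains a secret that must be protected at rest; ephemeral codes reduce what is exposed on the wire, not what the verifier must guard.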
kofi bonsu says
It was stated in the article that the guidelines offer technical requirements for federal agencies establishing digital identity services and are not meant to constrain development. The guidelines cover identity proofing and authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. They define technical requirements in each of the areas of identity proofing, registration, authenticators, management processes, authentication protocols, federation, and related assertions.
Patrick Jurgelewicz says
Similar to how information systems can differentiate their security needs by applying risk categorizations and levels, digital identities can be confirmed with a level of assurance based on IAL (Identity Assurance Level), AAL (Authentication Assurance Level), and FAL (Federal Assurance Level). By calculating the levels for each of the identity categories, organizations can then adequately protect user information and follow federal guidelines while also being reasonably sure of the user identity without needing unnecessary verification.
Michael Jordan says
Patrick,
I like how you compared IAL/AAL/FAL 1/2/3 with security categorizations. This is a good comparison to make because systems with higher security categorizations will typically require higher degrees of identity assurance as well.
-Mike
Michael Jordan says
A major takeaway of mine from NIST 800-63-3 is the difference between Enrollment and Identity Proofing (IAL) and Authentication and Lifecycle Management (AAL). IAL has to do more with the initial proof that someone is who they say they are, whether this proof is needed for a one-time service or a repeated subscription-like service. AAL has to do with the tools used for repeated authentication to access a product or service after the initial IAL is performed.
It is important to remember that there are also three different levels of IAL, AAL, and FAL. For instance, IAL1 is partially defined as the level that requires no link to a specific real life identity, but IAL3 requires the physical presence of a human being to be verified by a trained CSP representative. An example where IAL1 would be used is to create an account for an online service, e.g. a news site subscription. Creating an account serves as the IAL (IAL1), and the repeated login using the same credentials serves as the AAL (AAL1). As resources require more proof of real-life identity, the number of the designation increases until it gets to 3.
zijian ou says
These NIST standards ensure that someone is who they say they are before granting them access to digital services. These digital identity standards and other cybersecurity frameworks are part of a larger government strategy to reduce identity theft and fraud. NIST 800-63-3 is divided into three sections: registration and identity proofing, authentication and lifecycle management, and federation and assertion.
The higher the risk that an individual will access an account they should not, the more confidence an organization must have in the accuracy of the requester’s identity. Organizations garner increased confidence by adding further checks that individuals must pass before verifying their identity. Those checks are outlined in the levels of assurance defined by NIST: Identity Assurance Levels (IAL), Authenticator Assurance Levels (AAL), and Federation Assurance Levels (FAL).
Resources: https://insights.id.me/article/what-are-the-nist-800-63-digital-identity-guidelines/
Patrick Jurgelewicz says
Hey Zijian, I agree that one of the most important concepts outlined in this document is the need for increased assurance of an individual’s identity given the amount of sensitive information they have access to. The different assurance levels can help guide exactly what checks should be in place to verify someone’s identity.
Kelly Sharadin says
Similar to our cryptography reading, to ensure the requesting party (claimant) is who they claim to be, they must demonstrate to the verifier that they have possession and control of at least one, preferably more (MFA) authenticators to authenticate and validate their identity. Claimants demonstrate this authentication process as either AAL1 (single-factor authentication), AAL2 (two-factor authentication), or AAL3 (multi-factor authentication). AAL3 is the most robust authentication process because it utilizes software and hardware components. Combining multiple forms of authentication greatly reduces the potential for identity spoofing by an adversary.
Vraj Patel says
NIST 800-63-3 includes an overview of the general identity framework using the authenticator, credential, and assertions together in a digital system. This approach allows the agencies to set the assurance level based on a risk-based approach. The function of the Identity Assurance Level (IAL) is to identify and verify the user prior to granting access to the system. The Authenticator Assurance Level (AAL) is the process of authorizing the user’s access to the system. The Federation Assurance Level (FAL) provides the federated identity architecture requirements for the agencies.
zijian ou says
And by combining appropriate business and privacy risk management with mission requirements, an institution will choose IAL, AAL, and FAL as different options. While many systems have the same numerical level for each of IAL, AAL, and FAL, this is not a requirement, and agencies should not assume they are all the same in any given system.
Antonio Cozza says
What I found most interesting in NIST’s 800-63-3 is how the strength of identity proofing is measured, specifically by using the different IAL measurement levels. At IAL1, there is no required identity proofing. All information from the “applicant” is self-asserted. On the other hand, IALs 2 and 3 both require identity proofing. The RP will ultimately make the decision between whether IAL2 or IAL3 is used, depending on specific attributes required.
Kyuande Johnson says
Digital identity is proving someone is who they say they are. The method of recognizing a user’s identity is authentication. There are three factors of authentication: something you know, something you have, and something you are. Something you know is the most common form of authentication. The idea is that you know a secret, often known as a password or a PIN, that’s stored in your memory and can be retrieved when needed. The second factor is something you have. This factor refers to information that you can physically carry with you. An example of this is a PIV card used by federal agencies. This smart card has a picture of the employee to identify the card holder and a microprocessor chip to grant them access to facilities and systems. These smart cards are usually used together with a password or PIN. Something you are is information that only pertains to you. It’s a characteristic that only you and no one else has. Examples are fingerprints, iris scans, retina scans, and face and voice recognition.
Victoria Zak says
The individual assurance levels are IAL, AAL, and FAL. As the article mentions, IAL is the robustness of the identity proofing process to confidently determine the identity of an individual. IAL is selected to mitigate potential identity proofing errors.
AAL- The robustness of the authentication process itself, and the binding between an authenticator and a specific individual’s identifier. AAL is selected to mitigate potential authentication errors.
FAL- The robustness of the assertion protocol the federation uses to communicate authentication and attribute information to an RP. FAL is optional as not all digital systems will leverage federated identity architectures. FAL is selected to mitigate potential federation errors.
Lauren Deinhardt says
One takeaway in this reading is the crossover between NIST 800 63-3 and FIPS 199 security categorization principles. In order to effectively assess risk affiliated with digital transactions, FIPS 199 needs to be implemented alongside identity assurance levels, determining impact of various forms of loss.
Olayinka Lucas says
NIST SP 800-63-3 – The Digital Identity Guidelines establish risk-based processes for assessing risks for identity management activities and selecting appropriate assurance levels and controls. Organizations have the flexibility to choose the proper assurance level to meet their specific needs.
It serves as an umbrella publication introducing the digital identity model described in the SP 800-63-3 document suite. It frames identity guidelines in three significant areas:
• Federation and Assertions
• Enrollment and Identity Proofing
• Authentication and Lifecycle Management
In addition to serving as detailed guidelines in these areas, SP 800-63-3 addresses all factors involved in selecting the right Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL) for a given application.
These implementation resources are provided according to OMB memorandum M-19-17. While these resources reference normative guidelines in the SP 800-63-3 document suite and other documents, these resources are intended only as informative implementation guidance.