Security Architecture

MIS 5214 - Section 001 - David Lanter

Security Architecture

MIS 5214.702 ■ Spring 2021 ■ Wade Mackey
NIST SP 800 63-3 “Digital Identity Guidelines”

March 3, 2021 by Wade Mackey 19 Comments

Filed Under: 08 - Access Control

Comments

  1. Megan Hall says

    March 5, 2021 at 5:44 pm

    This reading provided an introduction to the Digital Identity Guidelines, which are intended to be used as technical guidelines to implement digital authentication. The publication defined a digital identity to be a “unique representation of a subject engaged in an online transaction” and outlined the three key components of the guidelines: Identity Assurance, Authenticator Assurance, and Federation Assurance. Each of these components had a decision tree to walk the implementor through which risk characteristics were present and help determine what appropriate level should be selected for each. The levels correspond to the FIPS 199 categories and the end-product of the assessment would be a Digital Identity Acceptance Statement, which would include the assessed assurance levels, implemented assurance levels, rationale if the implemented level was not the same as the assessed level, a comparability demonstration if compensation controls were used, and a rationale if federated identification would not be accepted.

  2. Nicholas Fabrizio says

    March 6, 2021 at 11:14 am

    This NIST document describes how a subject can have multiple digital identities for different services, such as one for email and one for social media. It is important to identify the subject to make sure they are who they claim to be, especially in higher-risk services like financial institutions. The guideline breaks down identity assurance into two components: Identity Assurance Level (identity proofing process) and Authenticator Assurance Level (authentication process). There is a third component called Federation Assurance Level (FAL), but this component is only used in federated systems. Each of these components has different assurance levels ranging from 1-3, which are based on risk.

  3. Christa Giordano says

    March 7, 2021 at 10:38 am

    The Digital Identity Risk Management section in this guideline clearly articulated the requirements and considerations to think about when determining the appropriate assurance levels (or LOA) for the Identity Assurance Level (IAL), the Authenticator Assurance Level (AAL) and the Federation Assurance Level (FAL). When used correctly, this section will assist organizations in avoiding errors and failures associated with identity proofing, authentication, and federation. The section notes the importance of assessing these risks separately to ensure the required assurance level for each transaction is considered. The risk assessment section includes the categories of harm and impact, such as financial loss, unauthorized release of sensitive information, or personal safety, and guidelines to consider when assessing the impact value of these categories, which will be rated as either high, moderate, or low. Finally, the guidance provides specific decision trees to help an organization determine the appropriate assurance level, which will be rated on a scale of 1-3 based on the overall determination of risk, which includes the results of the risk assessment performed and other factors or considerations such as risk acceptance and compensating controls.

  4. Mitchell Dulaney says

    March 7, 2021 at 12:18 pm

    An important takeaway from this reading is an understanding of digital identity risk management and an understanding of the different digital identity assurance levels that must be selected by an organization, of which there are three. First is the identity assurance level, referring to the degree of confidence with which a user’s identity can be determined. Second is the authenticator assurance level, the degree of confidence with which the organization can verify a user’s authentication claim. Third is the federation assurance level, which is a measure of how secure that authentication claim is during data communication. These are collectively referred to as xAL, and the levels chosen by the organization should be in line with the level of digital identity risk the organization has accepted.

  5. Christopher Clayton says

    March 7, 2021 at 12:45 pm

    The Digital Identity Guidelines give a rundown of risk management processes for choosing appropriate digital identity services and the details for applying two non-federated levels called identity assurance (making sure the applicant’s identity is legitimate) and authenticator assurance (strength of the authentication process); and for a combined system, the federation assurance level (an assertion used to communicate authentication and feature information to a “Relying Party”) based on the threat. The authentication process drew my attention because it maintains privacy defense by alleviating the threats of unauthorized entry to a person’s information, and also includes privacy conditions to assist in lessening potential related privacy risks.

    • Panayiotis Laskaridis says

      March 8, 2021 at 7:45 pm

      Hi Christopher,

      I enjoyed this part as well. I never thought about identity management in this light before. Not only is there authentication, but there is also a risk rating system.

  6. To-Yin Cheng says

    March 7, 2021 at 12:50 pm

    Digital identity is the unique representation of a subject for an online transaction. These guidelines do not address physical access authentication, nor do they address device identity. It reflects the availability of technology and the architecture of the digital identity model. There are three levels of an ordinal measurement: AAL1, AAL2, and AAL3. These are the strength of the authentication process. AAL1 provides some assurance that the authenticator is tied to the subscriber account by using single-factor or multifactor authentication. AAL2 provides high confidence that the authenticator is tied to the subscriber account by using two-factor authentication and approved cryptographic techniques. AAL3 uses a hardware-based authenticator and an authenticator that provides verifier imitation resistance to bind the authenticator to the subscriber’s account, thereby providing a very high degree of confidence.

    • Elias Harake says

      March 9, 2021 at 11:23 am

      Hi To-Yin. Thank you for bringing up the importance of digital identity being a unique representation of a subject for transactions transmitted over online networks. The three levels (AAL1, AAL2, and AAL3) are used to assess the risk levels of authentication. As you indicated in your comment, AAL3 does provide the highest level of authentication since it provides verifier imitation resistance to bind the authenticator to the subscriber’s account.

  7. Charlie Corrao says

    March 7, 2021 at 1:10 pm

    One key point from this reading was the graphical representations of IAL, AAL, and FAL. IAL is related to identity assurance, AAL refers to authentication assurance, and FAL refers to the strength of an assertion in a federal environment. These charts solidify what we read about each assurance level. The corresponding descriptions for each question in the decision tree also helped justify why an assertion is a 1, 2, or 3. The overall xALs that are chosen are based on the individual organization’s risk tolerance levels in conjunction with the decision tree.

  8. Jonathan Mettus says

    March 7, 2021 at 2:55 pm

    NIST SP 800 63-3 “Digital Identity Guidelines” hammers home the point that verifying digital identities is hard and full of opportunities for attackers. The biggest thing I learned about was the three components of identity assurance: IAL (refers to the identity proofing process), AAL (refers to the authentication process), and FAL (refers to the strength of an assertion in a federated environment, used to communicate authentication and attribute information (if applicable) to a relying party (RP)). Agencies choose levels for each of the three based on risk. And the risk to each needs to be evaluated independently. It’s helpful thinking of the levels 1, 2, and 3 relating to low, moderate, and high.

  9. Lakshmi Surujnauth says

    March 7, 2021 at 4:41 pm

    An interesting takeaway from this reading is digital identity risk management. Similar to the typical RMF, risks are identified, assessed & categorized. Based on these impact levels, individual assurance for identity proofing, authentication and federation are determined, along with processes and technologies necessary for each assurance level. Risks of identity proofing, authentication and federation include financial loss, unauthorized release of sensitive information, personal safety, etc. The required level of assurance is then determined based on FIPS 199 security categorization.

  10. Quynh Nguyen says

    March 7, 2021 at 5:02 pm

    The key takeaway from this reading is identity proofing. The person being proofed is usually the applicant; when they have been authenticated, they are the subscriber. IAL is an ordinal measurement that describes the strength of identity proofing. At IAL1, identity proofing is not required; any information is self-asserted and not verified. IAL2 and IAL3 require proofing, and the CSP must assert information about the subscriber, like attribute values and identifiers. The RP may require IAL2 or IAL3 but only require specific attributes. AAL1 requires single-factor authentication, AAL2 requires two-factor authentication, and the highest level, AAL3, requires the additional use of a hardware-based authenticator and verifier impersonation resistance.

  11. Xiduo Liu says

    March 7, 2021 at 5:40 pm

    An authenticator was divided into three factors: something you know, something you have, and something you are. MFA refers to any time more than one of those factors is invoked. The more factors employed, the more robust the authentication system. An interesting detail in this text is, “Knowledge-based authentication, where the claimant is prompted to answer questions that are presumably known only by the claimant, also does not constitute an acceptable secret for digital authentication.” In addition, “A biometric also does not constitute a secret. Accordingly, these guidelines only allow the use of biometrics for authentication when strongly bound to a physical authenticator.”

  12. Wei Liu says

    March 7, 2021 at 6:17 pm

    These guidelines describe the risk management processes for selecting appropriate digital identity services and provide mitigations to the vulnerabilities inherent online. The guidelines cover identity proofing and authentication of users interacting with IT systems over open networks. Identity proofing establishes that a subject is who they claim to be. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. There are three assurance levels for each of identity, authenticator, and federation. The assurance level determination is only based on transactions that are part of a digital system. To determine the appropriate level of assurance of the user’s asserted identity, agencies shall assess the potential risks and identify measures to minimize their impact.

  13. Elias Harake says

    March 7, 2021 at 8:09 pm

    An important takeaway that interested me from NIST SP 800-63-3 Digital Identity Guidelines was that the guideline provides technical requirements for federal agencies implementing digital identity services. Digital identity is important in order to better manage cybersecurity threats and mitigate risks. According to the guideline, three methods can make certain the identity of an entity. These three methods are: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). For each of these methods, there are three sub-levels for governmental agencies to choose from when analyzing potential harm from an attacker. Usually, when combining the different methods, all three levels should match and be the same. If a threat is thought to be high value for any risk impact or moderate for personal safety, one should recommend the highest level of assurance for each portion.

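Several of the comments above (Megan Hall on the Digital Identity Acceptance Statement, Christa Giordano on the high/moderate/low impact categories, and Elias Harake on the "high anywhere, or moderate for personal safety, means the highest level" rule) describe the same selection logic in words. The following Python is an added illustration of that logic and is not code from the course page or from NIST. It assumes a simplified decision rule (only the impact branch of the guideline's decision trees, and only the three harm categories named in the discussion), evaluates IAL, AAL and FAL independently, and checks that a deviation between the assessed and implemented level carries the rationale and comparability demonstration the acceptance statement is said to require. The function names, the `SAMPLE` ratings and the `AcceptanceStatement` fields are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Impact ratings and the three harm categories named in the discussion.
# Assumption: SP 800-63-3 lists more categories; these three suffice here.
RANK = {"low": 1, "moderate": 2, "high": 3}
CATEGORIES = ("financial_loss", "sensitive_info_release", "personal_safety")
XALS = ("IAL", "AAL", "FAL")


def select_level(impacts: Dict[str, str]) -> int:
    """Return an assurance level 1-3 from per-category impact ratings.

    Rule as summarised in the comments: HIGH in any category, or MODERATE
    for personal safety, selects level 3; any other MODERATE selects 2;
    all LOW selects 1. Assumption: this collapses the guideline's decision
    trees to their impact questions only.
    """
    if set(impacts) != set(CATEGORIES):
        raise ValueError(f"expected exactly these categories: {CATEGORIES}")
    bad = [r for r in impacts.values() if r not in RANK]
    if bad:
        raise ValueError(f"unknown impact rating(s): {bad}")
    worst = max(RANK[r] for r in impacts.values())
    if worst == 3 or RANK[impacts["personal_safety"]] >= 2:
        return 3
    if worst == 2:
        return 2
    return 1


def assess(per_xal_impacts: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Evaluate IAL, AAL and FAL independently, each from its own risk assessment."""
    missing = set(XALS) - set(per_xal_impacts)
    if missing:
        raise ValueError(f"no risk assessment supplied for {sorted(missing)}")
    return {xal: select_level(per_xal_impacts[xal]) for xal in XALS}


@dataclass
class AcceptanceStatement:
    """Fields the discussion lists for a Digital Identity Acceptance Statement."""
    assessed: Dict[str, int]
    implemented: Dict[str, int]
    rationale: Dict[str, str] = field(default_factory=dict)
    comparability: Dict[str, str] = field(default_factory=dict)
    federation_not_accepted_rationale: Optional[str] = None


def build_statement(assessed: Dict[str, int], implemented: Dict[str, int],
                    rationale: Optional[Dict[str, str]] = None,
                    comparability: Optional[Dict[str, str]] = None,
                    federation_not_accepted_rationale: Optional[str] = None
                    ) -> AcceptanceStatement:
    """Reject a statement whose implemented levels deviate without justification.

    A differing implemented level needs a rationale; a lower implemented level
    additionally needs a comparability demonstration for the compensating controls.
    """
    rationale = rationale or {}
    comparability = comparability or {}
    for xal in XALS:
        if implemented.get(xal) not in (1, 2, 3):
            raise ValueError(f"{xal}: implemented level must be 1, 2 or 3")
        if implemented[xal] != assessed[xal] and xal not in rationale:
            raise ValueError(f"{xal}: implemented {implemented[xal]} differs from "
                             f"assessed {assessed[xal]} without a rationale")
        if implemented[xal] < assessed[xal] and xal not in comparability:
            raise ValueError(f"{xal}: lower level requires a comparability demonstration")
    return AcceptanceStatement(dict(assessed), dict(implemented), dict(rationale),
                               dict(comparability), federation_not_accepted_rationale)


# Constructed sample: a service handling financial records behind a federated login.
SAMPLE = {
    "IAL": {"financial_loss": "moderate", "sensitive_info_release": "moderate", "personal_safety": "low"},
    "AAL": {"financial_loss": "high", "sensitive_info_release": "moderate", "personal_safety": "low"},
    "FAL": {"financial_loss": "low", "sensitive_info_release": "low", "personal_safety": "low"},
}

if __name__ == "__main__":
    levels = assess(SAMPLE)  # {'IAL': 2, 'AAL': 3, 'FAL': 1}
    statement = build_statement(
        levels, {"IAL": 2, "AAL": 2, "FAL": 1},
        rationale={"AAL": "hardware authenticators not yet issued to all users"},
        comparability={"AAL": "constructed placeholder for the compensating-control write-up"},
    )
    print(statement)
```

The point the `build_statement` check makes is the one the comments stress: the assessed level is the output of the risk assessment, while the implemented level is a management decision, and the statement exists so that every gap between the two is written down with its justification rather than silently accepted.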
  14. Panayiotis Laskaridis says

    March 7, 2021 at 9:31 pm

    The concept of digital identity is a very complex one. It can be a double-edged sword, but it can also be great for business. It is important that identity authentication is only used when absolutely necessary in order to protect the human user. If I am accessing anything financial online, I should have to verify my identity. The same goes for healthcare. That being said, you don’t need to verify your human identity on the internet to uniquely browse. As a matter of fact, just about anyone who doesn’t know any better carries around with them a digital fingerprint. There might not be a name or person tied to this fingerprint, but there are thousands upon thousands of actions tied to this fingerprint. For example, I do know better, but I still don’t know how to erase my own digital fingerprint. coveryourtracks.eff.org illustrates this for you. I am blocking ads and my identity may or may not be concealed, but my fingerprint is prevalent. This is because you are sharing dozens of different identifiers when you surf the web. The combination of things like your browser, your OS, your screen size, your fonts, your IP address, cookies, etc. all make up a unique identifier for you. So even without knowing your name, hackers can still identify you.

    • Michael Doherty says

      March 7, 2021 at 11:13 pm

      Panayiotis,
      Thank you for sharing your thoughts. You have extremely helpful insight and examples of why digital identity is a complex concept. I really liked the idea of blocking ads, which may conceal your identity, but your fingerprint may be prevalent. That is a double-edged sword.

  15. Michael Doherty says

    March 7, 2021 at 11:10 pm

    The decision trees that were presented were a helpful example of how companies can rank certain risks. From a risk audit perspective, this type of assessment could be helpful in determining where an audit should be emphasized. Keeping this assessment in mind would help the company create a risk assessment that could be reviewed for transfer, mitigation, and avoidance, especially because not every risk could be reviewed during an audit.

  16. Ashleigh Williams says

    March 7, 2021 at 11:21 pm

    This reading describes digital identity and provides details on how to determine one’s digital identity level. The reading provides a thorough understanding of digital identity, which is the unique identity of someone involved in an online transaction. What I found interesting is that not all transactions require a digital identity. There are two components of digital identity. First, identity proofing establishes that a subject is who they claim to be, and digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. With this, agencies determine their digital identity level in relation to proofing and authentication. Federal agencies have an additional level to adhere to, which is the federal assurance level, which refers to the strength of an assertion in a federated environment, used to communicate authentication and attribute information to a relying party.

Fox School of Business