NIST SP 800 63-3 “Digital Identity Guidelines”

February 23, 2022 by David Lanter 22 Comments

Filed Under: 08 - Access Control

Comments

  1. Mohammed Syed says

    February 27, 2022 at 7:10 pm

    In today’s digitalized world digital identity has become more important than physical identity, as it has become a daily necessity. We can access the digital world by authenticating ourselves to access various social and financial services via an online identity. It determines and validates the authorization to access any service over the internet. There are various challenges all over the digitalized world that are increasing day by day, such as spoofing, impersonation, and other fraud activities. There are many guidelines available for the risk management process for selecting a proper digital identity service, and implementing identity assurance, authentication assurance, and federation assurance levels based on risk assessment. However, in this digital era identity guidelines are important to understand digital identity risk and threat management, which helps to understand the digital identity assurance level needed by all businesses. It helps to choose the right risk management process for a digital identity service and provides mitigation techniques to minimize vulnerability and the threat environment. Today, almost all work by everyone is done with a digital identity such as a social engineering identity, financial service identity, and other services which are available for general or daily use.

  2. Yangyuan Lin says

    March 1, 2022 at 5:59 pm

    NIST SP 800 63-3 provides technical requirements for organizations that provide digital identity services. Its purpose is to regulate the development and use of standard digital identity services. The guidance covers ID and authentication of users interacting with open networks and government IT systems. The guide defines requirements for identification, registration, authenticators, management processes, authentication protocols, and more. These NIST standards focus primarily on making sure someone is who they say they are before granting someone access to a digital service. They are outlined in NIST-defined assurance levels: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). IAL refers to registration and identification to ensure that it is “this people”, such as a copy of a driver’s license, which requires a state-certified ID. AAL refers to the process by which a digital identity attempts to access a server, such as when a one-time password is sent to an individual’s registered mobile phone. FAL is Federated Identity Management involving a user authenticated by a third-party Identity Provider (IdP), attempting to access a Service (Service Provider) or Relying Party (RP) through a token or assertion sent to the Service by the IdP, “FAL” ( Federation Assurance Level) refers to the strength of the assertions used to convey authentication and attribute information to the RP.

  3. Oluwaseun Soyomokun says

    March 5, 2022 at 3:19 am

    Digital identity is an important component used to ensure the validity of personnel over the network or over a digital medium, and it faces a proofing authentication challenge.
    Digital authentication used for access control establishes the subject attempting to access a digital medium or services in one or more associated roles based on the information provided or supplied to the digital system, and it enforces privilege and confidentiality of information to be accessed. The NIST Special Publication explains the technical importance of using the risk assessment and implementation guidelines to prove their digital identity within the agency where implemented for the two non-federated system role and system component selections referred to as Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL), and for federated systems which use the third component referred to as Federation Assurance Level (FAL). These components help in establishing the validity of the user to the access control infrastructure implemented to authenticate the access to the system.

  4. Elizabeth Gutierrez says

    March 5, 2022 at 10:27 am

    A recurring theme in this chapter was the three components of identity assurance: IAL, AAL, and FAL. More specifically, IAL is related to Identity assurance, AAL refers to Authentication assurance, and FAL refers to the strength of an assertion in a federal environment. I found the graphical representations and corresponding descriptions along with the decision tree to be helpful for determining an organization’s risk tolerance level.

  5. Shubham Patil says

    March 5, 2022 at 2:40 pm

    The digital identity is a unique representation of the physical subject, or individual, in the online world that is engaged in an online transaction. This transaction could be as simple as just logging into a single service, or as complex as performing an e-commerce transaction across multiple services or websites. The purpose of the digital identity is often limited to use in the context of the service alone and does not necessarily need to include all the physical-world attributes or information of the individual.

    The NIST guidelines document provides an excellent summary of what constitutes Levels of Assurance for each of the three key processes mentioned above. Levels of Assurance for a process, for all practical purposes, are indicators of the “strength” of the identity and access management controls implemented as part of that process. Typically, they range from level 1 to level 3. Below is a series of tables that are included in the guideline document that provide the summaries.

  6. Corey Arana says

    March 5, 2022 at 3:19 pm

    NIST SP 800 63-3 speaks about digital identity, the model, risk management and assurance levels. The one key point I found interesting was 4.3.1 Authenticators. It speaks about MFA and the three main authentication factors: 1. Something you know, such as your password. 2. Something you have, like your ID badge. 3. Something you are, such as a facial recognition scan. The more of these factors are used, the more strength the system has for authentication.

    • Jason Burwell says

      March 8, 2022 at 10:18 am

      Hello Corey,

      I also found this section very interesting, and I agree the more authenticators required, the more secure.

  7. Matthew Bryan says

    March 6, 2022 at 12:18 pm

    NIST SP 800 63 provides the risk assessment methodology and a general overview of identity frameworks, authenticators, credentials, and assertions in relation to digital identity. Digital identity “is the unique representation of a subject engaged in an online transaction.”

    Federating digital identities across applications offers many benefits from a security perspective, as detailed in section 4.4 (page 14). These include enhanced user experience, cost reduction, data minimization, and other benefits that improve the efficiency of identity management. I found this section interesting because the implementation of federated identity is perceived as a positive change by users. Federation provides a better user experience as users do not need to remember different passwords across separate relying parties.

    Applying security controls can be perceived as an inconvenience by users, e.g. MFA using an authenticator app. With federation, the implementation is perceived favorably by users and helps to secure the user’s identity.

  8. Bryan Garrahan says

    March 6, 2022 at 1:11 pm

    I found it really interesting to see how the FIPS 199 standard, which we’ve talked about a lot in this class as well as the protection of information assets course, is correlated to the NIST SP 800-63-3 standard. Professionals responsible for assessing the risk impacts of IAL (identity proofing process), AAL (authentication process), and FAL (federated verification process) as they relate to their digital and information assets within their organizations can refer to the FIPS 199 assessment results to ensure assurance levels are being met. If assurance is not adequate, the risk impacts to IAL, AAL, and FAL can be updated (i.e. strengthened) to ensure they are in alignment with the security standards of the system.

    • Matthew Bryan says

      March 6, 2022 at 5:43 pm

      I also thought the reference to FIPS 199 was interesting in this publication. It makes sense to consider digital identity from a risk management perspective. Using FIPS 199 allows for the protection of the service commensurate with its impact value. For example, validating the identity of a user accessing tax information has a much different profile than an application managing building permits.

      I appreciate how these documents work together and align on the same standards. This makes it much easier to communicate to stakeholders and implement the recommended guidelines.

  9. Ryan Trapp says

    March 6, 2022 at 10:38 pm

    This NIST document focused on implementing digital identity services. I found the section on the Digital Identity Model to be the most informative. Specifically, the figure on page 10 that outlined the interactions and entities that comprise the digital identity model. The left side of the figure shows the enrollment, lifecycle management activities and various states of ID proofing. The right side shows the entities and interactions involved with using an authenticator to perform digital authentication. I found it helpful to have these processes illustrated in a diagram and then having the various steps outlined underneath. While this model is a simple representation, it is also clear that the functions outlined can be separated and more complex models can be created in doing so.

  10. Michael Duffy says

    March 7, 2022 at 12:20 am

    I found Business Process vs. Online Transaction to be interesting in how collecting data online might not have to be tied to the offline business process of handling data. For example, handling resumes would require AAL2 instead of AAL1 because online resumes would have personal data associated with them and can be later resumed when the user chooses to access the portal. However, the organization hiring for new jobs does not have to provide identity proofing because it is not necessary to apply extra security controls that might decrease the visibility (or availability) of the job listing. Instead, this is a separate process for after the candidate is selected. To me, it’s interesting to see how vastly differently digital identity matters for online transactions than for offline business functions.

  11. Alexander William Knoll says

    March 7, 2022 at 10:45 pm

    Reading NIST SP 800 63-3, one thing that stood out to me was section 5.3.2, rating the impact (low, moderate, high) based on the category of harm (damage to reputation, financial loss, unauthorized release of sensitive information, etc.) It really paints a picture on a recurring theme of this program – how to determine the impact level for specific events. For example, if an organization faces a short-term inconvenience or something embarrassing, the impact would be graded as low. On the other hand, distress or serious damage to the organization’s reputation would be graded as high. Looking at financial impact, an insignificant financial loss would be graded as low, whereas a catastrophic financial loss would be graded as high.

    • Corey Arana says

      March 8, 2022 at 4:27 pm

      I thought this section was interesting to read as well. I like your example. I feel that something embarrassing could be more serious than a rating of low. Company image is important in today’s world. That definitely could affect the financial loss for a company.

  12. Hang Nu Song Nguyen says

    March 8, 2022 at 8:39 am

    The NIST 800-63-3 guidelines are the third version to provide technical requirements for federal agencies implementing digital identity services. The guidelines cover identity proofing and authentication of users interacting with government IT systems over open networks. NIST 800-63-3 is also used by other entities. The guidelines provide three main assurance levels: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). IAL and AAL refer to non-federated systems. IAL is a self-asserted identity that conveys the degree of confidence that the applicant’s claimed identity is his/her real identity. There are three requirements: IAL1 (zero self-assert), IAL2 (remote or in-person identity proofing), and IAL3 (adds to the steps required at IAL2). AAL covers how additional factors can impact risk mitigation in the authentication process. There are also 3 requirements: AAL1 (requirement of single or multi-factor authentication using a secure authentication protocol), AAL2 (proof of possession of two distinct authentication factors), and AAL3 (proof of possession of a key through a cryptographic protocol). FAL is a category describing the assertion protocol used in a federated environment to communicate authentication and attribute information to a relying party. There are also 3 requirements: FAL1 (assertions need to be signed by the identity provider), FAL2 (assertions must be encrypted by the identity provider), and FAL3 (the user must be able to prove possession of a cryptographic key bound to the assertion).

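The FAL1 assertion exchange summarized in the comment above (IdP signs an assertion, RP accepts it only after checking it), written out as an added example; this is editorial code, not from the NIST document or from any commenter. It assumes a constructed HMAC shared key as a stand-in for the IdP's signing key (a real FAL1 deployment signs with the IdP's private key and the RP verifies with the public key), constructed issuer and RP URLs, and a constructed subject and attribute set. It does not implement FAL2 encryption or FAL3 holder-of-key proof.

```python
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real IdP signs with a private key; the
# shared HMAC key here is a stand-in so the block runs on the standard library only.
IDP_ISSUER = "https://idp.example"
IDP_KEY = b"constructed-idp-signing-key"


def idp_issue_assertion(subject, rp_id, attrs, now=None, ttl=300):
    """IdP side: build an assertion bound to one RP (aud) with a short lifetime and sign it."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": IDP_ISSUER,
        "sub": subject,   # pseudonymous subject identifier, not a real-life identity
        "aud": rp_id,     # audience restriction: only this RP may accept the assertion
        "iat": now,
        "exp": now + ttl,
        "attrs": attrs,   # attribute information conveyed to the RP
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


class RelyingParty:
    """RP side: accept an assertion only if signature, issuer, audience, lifetime and freshness all check out."""

    def __init__(self, rp_id, idp_key):
        self.rp_id = rp_id
        self.idp_key = idp_key
        self.seen = set()  # signatures already consumed, so a captured assertion cannot be replayed

    def verify(self, assertion, now=None):
        now = int(time.time()) if now is None else now
        body, _, sig = assertion.rpartition(".")
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"   # tampered, or not issued by the IdP (FAL1 check)
        payload = json.loads(body)
        if payload.get("iss") != IDP_ISSUER:
            return None, "unknown issuer"
        if payload.get("aud") != self.rp_id:
            return None, "wrong audience"  # issued for a different RP
        if now >= payload.get("exp", 0):
            return None, "expired"
        if sig in self.seen:
            return None, "replayed"
        self.seen.add(sig)
        return payload, "ok"


if __name__ == "__main__":
    rp = RelyingParty("https://rp.example", IDP_KEY)
    assertion = idp_issue_assertion("user-7", "https://rp.example", {"role": "user"})
    print(rp.verify(assertion))                     # accepted
    print(rp.verify(assertion))                     # second use is rejected as a replay
    print(rp.verify(assertion.replace('"role":"user"', '"role":"admin"')))  # edited body fails the signature
```

The point of the RP-side checks is that a signature alone is not enough: an assertion that was genuinely issued by the IdP can still be the wrong one for this RP (audience), too old (expiry), or one that has already been consumed (replay), and each of those is rejected separately so the failure reason is visible in logs.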
  13. Jason Burwell says

    March 8, 2022 at 10:01 am

    This reading explained Digital Identity Guidelines

    Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known. Identity proofing establishes that a subject is who they claim to be. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity.

    A key part of the reading was understanding the components of identity assurance; they were detailed as follows:

    • IAL refers to the identity proofing process.
    • AAL refers to the authentication process.
    • FAL refers to the assertion protocol used in a federated environment to communicate authentication and attribute information to an RP.

    A section that stood out to me was 4.3.1, Authenticators.

    It explained Authenticators as:

    Something you know (e.g., a password).
    Something you have (e.g., an ID badge or a cryptographic key).
    Something you are (e.g., a fingerprint or other biometric data).

    I think this is key because in my opinion the more of these required, the more secure the asset will be, requiring all 3 of these to me would be ideal.

    • Yangyuan Lin says

      March 8, 2022 at 12:36 pm

      Hi Jason,
      I think you’re right: a higher rating means it offers more control, which means more security. For example, AAL3 provides the most complex password validator, and it also has the highest level of information protection, which is more secure.

  14. Amelia Safirstein says

    March 8, 2022 at 11:39 am

    I found section 5.4 on “Risk Acceptance and Compensating Controls” to be interesting. The section covers guidelines on what the compensating controls need to achieve to be acceptable. This section shows that the document takes into consideration the differences in the needs and current setup/technologies of different agencies.

  15. Ornella Rhyne says

    March 8, 2022 at 6:27 pm

    This article talks about digital identity. It has different meanings, and it’s really hard to prove if the person I am communicating with is actually a person, not a dog or a computer robot. Three components of digital identity were mentioned in the reading: the identity proofing process, the authentication process, and the strength of an assertion in a federated environment, used to communicate authentication and attribute information (if applicable) to a relying party (RP). These guidelines support scenarios that will allow pseudonymous interactions even when strong, multi-factor authenticators are used.
    Authentication comes in to verify the identity, and it could be a password, token code or biometric, etc.

  16. Joshua Moses says

    March 9, 2022 at 12:05 pm

    Individuals are identified in many ways, such as our names, age, address, profession and many more. We see these identities on many forms called identity instruments. Some examples are driver’s licenses, social security cards, birth certificates, insurance cards, and even work and school badges. Having all of these forms of identification, and the way we use them on a daily basis, whether online or physically in person, makes our control over PII (Personally Identifiable Information) very limited. Hackers are constantly attempting to access and exploit this information.

    • Bryan Garrahan says

      March 9, 2022 at 3:23 pm

      Thanks for sharing, Joshua. It’s easy to assume when you see a breach that a company or its people were negligent. However, the vast amount of sensitive user/consumer data that is out there makes managing identities in and of itself really difficult and strenuous.

  17. Miray Bolukbasi says

    April 19, 2022 at 1:35 pm

    This informative NIST publication helps organizations secure online transactions through digital authentication controls. The framework explains the risk management process for selecting controls and implementing assurance based on risk. The components of identity assurance include the identity proofing process, authentication process, and assertion protocol. NIST recommends:
    • a risk assessment methodology that looks at identity frameworks, using authenticators, credentials, and assertions
    • enrollment and identity proofing that addresses applicant identity proofing via one of three different levels of risk mitigation
      • when an applicant applies to a CSP through the enrollment process, the CSP identity proofs the user, and if it is successful the user becomes a subscriber
      • an authenticator and credential are established between the CSP and subscriber
    • addressing how a user securely authenticates to a CSP to access a digital service
      • authenticators check something the user knows, the user has, and the user is

