NIST offers technical guidance for e-authentication
- By William Jackson
- Jul 06, 2004
The technology required for verifying the identity of remote users accessing government systems has been outlined by the National Institute of Standards and Technology.
The Office of Management and Budget previously defined four levels of authentication assurance required for accessing systems, based on the seriousness of likely consequences if there is an error. Level 1 is the lowest level of certainty required and 4 is the highest. For instance, viewing public information or reserving a campsite online would require a lower level of assurance than accessing sensitive information or conducting financial transactions.
Agencies must do risk assessments for systems using remote authentication and determine the assurance level required for each.
NIST Special Publication 800-63, 'Electronic Authentication Guideline,' defines the technology to be used at each level described by OMB.
The NIST publication addresses only widely implemented authentication methods based on secrets such as passwords or cryptographic keys shared by the user and the verifying party.
The agency expects in the future to address other forms of authentication, such as biometrics or extensive knowledge of private but not secret information. Private but not secret information could include such data as birth date and mother's maiden name.
The document gives technical requirements at each of the four levels of assurance for the elements of the authentication process:
- Tokens: typically a cryptographic key or password
- Identity proofing: a user's proof of identity presented when a credential is issued
- Remote authentication mechanisms: the combination of credentials, tokens and authentication protocols used
- Assertion mechanisms: the way results of authentication are communicated to other parties.
Level 1 requires no identity proofing and allows any type of token, including a simple PIN. Little effort to protect the session from offline attacks or eavesdroppers is required.
Level 2 requires some identity proofing. Passwords are accepted, but not PINs. Attacks and eavesdropping are prevented using cryptographic methods meeting Federal Information Processing Standard 140-2 requirements.
Level 3 requires stringent identity proofing and multi-factor authentication, typically a password or biometric factor used in combination with a software or hardware token, in addition to FIPS-validated cryptography.
Level 4 is the highest level of assurance, requiring multi-factor authentication with a hardware token. Cryptography in the hardware token must be validated at FIPS 140-2 level 2 overall, with level 3 validation for physical security. Critical data being transferred must be authenticated with a key generated by the authentication process.
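As an added illustration, not from the article or from NIST's publication: a small Python check that encodes the four levels as summarized above and reports which requirements a given authentication configuration still lacks. The token names, the `AuthConfig` fields and the three sample configurations are assumed here and simplified from the article's summary, not taken from SP 800-63 itself.

```python
from dataclasses import dataclass

PROOFING_RANK = {"none": 0, "basic": 1, "stringent": 2}

@dataclass(frozen=True)
class AuthConfig:
    proofing: str                # identity proofing performed when the credential was issued
    tokens: frozenset            # any of: pin, password, biometric, software_token, hardware_token
    fips_140_2_level: int        # overall FIPS 140-2 validation level of the crypto (0 = none)
    physical_security_level: int # FIPS 140-2 physical-security level of the hardware token (0 = none)
    key_from_auth: bool          # critical data is protected with a key produced by the authentication

def gaps_for_level(cfg: AuthConfig, target: int) -> list:
    """List the article's requirements (levels 1..target) that cfg does not satisfy."""
    proof = PROOFING_RANK[cfg.proofing]
    secret = bool(cfg.tokens & {"password", "biometric"})
    possession = bool(cfg.tokens & {"software_token", "hardware_token"})
    rules = [  # (assurance level, requirement satisfied?, requirement)
        (1, bool(cfg.tokens), "at least one token (a PIN is enough)"),
        (2, proof >= 1, "identity proofing"),
        (2, bool(cfg.tokens - {"pin"}), "a token stronger than a bare PIN"),
        (2, cfg.fips_140_2_level >= 1, "FIPS 140-2 validated cryptography"),
        (3, proof >= 2, "stringent identity proofing"),
        (3, secret and possession, "multi-factor: password/biometric plus a software or hardware token"),
        (4, "hardware_token" in cfg.tokens, "hardware token"),
        (4, cfg.fips_140_2_level >= 2, "token cryptography validated at FIPS 140-2 level 2 overall"),
        (4, cfg.physical_security_level >= 3, "FIPS 140-2 level 3 physical security"),
        (4, cfg.key_from_auth, "critical data authenticated with a key from the authentication"),
    ]
    return [f"level {lvl}: {req}" for lvl, ok, req in rules if lvl <= target and not ok]

def max_assurance_level(cfg: AuthConfig) -> int:
    """Highest OMB level whose requirements (and those of every lower level) cfg meets."""
    level = 0
    for target in (1, 2, 3, 4):
        if gaps_for_level(cfg, target):
            break
        level = target
    return level

# Constructed sample configurations (not from the article), one per use case it mentions.
CAMPSITE = AuthConfig("none", frozenset({"pin"}), 0, 0, False)
PORTAL = AuthConfig("basic", frozenset({"password"}), 1, 0, False)
FINANCE = AuthConfig("stringent", frozenset({"password", "hardware_token"}), 2, 3, True)

if __name__ == "__main__":
    for name, cfg, required in (("campsite", CAMPSITE, 1), ("portal", PORTAL, 3), ("finance", FINANCE, 4)):
        print(name, "max level", max_assurance_level(cfg), "gaps for", required, gaps_for_level(cfg, required))
```

Comparing `max_assurance_level` against the level an agency's risk assessment demands gives the go/no-go decision; `gaps_for_level` lists what must change before a system may be opened at the higher level.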
William Jackson is a Maryland-based freelance writer.