The 4 levels of authentication in a mobile world
Connecting state and local government leaders
The growing use of remote devices to access government resources spurs NIST to revise its guide on how to select the right authentication technology for groups of users.
The National Institute of Standards and Technology is updating guidelines for authenticating the identity of remote online users of government IT systems to reflect the growing use of mobile and other remote devices.
Special Publication 800-63-2, Electronic Authentication Guideline, defines technical requirements for each of four levels of assurance for federal information systems, focusing on authentication schemes already widely deployed, based on shared secrets. Biometrics also can be used for higher levels of authentication. The publication does not break new technical ground, but is intended to guide agencies in the process of selecting the proper method of authentication based on the level of security needed for each system.
The current version of SP 800-62 is Revision 1, finalized in 2011. Revision 2, now in draft form, will replace it when approved. Comments on the draft of Revision 2 should be sent by March 4 to eauth-comments@nist.gov.
The proliferation of increasingly powerful mobile devices such as smart phones and tablets, in addition to the use of laptops and home PCs, and the growing availability of technologies such as Public-Key Infrastructure to provide strong authentication of remote users has changed the way systems control access to assets. Passwords still are the leading mechanism for authenticating user identity, but a growing number of systems rely on cryptographic keys or physical tokens to provide stronger authentication for resources that require greater security.
The Office of Management and Budget lays out a five-step process for implementing the proper level of assurance for remote authentication: Risk assessment, mapping risks to proper level of assurance, selecting the technology for e-authentication, validating the implemented system and periodically reassessing risks and needs. SP 800-63 gives guidance for implementing the third step, selecting the technology.
The more serious the consequences of unauthorized access to a system, the higher the level of assurance required.
Level 1: the lowest level, requires no identity proofing of a remote user before issuing electronic credentials for access. Authentication can be done with a simple password challenge-response protocol, although such a method is vulnerable to third-party attacks.
Level 2: single-factor remote network authentication still is allowed, but identity proofing can be required, in which the remote user must first prove his or her identity before receiving credentials. A wide variety of authentication techniques can be used, including memorized secret tokens, pre-registered knowledge tokens, look-up secret tokens, out of band tokens and single factor one-time password devices.
Level 3: requires multi-factor authentication, proving possession of the proper token through the use of cryptography. The remote user can unlock the token with a password or biometric, or use a secure multi-token authentication protocol.
Level 4: the highest level, requires the highest practical level of assurance. This is based on proving possession of a key through a cryptographic protocol, and only hard cryptographic tokens are used, rather than software-based tokens. This can be met by using the FIPS 201 compliant Personal Identity Verification (PIV) card authentication key.
Trust of assertions made during the authentication process is enabled though the Security Assertion Markup Language, an XML-based security specification developed by the Organization for the Advancement of Structured Information Standards. Although SAML was emerging in 2006 when SP 800-63 was first published, it was not widely used in government at that time. It can provide scalability in authentication schemes and is one of the significant advances in the guidelines as they have been revised.