The framework used within Tuakiri is based on the NIST Electronic Authentication Guideline, NIST SP 800-63-2. The NIST guideline forms the basis of many assurance frameworks used internationally and was selected with a view to being interoperable with other federations.

...

The following is a brief summary of the levels. For further details, please refer to NIST SP 800-63-2.

Level 1 – Identity assurance
There is no identity proofing requirement at this level. However, the fact that the user is able to authenticate to the identity provider gives some assurance. It means the identity provider has some relationship with the user because they have issued them a credential (username and password or cryptographic key).

...

Level 2 – Identity assurance
At Level 2, identity proofing requirements are introduced, requiring presentation of identifying materials or information. Both in-person and remote registration are permitted. For in-person registration the applicant must be in possession of a primary government photo ID (such as a driver’s license or passport). For remote registration, the applicant submits the references of and attests to current possession of at least one primary government photo ID and a second form of identification. The applicant must provide to the registration authority at a minimum their name, date of birth, and current address or personal telephone number.

...

Level 3 – Authentication assurance
Level 3 authentication is based on proof of possession of a cryptographic key using a cryptographic protocol. Three kinds of tokens may be used to meet Level 3 requirements: a “soft” cryptographic token, a “hard” token, or a “one-time password” device token. Level 3 authentication assurance requires cryptographic strength mechanisms that protect the primary authentication token against compromise by eavesdropper, replay, on-line guessing, verifier impersonation and man-in-the-middle attacks. Level 3 also requires two-factor authentication; in addition to the key, the user must employ a password or biometric to activate the key.

Level 4 – Identity assurance
Remote registration is not permitted at this level. The applicant must appear in person before the registration officer. Presentation and verification of two independent ID documents or accounts is required, meeting the requirements of Level 3, one of which must be a current primary government photo ID that contains the applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport). A new recording of a biometric of the applicant at the time of application is also required to ensure the applicant cannot repudiate the application.

Level 4 – Authentication assurance
Level 4 is intended to provide the highest practical remote network authentication assurance. Level 4 authentication is based on proof of possession of a key through a cryptographic protocol. Level 4 is similar to Level 3 except that only “hard” cryptographic tokens are allowed, FIPS 140-2 cryptographic module validation requirements are strengthened, and subsequent critical data transfers must be authenticated via a key bound to the authentication process. The token shall be a hardware cryptographic module validated at FIPS 140-2 Level 2 or higher overall with at least FIPS 140-2 Level 3 physical security.

My organisation can only meet requirements for Level 1 at this time. Does that mean we’re not compliant with the Rules for Participants?

No. The purpose of the framework is to allow your organisation to describe the processes you have used to identify and authenticate users, using a standard vocabulary. Service providers can then use this information to determine whether to allow the user access to their service. If you only meet the requirements for Level 1, that is fine. However, it does mean that your users will not be able to access services that require higher levels.

...

Where can I find more information?

NIST SP 800-63-2 is available from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf. This document is the basis of Tuakiri’s levels of assurance framework.