Dissecting NIST Digital Identity Guidelines

Similar documents
hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

A HOLISTIC APPROACH TO IDENTITY AND AUTHENTICATION. Establish Create Use Manage

See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How?

FedRAMP Digital Identity Requirements. Version 1.0

Measuring Authentication: NIST and Vectors of Trust

Single Secure Credential to Access Facilities and IT Resources

hidglobal.com Still Going Strong SECURITY TOKENS FROM HID GLOBAL

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Trust Services for Electronic Transactions

FIDO AS REGTECH ADDRESSING GOVERNMENT REQUIREMENTS. Jeremy Grant. Managing Director, Technology Business Strategy Venable LLP

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

The Benefits of EPCS Beyond Compliance August 15, 2016

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Who s Protecting Your Keys? August 2018

Securing Personal Mobile Device Access to Enterprise IT and Cloud Assets with Strong Authentication

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

HID Mobile Access. Simple. Secure. Smart.

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

PKI Credentialing Handbook

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

U.S. E-Authentication Interoperability Lab Engineer

HID goid Mobile ID Solution

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Identity Management as a Service

The Next Generation of Credential Technology

As Enterprise Mobility Usage Escalates, So Does Security Risk

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Access Management Handbook

Identity Management. Rolf Blom Ericsson Research

HID goid Mobile ID Solution

Leveraging HSPD-12 to Meet E-authentication E

Safelayer's Adaptive Authentication: Increased security through context information

SWAMID Person-Proofed Multi-Factor Profile

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

IDENTITY AND THE NEW AGE OF ENTERPRISE SECURITY BEN SMITH CISSP CRISC CIPT RSA FIELD CTO

Authentication Methods

PKI and FICAM Overview and Outlook

Enterprise Adoption Best Practices

Security Strategy for Mobile ID GSMA Mobile Connect Summit

Network Security Essentials

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

USER AUTHENTICATION GUIDANCE FOR INFORMATION TECHNOLOGY SYSTEMS

MOBILITY TRANSFORMING THE MOBILE DEVICE FROM A SECURITY LIABILITY INTO A BUSINESS ASSET E-BOOK

Choosing the right two-factor authentication solution for healthcare

SAP Single Sign-On 2.0 Overview Presentation

TRUST ELEVATION WITH SAFELAYER TRUSTEDX. David Ruana, Helena Pujol 14Q4

Cryptologic and Cyber Systems Division

Next Generation Authentication

PSD2: Risks, Opportunities and New Horizons

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Canadian Access Federation: Trust Assertion Document (TAD)

Overview. Premium Data Sheet. DigitalPersona. DigitalPersona s Composite Authentication transforms the way IT

DigitalPersona for Healthcare Organizations

Canadian Access Federation: Trust Assertion Document (TAD)

A Practical Step-by-Step Guide to Managing Cloud Access in your Organization

How Next Generation Trusted Identities Can Help Transform Your Business

Identity and Authentication PKI Portfolio

AS emas emudhra Authentication Solution

Security Solutions for Mobile Users in the Workplace

Authentication Technology for a Smart eid Infrastructure.

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

Introduction of the Identity Assurance Framework. Defining the framework and its goals

Canadian Access Federation: Trust Assertion Document (TAD)

Integrated Access Management Solutions. Access Televentures

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Adobe Sign and 21 CFR Part 11

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Canadian Access Federation: Trust Assertion Document (TAD)

Prof. Christos Xenakis

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Prof. Christos Xenakis

Using Biometric Authentication to Elevate Enterprise Security

SWAMID Identity Assurance Level 2 Profile

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Strategies for the Implementation of PIV I Secure Identity Credentials

SAML-Based SSO Solution

Canadian Access Federation: Trust Assertion Document (TAD)

Interagency Advisory Board Meeting Agenda, August 25, 2009

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Canadian Access Federation: Trust Assertion Document (TAD)

Authentication Work stream FIGI Security Infrastructure and Trust Working Group. Abbie Barbir, Chair

Canadian Access Federation: Trust Assertion Document (TAD)

4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3 Released May hidglobal.

4TRESS FT2011 Out-of-Band Authentication and Juniper Secure Access

SAML-Based SSO Solution

Intel and Symantec: Improving performance, security, manageability and data protection

New Paradigms of Digital Identity:

Yubico with Centrify for Mac - Deployment Guide

FPKIPA CPWG Antecedent, In-Person Task Group

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

The NIST Cybersecurity Framework

Transcription:

Dissecting NIST 800-63 Digital Identity Guidelines KEY CONSIDERATIONS FOR SELECTING THE RIGHT MULTIFACTOR AUTHENTICATION

Embracing Compliance More and more business is being conducted digitally whether at work as an employee or at home as a consumer or citizen. Yet, the digital identities that protect access to these services have not kept pace with that expansion. The challenges of identifying and authenticating users of network systems are prevalent, as evidenced by the fact that the majority of data breaches are still caused by weak or stolen credentials. To complicate things, employees, consumers and citizens have different needs in term of convenience, security, cost and user experience. This ebook breaks down the assurance levels, risk considerations and options for becoming NIST 800-63 compliant.

Ensuring Risk-appropriate Security with Diverse Population Needs The majority of data breaches are still caused by weak or stolen credentials. To address application and use case challenges, the National Institute of Standards and Technologies (NIST) published Digital Identity Guidelines SP 800-63-3. SP 800-63 is a set of documents that provides guidelines on how to identify and authenticate users over internal networks or the Internet. SP 800-63 does not require a set level of security. Rather, it provides a methodology for organizations to determine a level of risk for each application and use case and to provide a set of options to mitigate those risks.

Levels of Assurance (LOA): Confidence in Digital Identities Digital identities do not fit into the one size fits all category. Not all applications and use cases require the same assurance level (i.e., security level). The assurance level is a combination of identity, authentication and federation. SP 800-63 defines a separate assurance level for each of those components, providing greater flexibility to application developers and IT security professionals. Assurance levels are defined as: 1 (low) 2 (medium) 3 (high) SP 800-63 then provides a methodology to assign the appropriate level to each component, looking at risk factors covering areas such as inconvenience, financial loss, safety, data breach and others. Once you ve determined the assurance level, SP 800-63 provides a list of capabilities that are appropriate for that level.

Identity Assurance Level (IAL): The Identity Proofing Process When you create a digital identity in an IT system, the first question to ask is, How is this digital identity related to a real-world identity? In some cases, you may want to provide anonymity to your users (e.g., a whistle blower application). In others, you may be required to reliably link a digital identity to a real-world person (e.g., Know Your Customer requirement for the financial industry). An Identity Assurance Level provides the flexibility to account for these different scenarios. SP 800-63 defines 3 IALs and the identity proofing processes to collect and validate the identity of the user. IAL 1 IAL 2 IAL 3 No link to a real-life identity Evidence to prove real-life identity; can be remote or in person Physical presence required for identity proofing

Authenticator Assurance Level (AAL): The Identity Authentication Process Once you ve performed identity proofing for a new user, you want to be reasonably sure that subsequent attempts at access to your application are from the right user, and not someone else impersonating the user. The Authenticator Assurance Level defines the level of assurance that the returning user is who they assert to be. Not all applications require the same level of assurance. Making an online restaurant reservation does not require the same assurance as accessing your taxpayer information or accessing a power generation system. SP 800-63 defines 3 AALs and the processes and methods to authenticate the returning user. AAL 1 AAL 2 AAL 3 Single or multi factor authentication Multi factor authentication with approved cryptography Hardware based multi factor authentication, with approved cryptography

Authenticator Types SP 800-63 allows for many authenticator types, and combining authenticators can increase the assurance level. Memorized Secret Look-Up Secret Out-of-Band Devices Multi-Factor OTP Device Single-Factor Cryptographic Software Single-Factor One-Time Password (OTP) Device Single-Factor Cryptographic Device Multi-Factor Cryptographic Software Multi-Factor Cryptographic Device

Authenticator Assurance Details SP 800-63 provides detailed requirements for authenticators as well as the systems verifying the authentication and the lifecycle management of the authenticators. Some requirements are specific to the authenticator type and some apply to all types. Authenticator privacy and usability are also considered. Of note, biometric use for authentication is limited only as part of multi-factor authentication with a physical authenticator. Biometric as part of identity proofing (IAL) does not have such a limitation. Similarly, risk-based and adaptive authentication techniques can be used to augment the security of the system but cannot be used as a primary or secondary authentication factor. Use of a Public Switched Telephone Network (i.e., SMS) is considered RESTRICTED, and the risk should be carefully considered before using it for authentication. AAL 1 AAL 2 AAL 3 AAL 1 AAL 2 AAL 3 FIPS 140-2 LEVEL REQUIREMENT Level 1 on the verifier (i.e. relying party) Level 1 on the verifier and authenticator Level 1 on the verifier Level 2 overall for multi-factor hardware authenticator (with level 3 for physical security) Level 1 overall for single factor hardware authenticator (with level 3 for physical security) Low Moderate High SP800-53 MAPPING

Federation Assurance Level (FAL): Assertions in a Federated Environment Federation is the process that allows sharing user authentication and user attributes across networked systems. It allows a Relying Party (RP) application to leverage an Identity Provider (IdP) to authenticate users and retrieve users attributes (e.g., names and addresses). Federation is useful, for example, when an application wants to let different user populations interact; but the most prevalent use is for cloud applications that want to let their customers control the authentication of their users providing more control to the customer within the IdP to avoid the need for multiple entries of generic user attributes like names and addresses. To achieve that goal, the Identity Provider and Relying Party typically exchange assertions. A Federation Assurance Level (FAL) defines how the IdP and RP trust the assertions they exchange. FAL 1 FAL 2 FAL 3 FAL 1 FAL 2 FEDERATION ASSURANCE LEVEL (FAL) RP can receive a bearer assertion, signed by the IdP using approved crytography Assertion is encrypted so that only the RP can read it Assertion contains subscriber s proof of possession (i.e. cryptographic signature) FAL EXAMPLES OpenID Connect Basic Client profile or Security Assertion Markup Language (SAML) Web SSO Artifact Binding profile OpenID Connect ID Token or SAML Assertion encrypted with the RP s public key SP 800-63 defines three FAL levels and the processes to register identities in RPs, and how assertions are protected and presented across the federation. FAL 3 Token Binding where token signature is generated from a hardware token

HID and SP 800-63 HID Global offers more authentication options than anyone else and can help your organization achieve SP 800-63 compliance, regardless of the assurance level required. HID OFFERS THE MOST AUTHENTICATION OPTIONS FROM ONE TRUSTED SOURCE We can easily accommodate the need for multiple authentication solutions within the same organization when requirements vary by group. FIDO & PKI Smart Card Push Notification Virtual Smart Card Recent Awards 2018 Top Multi-Factor Authentication Solution Provider, Enterprise Security Magazine 2018 Most Innovative Product for Cyber Security Discovery, Cyber Defense Magazine 2018 New Product of the Year, Info Security Product Guide Global Excellence Award 2017 Best IAM and CMS Product, Security Today Government Security Awards 2016 Best Identity Management Platform, GSN Homeland Security Awards 2016 Top 10 Fastest Growing Security Companies, SR 2016 Cyber Security Companies FIDO & PKI Smart USB Token BlueTooth Token Digital Certificate Risk-based One-time Password Token Biometric

Why HID Global? At HID Global, we Power Trusted Identities. That means we take a holistic approach to identity and access management, with the broadest portfolio of user authentication solutions to meet the needs of a variety of industries, across a variety of touchpoints.hid s portfolio includes: the widest selection of authenticators the broadest portfolio of identity and access management solutions.

Interested in learning more about Authentication Solutions from HID Global? LEARN MORE 2019 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design are trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners. 2019-03-19-hid-iams-nist-guidelines-eb-en PLT-04335

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback