SESSION ID: IDY-F01 Measuring Authentication: NIST 800-63 and Vectors of Trust auth Sarah Squire Senior Identity Solution Architect Engage Identity @SarahKSquire
Eyewitness News

A Play in Five Acts
Act I: What is authentication, and why are we measuring it?
Act II: Levels of Assurance
Act III: Vectors of Trust
Act IV: NIST Digital Identity Guidelines
Act V: How to help
Act I: What is authentication, and why are we measuring it?

ELI5 version: Making sure that a person or thing is the same person or thing you saw last time (which is different from them being who they say they are!)
Act II: Levels of Assurance

LoA 1: Little or no confidence
LoA 2: Some confidence
LoA 3: High confidence
LoA 4: Very high confidence

LoA 4 (very high confidence) requires:
- Strong cryptographic authentication
- Strong man-in-the-middle resistance
- No bearer tokens
- Account owner has physically appeared and a government-issued photo-identification document has been verified by the relevant agency.
Act III: Vectors of Trust

Four components: P (Identity Proofing), C (Primary Credential Usage), M (Primary Credential Management), A (Assertion Presentation)

P: Identity Proofing
P0: No proofing, not consistent across sessions
P1: Self-asserted, possibly pseudonymous
P2: Identity has been proofed remotely or in-person
P3: Binding relationship (employee, customer, student, etc.)

C: Primary Credential Usage
C0: No credential
Ca: Session cookies
Cb: Known device
Cc: Shared secret such as a username and password combination
Cd: Cryptographic proof of key possession using shared key
Ce: Cryptographic proof of key possession using asymmetric key
Cf: Sealed hardware token / trusted biometric / TPM-backed keys
M: Primary Credential Management
Ma: Self-asserted primary credentials / no additional verification for primary credential issuance or rotation
Mb: Remote issuance and rotation / use of backup recovery credentials (such as email verification) / deletion on user request
Mc: Full proofing required for each issuance and rotation / revocation on suspicious activity
A: Assertion Presentation
Aa: No protection / unsigned assertion
Ab: Signed and verifiable assertion, passed through the browser
Ac: Signed and verifiable assertion, passed through a back channel
Ad: Assertion encrypted to the relying party's key and audience protected
Example: Whistleblower
Identity Proofing: P1
Primary Credential Usage: Cb.Cc
Primary Credential Management: Ma
Assertion Presentation: Ac
Resulting vector: P1.Cb.Cc.Ma.Ac
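As an added example (not from the slides or the Vectors of Trust draft), a small Python parser for vector strings like the one built up above: it splits "P1.Cb.Cc.Ma.Ac" into its P/C/M/A components, rejects any value outside the catalogue on the slides, and checks a received vector against the values a relying party requires. The "every required value must be present" rule is this example's own simplification, not the draft's matching procedure.

```python
# Added example, not part of the slides or the Vectors of Trust draft.
# Parses a VoT string such as "P1.Cb.Cc.Ma.Ac" and checks it against a policy.

# Allowed values per component, exactly as listed on the slides.
VOT_CATALOGUE = {
    "P": set("0123"),     # identity proofing: P0 none .. P3 binding relationship
    "C": set("0abcdef"),  # credential usage: C0 none .. Cf sealed hardware token
    "M": set("abc"),      # credential management: Ma self-asserted .. Mc full proofing
    "A": set("abcd"),     # assertion presentation: Aa unsigned .. Ad encrypted to RP key
}


def parse_vot(vector):
    """Split "P1.Cb.Cc.Ma.Ac" into {"P": {"1"}, "C": {"b", "c"}, "M": {"a"}, "A": {"c"}}.

    A component may carry several values (the whistleblower example lists both
    Cb and Cc). Anything outside the catalogue raises ValueError so that a
    malformed or unknown vector can never satisfy a policy by accident.
    """
    parsed = {}
    for part in vector.split("."):
        if len(part) != 2:
            raise ValueError(f"malformed component {part!r}")
        component, value = part[0], part[1]
        if value not in VOT_CATALOGUE.get(component, set()):
            raise ValueError(f"unknown component value {part!r}")
        parsed.setdefault(component, set()).add(value)
    return parsed


def satisfies(received, required):
    """True when every value the relying party requires is present in the received vector.

    Simplified policy rule for this example: it is a per-component superset check,
    so a policy of "P2" is not met by "P1" and an asymmetric-key requirement (Ce)
    is not met by a password (Cc).
    """
    got, need = parse_vot(received), parse_vot(required)
    return all(need[c] <= got.get(c, set()) for c in need)


if __name__ == "__main__":
    # Constructed inputs: the whistleblower vector from the slides and two policies.
    vector = "P1.Cb.Cc.Ma.Ac"
    print(parse_vot(vector))
    print(satisfies(vector, "P1.Cc.Ac"))  # True: pseudonymous, password, back channel
    print(satisfies(vector, "P2.Cc.Ac"))  # False: P2 proofing was never done
```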
Act IV: NIST Digital Identity Guidelines

Three assurance levels: IAL (Identity Assurance Level), AAL (Authenticator Assurance Level), FAL (Federation Assurance Level)

IAL: Identity Assurance Level
Level 1: Pseudonymous
Level 2: Remote or in-person identity proofing
Level 3: In-person identity proofing with biometric collection for the purpose of non-repudiation

AAL: Authenticator Assurance Level
Level 1: Single-factor authentication
Level 2: Two-factor authentication
Level 3: Two-factor authentication with cryptographic device and verifier impersonation resistance

FAL: Federation Assurance Level
Level 1: Signed bearer assertion
Level 2: Signed and encrypted bearer assertion
Level 3: Signed and encrypted holder-of-key assertion
Example: Secretary of State
Identity Assurance Level: 3
Authenticator Assurance Level: 3
Federation Assurance Level: 2
Act V: How to Help

Q & A

Resources
Me: @SarahKSquire or sarah@engageidentity.com
Vectors of Trust: https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/
NIST Federal Authentication Guidelines: https://pages.nist.gov/800-63-3/