07 Jul The New NIST Digital Identity Guidelines (SP 800-63-3)
NIST (National Institute of Standards and Technology) published the new guidelines on digital identity on June 22nd, 2017. The most notable change is the retirement of the concept of Level of Assurance (LoA) as an evaluation criterion for digital identities.
The new guidelines define three formal categories against which digital-identity-related processes or technologies are evaluated. In the previous versions the vetting process, i.e. establishing the link between the real-life identity and the digital identity, was embedded in the evaluation of the overall assurance level (LoA). Now the process of digital identity registration has received its own category, Identity Assurance Level (IAL). IAL describes the strength or trustworthiness of the digital identity information. At the lowest level (1) the identity information is self-asserted, and can therefore be anything from Donald Duck to Andre Agassi. At the other end of the scale (3) the digital identity has been properly vetted and the attributes related to the identity (user) can be trusted. The requirements for IAL are described in the SP 800-63-3a document.
The authentication method, or as NIST calls it, the authenticator, is now evaluated by itself. The Authenticator Assurance Level (AAL) describes how strong the method / authenticator is. Behind the number there are multiple evaluation criteria; it is not only about how strong the cryptography is. The criteria include aspects such as how often reauthentication has to happen, and resistance to MitM, verifier impersonation, verifier compromise, and replay. The scale is the same as for IAL, 1-3. At the low end you find the usual suspects such as passwords (memorized secrets), and to reach the highest level (3) multi-factor authenticators are required.
When identities cross from one identity domain to another, federation happens. There are numerous technologies for achieving federation, from older ones such as SAML 2.0 to newer protocols like OAuth and OpenID Connect. The older protocols work differently from the new standards. You can e.g. check out our blog on the differences between SAML and OAuth here. I recommend reading the article, as both OpenID Connect and SAML are mentioned as examples in NIST SP 800-63-3c. The completely new evaluation criterion is called Federation Assurance Level (FAL). FAL again uses a scale of 1-3.
Compared to the AAL, the FAL requirements are fairly simple. At the lowest level the assertions just need to be signed by the IdP. The intermediate level additionally requires that the IdP encrypt the assertion. The highest level introduces a new key requirement: the user has to be able to prove possession of a cryptographic key bound to the assertion.
What does it all mean?
Compared to the old approach, where everything was bundled up into one assurance level, the new approach allows for more flexibility. A very typical use case in government services can be as follows:
An employee of government agency A needs to access resources hosted by government agency B. To make this happen in a user-friendly way, federation takes place. With federation the agency A employee can single sign-on to the online service of agency B. The employee does not have a PIV (or other government-issued smart card / eID), but uses the plain old password (Active Directory password). Based on this information we can determine the assurance levels accordingly: Identity Assurance Level = 3, as the employee has been thoroughly vetted; Authenticator Assurance Level = 1, as a password is a memorized secret. The Federation Assurance Level can be anything between 1 and 3 (3 only if the user is in possession of a separate key), but let's assume that the federation is set up properly and the IdP both signs and encrypts the assertions. We now have a combination of IAL=3, AAL=1, FAL=2. In the previous model the Level of Assurance would have been at the lowest level, as the strength of the authentication method was the weakest component and determined the overall LoA.
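The scenario above, modelled as a small Python rule set (an added example, not code from the original post or from NIST): FAL is derived from the assertion properties as the post lists them, the old LoA is the minimum of the three axes, and a relying-party policy can check each axis on its own. The AAL rules (multi-factor on a hardware, verifier-impersonation-resistant authenticator for level 3) are a simplification I take from SP 800-63B, and the agency scenario values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    """Properties of a federation assertion as the relying party (RP) sees it."""
    signed_by_idp: bool
    encrypted_to_rp: bool
    holder_of_key: bool  # user proved possession of a key bound to the assertion

def federation_assurance_level(a: Assertion) -> int:
    """FAL: 1 = signed by IdP, 2 = also encrypted, 3 = also key-bound (holder-of-key).
    Levels build on each other, so an unencrypted key-bound assertion stays at 1."""
    if not a.signed_by_idp:
        raise ValueError("unsigned assertion: no FAL can be claimed")
    if not a.encrypted_to_rp:
        return 1
    return 3 if a.holder_of_key else 2

def authenticator_assurance_level(factors, hardware: bool = False,
                                  impersonation_resistant: bool = False) -> int:
    """Simplified AAL (assumption, based on SP 800-63B): one factor -> 1,
    multi-factor -> 2, multi-factor on a hardware, verifier-impersonation-
    resistant authenticator -> 3. 'factors' holds 'know' / 'have' / 'are'."""
    if not factors:
        raise ValueError("no authenticator presented")
    if len(set(factors)) == 1:
        return 1
    return 3 if hardware and impersonation_resistant else 2

def legacy_loa(ial: int, aal: int, fal: int) -> int:
    """Old single LoA: the weakest component decides the whole level."""
    return min(ial, aal, fal)

def access_granted(required: dict, presented: dict) -> bool:
    """RP policy under the new model: each axis is checked on its own,
    so a resource can demand IAL3 while accepting AAL1."""
    return all(presented.get(k, 0) >= v for k, v in required.items())

def agency_scenario() -> tuple:
    """The post's agency A -> agency B case (hypothetical, constructed values)."""
    ial = 3  # employee thoroughly vetted at registration
    aal = authenticator_assurance_level({"know"})  # AD password only
    fal = federation_assurance_level(Assertion(True, True, False))  # signed + encrypted
    return ial, aal, fal

if __name__ == "__main__":
    ial, aal, fal = agency_scenario()
    print(f"new model: IAL={ial} AAL={aal} FAL={fal}; old LoA={legacy_loa(ial, aal, fal)}")
    print("IAL3/AAL1 resource:", access_granted({"ial": 3, "aal": 1}, {"ial": ial, "aal": aal, "fal": fal}))
```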
I highly recommend getting familiar with the new NIST publication(s). These terms are bound to start appearing in texts concerning online user identities. The separation of registration, authentication and federation into separate categories is a very sensible move. The NIST guidelines provide excellent insight into how online services, both in the government space and in the commercial world, could structure how they consume or transfer digital identity information.