101 NIST – Digital Identity Guidelines ‘101’
Tuesday 4B
Convener: Sarah Squire
Notes-taker(s): Colin Jaccino
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Levels of Assurance
Restrictions on use of SMS for 2FA
Password Policies
Vectors of Trust
Password and MFA Guidance
Want to divorce identity from security and authentication
What is authentication
- a way we determine that a person is the same as the last time we saw them (not who they say they are)
Types of threats:
- unintentional account compromise
- snooping by known relation
- bots - don’t have access to your device, but may be able to brute force or reverse hashes
- nefarious third parties by stealing identity
- state actors - well-resourced nefarious parties
- hacktivists - often with political motives
Levels of assurance
- 1 -
- 2
- 3 -
- 4 - Very high confidence
  - Strong cryptographic authentication
  - strong man-in-the-middle resistance
  - no bearer tokens
  - account owner has physically appeared and a government-issued photo-identification document has been verified
NIST Digital Identity Guidelines - Act III
- Changed guidelines from one-dimensional to three-dimensional
  - Identity Assurance (1,2,3)
    - L1 - Pseudonymous
    - L2 - Remote or in-person identity proofing
    - L3 - In-person identity proofing with biometric collection for the purpose of non-repudiation
  - Authenticator (1,2,3)
    - L1 - Single-factor authentication
    - L2 - Two-factor authentication
    - L3 - Two-factor auth with cryptographic device and verifier impersonation resistance
  - Federation (1,2,3)
    - L1 - Signed bearer assertion
    - L2 - Signed and encrypted bearer assertion
    - L3 - Signed and encrypted holder-of-key assertion
      - A method of federation in which the client trusts the identity provider AND trusts (validated) that the person using the client is the correct person (the holder of key)
Secretary of State would be
ID assurance level 3
Auth assurance level 3
Federation assurance level 2
MFA Guidance
Knowledge-based authentication (KBA) is banned
- bad security
- bad usability
One-time password over SMS is restricted
- Public switched telephone network has extensive vulnerabilities
- SMS can be sniffed
- Easy to socially engineer phone number porting/device replacement
Password Policy Guidance
DON'T
- Special character requirements (allow them, not require them)
- Forced rotation
DO
- Allow ridiculously long passwords
- Accept spaces and special characters
- Compare to breach corpus
  - haveibeenpwned.com?
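The DO/DON'T list above as a verifier-side check, added here as an illustration (not code from the session or from NIST): length floor only, no composition rules, no rotation, spaces and Unicode accepted, then a breach-corpus lookup done the k-anonymity way (only a 5-hex-char SHA-1 prefix leaves the client). The breach corpus, its counts, the 256-character cap and the range-server stand-in are all constructed assumptions.

```python
import hashlib
import unicodedata

MIN_LEN = 8    # 800-63B floor for subscriber-chosen memorized secrets
MAX_LEN = 256  # assumption: generous cap only to bound hashing work, not a policy limit

# Constructed stand-in for a breach corpus: SHA-1 (uppercase hex) -> times seen.
# The real corpus (e.g. haveibeenpwned.com) has hundreds of millions of entries.
CONSTRUCTED_BREACHED = {"password": 3_000_000, "P@ssw0rd": 12_000,
                        "correct horse battery staple": 400}
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                 for p, n in CONSTRUCTED_BREACHED.items()}


def range_server(prefix):
    """Stand-in (constructed, offline) for a k-anonymity 'range' endpoint: the
    server only ever sees the first 5 hex chars of the hash and answers with
    'SUFFIX:COUNT' lines for every breached hash sharing that prefix."""
    return "\n".join(f"{h[5:]}:{n}" for h, n in BREACH_CORPUS.items() if h.startswith(prefix))


def count_in_range(range_response, suffix):
    """Client side: look for our own 35-char suffix in the returned range."""
    for line in range_response.splitlines():
        if not line.strip():
            continue
        got_suffix, count = line.strip().split(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def check_password(candidate, range_lookup=range_server):
    """Apply the DO/DON'T list: length floor, no composition rules, no rotation
    clock, spaces and any Unicode allowed, then a breach-corpus check.
    Returns (accepted, list_of_reasons)."""
    # 800-63B: normalise Unicode (NFKC) before the length check and hashing so the
    # same passphrase typed on different keyboards compares equal.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"fewer than {MIN_LEN} characters")
    elif len(pw) > MAX_LEN:
        reasons.append(f"more than {MAX_LEN} characters")
    else:
        # No 'must contain a digit/special character' rule: a long passphrase of
        # plain words and spaces passes, a short one that ticks every box may not.
        sha1 = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        hits = count_in_range(range_lookup(sha1[:5]), sha1[5:])
        if hits:
            reasons.append(f"appears {hits} times in breach corpus")
    return (not reasons, reasons)
```

"P@ssw0rd" satisfies every classic composition rule and is still rejected, while a plain-word passphrase with spaces is accepted.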
NIST 800-63-3???
Usability is key to security.
Look up: UAF, U2F, FIDO
IDPro.org
Identity bootcamp - 1 day conference before Gartner’s identity conference
https://www.rsaconference.com/videos/measuring-authentication-nist-800-63-and-vectors-of-trust