101 Session / NIST Digital Identity Guidelines
From IIW
101 Session / NIST Digital Identity Guidelines
Tuesday 4B
Convener: Sarah Squire
Notes-taker(s): Kevin Trilli
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- Updated after 10 yrs - Official June 2107, designed with govt’ agencies in mind; done on GitHub
- Orignal version conflated ID proofing and auth; motivation to change this and unbind
- Authentication
- Context: NIST in Commerce, so built to ensure fair commerce
- def. making sure a person or a thing is the same person or thing (which is different than being who they say they are)
- ID Proof doesn’t matter, just that you are returning act holder
- 4 Levels of Assurance of Identity, based on threat modeling against:
- Random input
- Snoopers
- Bots
- Financial attackers
- Nation States
- Hacktivists
- Old model - levels of assurance - LOA
- 1 - Little or none
- 2 - Some
- 3 - High
- 4 - Very High (strong crypto auth, man-in-middle resistance, no bearer tokens, in-person proofing with govt’ ID)
- Digital ID Guidelines (1, 2 and 3)
- Identity
- Authenticator
- Federation
- Identity Proofing (Volume A)
- Level 1- Pseudonymous
- Level 2 - remote or in-person proofing
- Level 3- In person, biometric collection (non-repudiation)
- Auth (Volume B)
- Level 1- single factor (know, have, or are)
- Level 2 - 2FA
- Level 3- 2FA w/crypto (private key) + verifier impersonation (Phisher) resistance (e.g, same TLS Channel, token binding)
- Federation (IDP and RP are different) (Volume C)
- Level 1 - Signed bearer assertion
- Level 2 - Signed, encrypted bearer assertion
- Level 3 - Signed, encrypted, holder-of-key assertion (not commercially available as of today)
- Password and MFA Policy
- KBA is banned (fed agencies can’t use— Yea!!)
- Bad security and bad usability
- OTP over SMS is restricted
- Telcos vulnerability, SMS can be sniffed, easy to engineer phone number porting/device replacement
- Not the same as App notifications
- Passwords
- Do
- Allow very long pw’s
- Accept spaces and special characters
- Compare to breach corpus (e.g Ashley Madison passwords published). (E.g, haveIbeenpawned)
- Do
- Do Not
- Require special characters (reduces possible set entropy)
- Force rotation (easier for fuzzy discovery
- Questions
- No inclusion of device fingerprint (but a known best practice)
- Password Recovery - big back door.