101 Session / NIST Digital Identity Guidelines

From IIW

101 Session / NIST Digital Identity Guidelines


Tuesday 4B

Convener: Sarah Squire

Notes-taker(s): Kevin Trilli


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Updated after 10 yrs - Official June 2107, designed with govt’ agencies in mind; done on GitHub 
  • Orignal version conflated ID proofing and auth; motivation to change this and unbind
  • Authentication
    • Context: NIST in Commerce, so built to ensure fair commerce
    • def. making sure a person or a thing is the same person or thing (which is different than being who they say they are)
      • ID Proof doesn’t matter, just that you are returning act holder
  • 4 Levels of Assurance of Identity, based on threat modeling against:
    • Random input
    • Snoopers
    • Bots
    • Financial attackers
    • Nation States
    • Hacktivists
  • Old model - levels of assurance - LOA
    • 1 - Little or none
    • 2 - Some
    • 3 - High 
    • 4 - Very High (strong crypto auth, man-in-middle resistance, no bearer tokens, in-person proofing with govt’ ID)
  • Digital ID Guidelines (1, 2 and 3)
    • Identity
    • Authenticator
    • Federation
  • Identity Proofing (Volume A)
    • Level 1- Pseudonymous
    • Level 2 - remote or in-person proofing
    • Level 3- In person, biometric collection (non-repudiation)
  • Auth (Volume B)
    • Level 1- single factor (know, have, or are)
    • Level 2 - 2FA
    • Level 3- 2FA w/crypto (private key) + verifier impersonation (Phisher) resistance (e.g, same TLS Channel, token binding)
  • Federation (IDP and RP are different) (Volume C)
    • Level 1 - Signed bearer assertion 
    • Level 2 - Signed, encrypted bearer assertion 
    • Level 3 - Signed, encrypted, holder-of-key assertion (not commercially available as of today)
  • Password and MFA Policy
    • KBA is banned  (fed agencies can’t use— Yea!!)
    • Bad security and bad usability
  • OTP over SMS is restricted 
    • Telcos vulnerability, SMS can be sniffed, easy to engineer phone number porting/device replacement
    • Not the same as App notifications
  • Passwords 
    • Do
      • Allow very long pw’s
      • Accept spaces and special characters
      • Compare to breach corpus (e.g Ashley Madison passwords published). (E.g, haveIbeenpawned)
  • Do Not
    • Require special characters (reduces possible set entropy)
    • Force rotation (easier for fuzzy discovery
  • Questions
    • No inclusion of device fingerprint (but a known best practice)
    • Password Recovery - big back door.