Digital identity systems matter greatly when it comes to defining one's self in the digital world, which is as real as the physical world and affects us very directly. This is why building digital identity proofing and digital identity authentication services is no longer optional. There is wide consensus in the US that digital identity and authentication are the bedrock of online security and are fast becoming a national security priority. The starter versions of such services currently available provide identity assurance that other systems consume in order to grant some form of authorization (physical or logical).
What is Digital Identity
A digital identity is the information about a person or an organization that computer systems use to represent it in cyberspace. Put simply, it is the online equivalent of the real-world identity of that person or organization.
Digital Identity Guidelines
The National Institute of Standards and Technology (NIST) has long been acknowledged as an authoritative reference source regarding authentication assurance guidance.
NIST recently released the third revision of NIST SP 800-63, now titled Digital Identity Guidelines, after months of public review. This four-volume suite provides technical guidelines for organizations that employ digital identity services. The new document updates the previous standards and expands them to address identity and authentication as a service, offering the concepts and language vital for the proper care and feeding of digital identities, something most experts in the industry are calling a prudent expenditure of taxpayers' dollars.
First released in 2003, SP 800-63 is the NIST document that set out the technical requirements for the four Levels of Assurance (LOA) – LOA 1, 2, 3 and 4 – specified by OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies.
The key purpose of this new edition, the third revision of 800-63, is to address the shortcomings of the single LOA scale and turn the concept into something more meaningful in light of modern identity processes in both the private and government sectors.
Briefly put, the new document introduces the following major changes:
The new document decouples the LOAs into their component parts, so that an authentication implementation can be graded 1, 2 or 3 on one facet and receive a different grade on another, instead of a single blanket number such as LOA 3. In a nutshell, the new SP 800-63 breaks the ranking scheme into three segments:
- Enrollment and Identity Proofing (SP 800-63A)
- Authentication and Lifecycle Management (SP 800-63B)
- Federation and Assertions (SP 800-63C)
Under the new 800-63-3, three assurance levels are assigned separately: Identity Assurance Level (IAL), Authentication Assurance Level (AAL) and Federation Assurance Level (FAL).
Identity Assurance Level (IAL):
- IAL1 – Self-asserted; there is no requirement to link the applicant to a specific real-life identity.
- IAL2 – Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with it; identity proofing may be done in person or remotely.
- IAL3 – Identity proofing requires physical presence; identifying attributes must be verified by an authorized and trained representative.
Authentication Assurance Level (AAL):
- AAL1 – Provides some assurance that the claimant controls an authenticator bound to the subscriber's account; requires at least single-factor authentication.
- AAL2 – Provides high confidence that the claimant controls authenticators bound to the subscriber's account; requires proof of possession and control of two distinct authentication factors; approved cryptographic techniques are required.
- AAL3 – Provides very high confidence that the claimant controls authenticators bound to the subscriber's account; authentication requires proof of possession of a key through a cryptographic protocol, and a hardware-based ("hard") cryptographic authenticator is required.
Federation Assurance Level (FAL):
- FAL1 – Permits the subscriber to enable the RP to receive a bearer assertion, signed by the IdP; whoever holds the assertion can present it.
- FAL2 – Adds the requirement that the assertion be encrypted, using approved cryptography, so that the RP is the only party able to decrypt it.
- FAL3 – Requires the subscriber to present proof of possession of a cryptographic key referenced in the assertion, in addition to the assertion artifact itself.
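As an added worked example (not from the NIST volumes or the original article), the Go program below models the three federation assurance levels with stand-in names: an IdP that signs a constructed JSON assertion (FAL1), the same assertion sealed to the RP's RSA public key so that no other party can read it (FAL2), and a holder-of-key check in which the presenter must sign an RP-chosen challenge with the key referenced in the assertion (FAL3). The Assertion, SignedAssertion and EncryptedAssertion structures, the function names and the "cnf" field are assumptions made for this example; direct RSA-OAEP stands in for the hybrid encryption a real SAML or JWE deployment would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed stand-in for a SAML/OIDC assertion: the claims an RP must
// check, plus the holder-of-key binding ("cnf") that FAL3 relies on.
type Assertion struct {
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	Expires   int64  `json:"exp"`
	HolderKey []byte `json:"cnf,omitempty"` // subscriber's Ed25519 public key, set for FAL3
}

// SignedAssertion is the artifact the IdP issues at every FAL: payload plus IdP signature.
type SignedAssertion struct{ Payload, Sig []byte }

// EncryptedAssertion is the FAL2 form: the payload is readable only by the addressed RP.
type EncryptedAssertion struct{ Ciphertext, Sig []byte }

// IssueSigned has the IdP sign the assertion with its Ed25519 key (required at all FALs).
func IssueSigned(idp ed25519.PrivateKey, a Assertion) SignedAssertion {
	p, _ := json.Marshal(a) // cannot fail for this struct
	return SignedAssertion{Payload: p, Sig: ed25519.Sign(idp, p)}
}

// VerifyFAL1 is the RP's check on a bearer assertion: IdP signature, audience, expiry.
// Whoever presents a valid artifact is accepted; that is the bearer weakness FAL3 removes.
func VerifyFAL1(idpPub ed25519.PublicKey, rp string, now time.Time, s SignedAssertion) (Assertion, error) {
	var a Assertion
	if !ed25519.Verify(idpPub, s.Payload, s.Sig) {
		return a, errors.New("bad IdP signature")
	}
	if err := json.Unmarshal(s.Payload, &a); err != nil {
		return a, err
	}
	if a.Audience != rp {
		return a, errors.New("assertion is not addressed to this RP")
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return a, errors.New("assertion expired")
	}
	return a, nil
}

// EncryptForRP is the FAL2 step: the signed payload is sealed to the RP's public key.
// RSA-OAEP is used directly because the payload is small; real assertions use hybrid
// encryption (a wrapped content-encryption key, as in JWE).
func EncryptForRP(rpPub *rsa.PublicKey, s SignedAssertion) (EncryptedAssertion, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpPub, s.Payload, nil)
	return EncryptedAssertion{Ciphertext: ct, Sig: s.Sig}, err
}

// DecryptAtRP recovers the signed artifact with an RP's private key; any other key fails.
func DecryptAtRP(rpPriv *rsa.PrivateKey, e EncryptedAssertion) (SignedAssertion, error) {
	p, err := rsa.DecryptOAEP(sha256.New(), nil, rpPriv, e.Ciphertext, nil)
	if err != nil {
		return SignedAssertion{}, errors.New("decryption failed: not the RP this assertion was sealed to")
	}
	return SignedAssertion{Payload: p, Sig: e.Sig}, nil
}

// VerifyFAL3 adds holder-of-key proof: the presenter must sign an RP-chosen challenge
// with the key referenced in the assertion, so a captured artifact alone is useless.
func VerifyFAL3(idpPub ed25519.PublicKey, rp string, now time.Time, s SignedAssertion, challenge, proof []byte) (Assertion, error) {
	a, err := VerifyFAL1(idpPub, rp, now, s)
	if err != nil {
		return a, err
	}
	if len(a.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(a.HolderKey), challenge, proof) {
		return a, errors.New("presenter does not control the key bound to the assertion")
	}
	return a, nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	rpKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	s := IssueSigned(idpPriv, Assertion{Subject: "alice", Audience: "rp.example",
		Expires: now.Add(5 * time.Minute).Unix(), HolderKey: subPub})
	chal := []byte("fresh nonce chosen by the RP for this login")
	_, thiefFAL1 := VerifyFAL1(idpPub, "rp.example", now, s) // thief replaying a captured artifact
	_, thiefFAL3 := VerifyFAL3(idpPub, "rp.example", now, s, chal, ed25519.Sign(thiefPriv, chal))
	_, subFAL3 := VerifyFAL3(idpPub, "rp.example", now, s, chal, ed25519.Sign(subPriv, chal))
	enc, _ := EncryptForRP(&rpKey.PublicKey, s)
	fmt.Println("FAL1 thief:", thiefFAL1, "| FAL3 thief:", thiefFAL3, "| FAL3 subscriber:", subFAL3, "| FAL2 ciphertext bytes:", len(enc.Ciphertext))
}
```

Running main shows the point of the ladder: at FAL1 an attacker who captures the artifact and replays it within its validity window passes every check the RP can make, while at FAL3 the same artifact is rejected because the attacker cannot produce a signature with the key the IdP bound into it. The FAL2 step protects the assertion's contents in transit through the subscriber's browser, but on its own it does nothing about replay by whoever ends up holding the ciphertext.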
The main changes across the three volumes (SP 800-63A, B and C):
- The permissible identity proofing process has been revamped.
- In-person proofing options are expanded.
- Password guidance has been overhauled.
- Insecure authenticators are removed.
- Permissible use of biometrics is expanded.
- New federation recommendations and requirements are added.
- Cookies as an assertion type have been removed.
The full details are available at nist.gov.