The National Institute of Standards and Technology (NIST) is not only one of the nation’s oldest physical science laboratories; it is also a non-regulatory agency of the United States Department of Commerce. From nanotechnologies to the world’s largest and most complex creations, NIST conducts research in support of a very wide array of technologies. NIST Special Publication 800-63-1 is a 110-page document from NIST’s computer security division detailing electronic authentication. However, digging through this document to understand its contents can be somewhat intimidating. In this article we will try to simplify its contents in order to gain a better understanding of how to meet and comply with these standards.
According to NIST Special Publication 800-63-1, “Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over an open network, for the purpose of electronic government and commerce.” A user looking to perform an electronic transaction should be authenticated by meeting the minimum technical requirements of one of four recommended levels of assurance. The level of authentication assurance required should be determined based on the potential impacts of an authentication error on:
With Level 1 being the lowest and Level 4 being the highest, the NIST authentication levels are based on the degree of confidence needed to establish an identity. The established levels are:
NIST continues to establish a framework for determining authentication level assurance and guidance on how to meet these levels. As technologies change, NIST will continue to assist in providing consistent levels of authentication assurance and allowing the appropriate services to protect their systems and the privacy of their users.
Choosing the correct level of assurance within your own organization depends largely on the business requirements needed to assure safe and compliant transactions. Verifying that your customers are who they say they are is a very important factor in preventing fraud and in correctly assessing whether electronically presented information is legitimate. Finding a partner that can help meet these guidelines is an essential part of this process. Contact IDology to find out how we can help your organization meet the guidelines required for your business.