The National Institute of Standards and Technology (NIST) is not only one of the nation’s oldest physical science laboratories, it is also a non-regulatory agency of the United States Department of Commerce. From nanotechnologies to the world’s largest and most complex creations, NIST conducts research in support of a very wide array of technologies. NIST Special Publication 800-63-1 is a 110-page document from NIST’s computer security division detailing electronic authentication. However, digging through this document to understand its contents can be somewhat intimidating. In this article we will try to simplify its contents in order to gain a better understanding of how to meet and comply with these standards.
According to NIST Special Publication 800-63-1, “Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over an open network, for the purpose of electronic government and commerce.” A user looking to perform an electronic transaction should be authenticated by meeting the minimum technical requirements asserted by the criteria of one of four recommended levels of assurance. The required level of authentication assurance should be determined based on the potential impacts of an authentication error on:
- Inconvenience, distress, or damage to standing or reputation;
- Financial loss or agency liability;
- Harm to agency programs or public interests;
- Unauthorized release of sensitive information;
- Personal safety;
- Civil or criminal violations.
With Level 1 being the lowest and Level 4 being the highest, the NIST authentication levels are based on the degree of confidence needed to establish an identity. The established levels are:
- Level 1 – Little or no confidence in the asserted identity’s validity.
  - No identity proofing is required at this level, but the authentication mechanism should provide some assurance that the same claimant is accessing the protected transaction or data.
- Level 2 – Some confidence in the asserted identity’s validity.
  - Level 2 provides for single-factor remote network authentication, including identity-proofing requirements for the presentation of identifying materials or information.
- Level 3 – High confidence in the asserted identity’s validity.
  - Level 3 provides multifactor remote network authentication. At this level, identity-proofing procedures require the verification of identifying materials and information.
- Level 4 – Very high confidence in the asserted identity’s validity.
  - Level 4 provides the highest practical assurance of remote network authentication. Authentication is based on proof of possession of a key through a cryptographic protocol. This level requires a physical token and strong cryptographic authentication of all parties and of all sensitive data transfers between the parties.
NIST continues to maintain a framework for determining authentication assurance levels and guidance on how to meet them. As technologies change, NIST will continue to provide consistent levels of authentication assurance, allowing the appropriate services to protect their systems and the privacy of their users.
Choosing the correct level of assurance within your own organization depends largely on the business requirements needed to assure safe and compliant transactions. Identifying that your customers are who they say they are is a very important factor when preventing fraud and trying to correctly assess if electronically presented information is legitimate. Finding a partner that can help meet these guidelines is an essential part of this process. Contact IDology to find out how we can help your organization meet the guidelines required for your business.