101 NIST – Digital Identity Guidelines ‘101’

From IIW

101 NIST – Digital Identity Guidelines ‘101’

Tuesday 4B

Convener: Sarah Squire

Notes-taker(s): Colin Jaccino

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Levels of Assurance

Restrictions on use of SMS for 2FA

Password Policies Vectors of Trust

Password and MFA Guidance

Want to divorce identity from security and authentication

What is authentication

  • a way we determine that a person is the same as the last time we saw them (not who they say they are)

Types of threats:

  • unintentional account compromise
  • snooping by known relation
  • bots - don’t have access to your device, but may be able to brute force or reverse hashes
  • nefarious third parties by stealing identity
  • state actors - well-resourced nefarious parties
  • hacktivists - often with political motives

Levels of assurance

  • 1 -
  • 2
  • 3 -
  • 4 - Very high confidence
    • Strong cryptographic authentication
    • strong man-in-the-middle resistance
    • no bearer tokens
    • account owner has physically appeared and a government-issued photo-identifaction document has been verified

NIST Digital Identity Guidelines - Act III

  • Changed guidelines from 1 dimensional to three
  • Identity Assurance (1,2,3)
    • L1 - Pseudonymous
    • L2 - Remote or in-person identity proffing
    • L3 - In-person identity proofing with biometric collection for the purpose of non-repudiation
  • Authenticator (1,2,3)
    • L1 - Single-factor authentication
    • L2 - Two-factor authentication
    • L3 - Two-factor auth with cryptographic device and verifier impersonation resistance
  • Federation (1,2,3)
    • L1 - Signed bearer assertion
    • L2 - Signed and encrypted bearer assertion
    • L3 - Signed and encrypted holder-of-key assertion
      • A method of federation in which the client trusts the identity provider AND trusts (validated) that the person using the client is the correct person (the holder of key)

Secretary of State would be

ID assurance level 3

Auth assurance level 3

Federation assurance level 2

MFA Guidance

Knowledge-based authentication (KBA) is banned

  • bad security
  • bad usability

One-time password over SMS is restricted

  • Public switched telephone network has extensive vulnerabilities
  • SMS can be sniffed
  • Easy to socially engineer phone number porting/device replacement

Password Policy Guidance


  • Special character requirements (allow them, not require them)
  • Forced rotation


  • Allow ridiculously long passwords
  • Accept spaces and special characters
  • Compare to breach corpus
    • haveibeenpwned.com?

NIST 800-63-3???

Usability is key to security.

Look Up: UAF, U2F. Fido


Identity bootcamp - 1 day conference before Gartner’s identity conference