Standards for Identity Assurance

This page is to share and discuss various standards for identity assurannce, which is often defined as: 

"the ability to determine, with some level of certainty, that the person presenting themselves in an online transaction is who they say they are."

 Virginia Tech Standard for Personal Digital Identity Levels of Assurance

Identity assurance includes identity proofing, the credential issuance process, and credential strength. Erv recently approved the Standard for Personal Digital Identity Levels of Assurance, which is posted at www.it.vt.edu/administration/policies.html.  Virginia Tech's LOA's reflect (but may not completely conform to) standards from NIST Special Publication 800-63, Version 1.0.2, Electronic Authentication Guide http://csrc.nist.gov/publications/nistpubs/index.html .

While there may not be a mandate that the soft PDC follow any national or industry standard, past conversations with universiy Legal counsel have indicated that standards-based credentialing processes are desirable. The soft PDC may fit into Virginia Tech's LOA 3. The credential itself should be able to meet the criteria for NIST 800-63 LOA 3. The identity proofing would likely determine whether the soft PDC could qualify as NIST LOA 2 or NIST LOA 3. Similarly, the soft PDC credential should meet the criteria for an InCommon Silver credential. The identity proofing will likely determin whether the soft PDC would qualify for InComon Bronze or Silver.

InCommon Bronze and Silver

The InCommon Identity Assurance Assessment Framework at http://www.incommonfederation.org/assurance/ states (in Section 2.1), "InCommon Bronze and Silver are intended to be compatible with Federal NIST 800-63 Levels 1 and 2."

The Identity Proofing section (4.2.2.3) for the Silver profile specified at http://www.incommonfederation.org/docs/assurance/InC_Bronze-Silver_IAP_1.0.1.pdf , specifies In Person Proofing and Remote Proofing criteria that are very close (but identical) to those specified for In Person and Remote Proofing for LOA 2 in NIST 800-63 (section 6.3.1). However, the InCommon Silver profile (section 4.2.2.3.1) includes criteria for identity proofing using an Existing Relationship, which is not specifally categorized in Table 3 in NIST 800-63, but seems to be derived from the a paragraph immediately following Table 3.

NIST 800-63:

At Level 2, employers and educational institutions who verify the identity of their employees or students by means comparable to those stated above for Level 2 may elect to become an RA or CSP and issue credentials to employees or students, either in-person by inspection of a corporate or school issued picture ID, or through on-line processes, where notification is via the distribution channels notmally used for sensitive, personal communications.

InCommon Silver section 4.2.2.3.1:

Employers and educational institutions which verify the identity of their employees, students or other affiliates by means comparable to those stated  for In Person Proofing or remote Proofing may be designated an RA by the IdP operator. The IdP operator shall confirm that the applicant is a person with a current relationship to the organization, record the nature of that relationship and verify that the relationship is in good standing. If the IdP operator's IdMS directory or database is separate from the institution's or RA's database, the IdP operator shall confirm that the applicant's name and address are consistent in both places.


Perhaps Virginia Tech's identity proofing practices would show that we qualify for Silver in the "Existing Relationship" category.

Sample Silver in-person Registration Process from Penn State

Sample Silver Remote Registration Process from Penn State

Requirements for recording information from identity documents

InCommon Silver Section 4.2.3.2 item #2 requires that the RA record from the ID: 

• ID number
• Date of issuance
• Date of expiration
• Address, if available
• Date of birth 
  

NIST 800-63-01 (Table 3 in section 6.3.1) requires the RA to record from the ID:

• ID number
• Address
• Date of birth 
  

I-9 procedures require recording:

• Document title
• Issuing authority
• Document #
• Expiration date (if any)
  

NIST 800-63 section 8.2.3 states  the following regarding Level 3 and the Soft cryptographic token:

Soft cryptographic token: a cryptographic key stored on a general-purpose computer. Hardware tokens validated at FIPS 140-2 Level 1 or higher may also be used to hold the key and perform cryptographic operations. The claimant shall be required to activate the key before using it with a password or biometric, or, alternatively shall use a password as well as the key in an authentication protocol with the verifier. If a password is employed to unlock the soft token key, the key shall be kept encrypted under a key derived from a password meeting the requirements for Level 2 authentication, and decrypted only for actual use in authentication. Alternatively, if a password protocol is employed with the verifier, the use of the password shall meet the requirements for Level 2 authentication assurance.

      I think this means that a "soft cryptographic token" stored on a general-purpose computer is considered a LoA 3 credential if either of the following is true:

      1) a password or biometric is required to activate the key. The password would need to meet NIST LoA 2 requirements.

      2) the claimant is required to use a password as well as the key in an authenticated protocol with the verifier. In this case the password must meet NIST LoA 2 requirements, which includes password strength described in 8.2.2.4 and maybe 8.2.2.3.

Regarding option # 1, after the soft PDC enters the hands of the user, we cannot technically enforce use of a password that would meet NIST LoA 2, to activate the key. 

Question (probably for Internal Audit): If we created a policy that required the user to maintain a password on  a soft PDC (or P12 key store) that met NIST LoA 2 strength requirements, and issued a soft PDC that initially met the LoA 3 requirements, would that justify our recognizing that soft PDC as a Virginia Tech LoA 3 credential according to the LoA defined in the VT standard for Personal Digital Identity Levels of Assurance? http://www.it.vt.edu/publications/pdf/Standard_for_Personal_Digital_Identity_LOA_Final-09June2010.pdf 

Regarding option #2, according to Randy Marchany, http://computing.vt.edu/accounts_and_access/pickinggoodpasswords.html has the strength rules and they are close to the NIST criteria. I think Table A-1 shows that with our password strength rules and "dictionary" check, we're in the acceptable range.

Question: If a soft PDC were issued that initially me the LoA 3 requirements, and if it were subsequently used in combination with, say the PID and its password, would that justify our recognizing that soft PDC as a Virginia Tech LoA 3 credential according to the LoA defined in the VT standard for Personal Digital Identity Levels of Assurance? http://www.it.vt.edu/publications/pdf/Standard_for_Personal_Digital_Identity_LOA_Final-09June2010.pdf 

• Permalink

• Edit Oct 21

  Greg Kroll says:

Link to pdf of NIST 800-63 http://csrc.nist.gov/publications/nistpubs/800-63/SP8...
Link to pdf of NIST 800-63 http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf