Levels of Authentication
What does Levels of Authentication Mean?
Levels of Authentication – A way of establishing a sender’s identity, and ensure the sender is allowed to send from a given domain.
The Office of Management and Budget lays out a five-step process for implementing the proper level of assurance for remote authentication: Risk assessment, mapping risks to proper level of assurance, selecting the technology for e-authentication, validating the implemented system and periodically reassessing risks and needs. SP 800-63 gives guidance for implementing the third step, selecting the technology.
The more serious the consequences of unauthorized access to a system, the higher the level of assurance required.
Level 1: the lowest level, requires no identity proofing of a remote user before issuing electronic credentials for access. Authentication can be done with a simple password challenge-response protocol, although such a method is vulnerable to third-party attacks.
Level 2: single-factor remote network authentication still is allowed, but identity proofing can be required, in which the remote user must first prove his or her identity before receiving credentials. A wide variety of authentication techniques can be used, including memorized secret tokens, pre-registered knowledge tokens, look-up secret tokens, out of band tokens and single factor one-time password devices.
Level 3: requires multi-factor authentication, proving possession of the proper token through the use of cryptography. The remote user can unlock the token with a password or biometric, or use a secure multi-token authentication protocol.
Level 4: the highest level, requires the highest practical level of assurance. This is based on proving possession of a key through a cryptographic protocol, and only hard cryptographic tokens are used, rather than software-based tokens. This can be met by using the FIPS 201 compliant Personal Identity Verification (PIV) card authentication key.
Trust of assertions made during the authentication process is enabled though the Security Assertion Markup Language, an XML-based security specification developed by the Organization for the Advancement of Structured Information Standards. Although SAML was emerging in 2006 when SP 800-63 was first published, it was not widely used in government at that time. It can provide scalability in authentication schemes and is one of the significant advances in the guidelines as they have been revised.