“Perhaps the most visible change is the push for phishing-resistant authentication—methods like passkeys, hardware-backed authenticators, and device binding….This shift signals that yesterday’s non-phishing-resistant MFA (SMS codes, security questions, and email OTPs) is no longer enough because they are easily compromised through man-in-the-middle or social engineering attacks like SIM swapping.”
Many of us have been using Docusign for years to electronically sign documents. But how does Docusign know that the person applying John Bredehoft’s signature is really John Bredehoft?
Enter Docusign’s implementation of Identity Assurance Level 2 (IAL2).
“The Docusign ID Verification for IAL2 Compliance workflow is easy to add to workflows within eSignature and Maestro, part of the Docusign Intelligent Agreement Management (IAM) platform.
“Before a recipient can access an agreement, they will be required to verify their identity using their existing ID.me or CLEAR account. If needed, they can create a free account with either provider from within the same Docusign workflow. Once verified, they can securely sign and complete their agreement, all in a single, seamless experience.”
But I have one teeny quibble with whoever writes Docusign’s headlines. The November 6 announcement was entitled “Identity Verification at the Highest Level: Docusign ID Verification for IAL2 Compliance.”
For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.
“IAL3 is reserved for high-risk environments such as sensitive government services.”
How are solutions approved for a particular Identity Assurance Level?
Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)
“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.
You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
Component Services IAL2 approvals…and an IAL3 approval
Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.
With one exception.
“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”
So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.
But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?
Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.
AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. All sorts of authentication methods, including knowledge-based authentication, satisfy the requirements of AAL1. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one. There are specific requirements regarding the authentication factors you can use. And the security must conform to the “moderate” security level, such as the moderate security level in FedRAMP. So AAL2 is satisfactory for a lot of organizations…but not all of them.
AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Of course, two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.”
This is of course a very high overview, and there are a lot of…um…minutiae that go into each of these definitions. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.
Which authenticator assurance level should you use?
NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.
One of the key questions is the question flagged as 2, “Are you making personal data accessible?” The answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t).
So what?
Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?
Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?
Could the fraudster cause financial loss to a government agency?
Threaten personal safety?
Commit civil or criminal violations?
Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?
If some or all of these are true, then a high authenticator assurance level is VERY beneficial.
Bredemarket 