Tag Archives: federation assurance level

KeyData Cyber Sums Up The Most Visible Change in NIST SP 800-63-4

As we all transition from version 3 of NIST SP 800-63 to the new version 4 (63 63A 63B 63C), Biometric Update has published an article authored by Dustin Hoff of KeyData Cyber, “Navigating the crossroads of identity: leveraging NIST SP 800-63-4 for business advantage.”

So what has changed?

“Perhaps the most visible change is the push for phishing-resistant authentication—methods like passkeys, hardware-backed authenticators, and device binding….This shift signals that yesterday’s non-phishing-resistant MFA (SMS codes, security questions, and email OTPs) is no longer enough because they are easily compromised through man-in-the-middle or social engineering attacks like SIM swapping.”

Iguana-in-the-middle. Google Gemini.

Hoff says a lot more about version 4, including tips of transitioning to the new NIST standard. Read Hoff’s piece here on Biometric Update.

Identity Assurance Level 3 (IAL3): When Identity Assurance Level 2 (IAL2) Isn’t Good Enough

(Picture designed by Freepik.)

(Part of the biometric product marketing expert series)

I’ve talked about Identity Assurance Levels 1, 2, and 3 on several occasions. Most notably regarding Login.gov’s initial failure to adhere to Identity Assurance Level 2 (IAL2). (Old news; after the pilot, Login.gov is now certified for IAL2.)

But as usually happens, IAL2 is yesterday’s news. Because biometric tech always gets harder better faster stronger.

Refresher on IAL1, IAL2…and IAL 3

Let’s review the three identity assurance levels.

From https://pages.nist.gov/800-63-3/sp800-63a.html#sec2.

For our purposes, the big difference between IAL2 and IAL3 is that IAL2 allows “either remote or physically-present identity proofing,” while IAL3 requires “[p]hysical presence” for identity proofing. However, the proofing agent may “attend the identity proofing session via a CSP-controlled kiosk or device.” In other words, supervised enrollment.

When do you need IAL3? Mitek’s Adam Bacia clarifies:

“IAL3 is reserved for high-risk environments such as sensitive government services.”

How are solutions approved for a particular Identity Assurance Level?

Now I could get on my product marketing soapbox and loudly proclaim that my service is IAL2 compliant, or IAL3 compliant, or IAL4 compliant. (“What? You don’t know about IAL4? Obviously you’re not authorized to know about it.”)

But I doubt you would, um, trust my declaration.

Enter the Kantara Initiative, which manages an Identity Assurance Approval Process. For our purposes, we want to focus on the NIST 800-63 rev.3 class of approval:

“Available to Credential Service Providers offering Full or Component Credential Management Services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

“Assurance Levels: IAL2, IAL3; AAL2, AAL3; FAL2, FAL3”

  • You see that the Kantara Initiative doesn’t even offer an approval for IAL1, just for IAL2 and IAL3.
  • It also offers approvals for AAL2 and AAL3. I’ve previously discussed Authenticator Assurance Levels (AALs) in this post. Briefly, IALs focus on the initial identity proofing, while AALs focus on the authentication of a proven identity.
  • And you can also see that it offers approvals for FAL2 and FAL3. I’ve never discussed Federation Assurance Levels (FALs) before.

Component Services IAL2 approvals…and an IAL3 approval

Now if you go to the Kantara Initiative’s Trust Status List and focus on the Component Services, you’ll see a number of companies and their component services which are approved for NIST 800-63 rev.3 and offer an assurance level of IAL2.

With one exception.

“NextgenID Trusted Services Solution provides Supervised Remote Identity Proofing identity stations to collect, review, validate, proof, and package IAL-3 identity evidence and enrollment data for CSPs operating at IAL-3. The NextGenID TSS Identity Stations enable remote operators to remotely supervise NIST SP 800-63A compliant Supervised Remote Identity Proofing (SRIP) sessions for credentialing.”

So if remote identity assurance is not good enough for you, there’s a solution. I’ve already discussed NextgenID’s SUPERVISED remote identity proofing in this post. And there’s a video.

Trust Swiftly has also designed a remote IAL3 solution, but I couldn’t find Trust Swiftly on the Kantara Initiative’s Trust Status List. Perhaps it was processed under another accredited assessor.

But clearly biometric product marketers are paying attention to the identity assurance levels…at least the real ones (not IAL4). But are they communicating benefit-oriented messages to their prospects?

Biometric product marketing has to be targeted to the right people, with the right message. And the biometric product marketing expert at Bredemarket can help a company’s marketing organization create effective content. Talk to Bredemarket.

Stop losing prospects! Use Bredemarket content for tech marketers