identity assurance level

Authenticator Assurance Levels (AALs) and Digital Identity

(Part of the biometric product marketing expert series)

Back in December 2020, I dove into identity assurance levels (IALs) and digital identity, subsequently specifying the difference between identity assurance levels 2 and 3. These IALs are defined in section 4 of NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing Requirements.

It’s past time for me to move ahead to authenticator assurance levels (AALs).

Where are authenticator assurance levels defined?

Authenticator assurance levels are defined in section 4 of NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. As with IALs, the AALs progress to higher levels of assurance.

AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. All sorts of authentication methods, including knowledge-based authentication, satisfy the requirements of AAL1. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one. There are specific requirements regarding the authentication factors you can use. And the security must conform to the “moderate” security level, such as the moderate security level in FedRAMP. So AAL2 is satisfactory for a lot of organizations…but not all of them.
AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Of course, two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.”

This is of course a very high overview, and there are a lot of…um…minutiae that go into each of these definitions. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.

Which authenticator assurance level should you use?

NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.

The AAL CYOA from https://pages.nist.gov/800-63-3/sp800-63-3.html#63Sec6-Figure2.

One of the key questions is the question flagged as 2, “Are you making personal data accessible?” The answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t).

So what?

Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?

Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?

Could the fraudster cause financial loss to a government agency?
Threaten personal safety?
Commit civil or criminal violations?
Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?

If some or all of these are true, then a high authenticator assurance level is VERY beneficial.

Take Me to the (Login.gov IAL2) Pilot

From https://imgflip.com/memegenerator/Pepperidge-Farm-Remembers.

As further proof that I am celebrating, rather than hiding, my “seasoned” experience—and you know what the code word “seasoned” means—I am entitling this blog post “Take Me to the Pilot.”

Although I’m thinking about a different type of “pilot”—a pilot to establish that Login.gov can satisfy Identity Assurance Level 2 (IAL2).

From https://pages.nist.gov/800-63-3/sp800-63a.html#sec2.

A recap of Login.gov and IAL2-non compliance

I just mentioned IAL2 in a blog post on Wednesday, with this seemingly throwaway sentence.

So if you think you can use Login.gov to access a porn website, think again.
From https://bredemarket.com/2024/04/10/age-assurance-meets-identity-assurance-level-2/.

The link in that sentence directs the kind reader to a post I wrote in November 2023, detailing that fact that the GSA Inspector General criticized…the GSA…for implying that Login.gov was IAL2-compliant when it was not. The November post references a GSA-authored August blog post which reads in part (in bold):

Login.gov is on a path to providing an IAL2-compliant identity verification service to its customers in a responsible, equitable way.
From https://www.gsa.gov/blog/2023/08/18/reducing-fraud-and-increasing-access-drives-record-adoption-and-usage-of-logingov.

Because it obviously wouldn’t be good to do it in an irresponsible inequitable way.

But the GSA didn’t say how long that path would be. Would Login.gov be IAL2-compliant by the end of 2023? By mid 2024?

It turns out the answer is neither.

Eight months later we have…a pilot

You would think that achieving IAL2 compliance would be a top priority. After all, the longer that Login.gov doesn’t comply, the more government agencies that will flock to IAL2-compliant ID.me.

Enter Steve Craig of PEAK.IDV and the weekly news summaries that he posts on LinkedIn. Today’s summary includes the following item:

4/ GSA’s Login.gov Pilots Enhanced Identity Verification

Login.gov’s pilot will allow users to match a live selfie with the photo on a self-supplied form of photo ID, such as a driver’s license

Other interesting updates in the press release 👇
From https://www.linkedin.com/posts/stevenbcraig_digitalidentity-aml-compliance-activity-7184539504504930306-LVPF/.

From https://www.gsa.gov/about-us/newsroom/news-releases/general-services-administrations-logingov-pilot-04112024#.

And here’s what GSA’s April 11 press release says.

Specifically, over the next few months, Login.gov will:

Pilot facial matching technology consistent with the National Institute of Standards and Technology’s Digital Identity Guidelines (800-63-3) to achieve evidence-based remote identity verification at the IAL2 level….

Using proven facial matching technology, Login.gov’s pilot will allow users to match a live selfie with the photo on a self-supplied form of photo ID, such as a driver’s license. Login.gov will not allow these images to be used for any purpose other than verifying identity, an approach which reflects Login.gov’s longstanding commitment to ensuring the privacy of its users. This pilot is slated to start in May with a handful of existing agency-partners who have expressed interest, with the pilot expanding to additional partners over the summer. GSA will simultaneously seek an independent third party assessment (Kantara) of IAL2 compliance, which GSA expects will be completed later this year.
From https://www.gsa.gov/about-us/newsroom/news-releases/general-services-administrations-logingov-pilot-04112024#.

In short, GSA’s April 11 press release about the Login.gov pilot says that it expects to complete IAL2 compliance later this year. So it’s going to take more than a year for the GSA to repair the gap that its Inspector General identified.

My seasoned response

Once I saw Steve’s update this morning, I felt it sufficiently important to share the news among Bredemarket’s various social channels.

With a picture.

B-side of Elton John “Your Song” single issued 1970.

For those of you who are not as “seasoned” as I am, the picture depicts the B-side of a 1970 vinyl 7″ single (not a compact disc) from Elton John, taken from the album that broke Elton in the United States. (Not literally; that would come a few years later.)

By the way, while the original orchestrated studio version is great, the November 1970 live version with just the Elton John – Dee Murray – Nigel Olsson trio is OUTSTANDING.

From https://www.youtube.com/watch?v=cC1ocO0pVgs.

Back to Bredemarket social media. If you go to my Instagram post on this topic, I was able to incorporate an audio snippet from “Take Me to the Pilot” (studio version) into the post. (You may have to go to the Instagram post to actually hear the audio.)

View this post on Instagram

A post shared by John Bredehoft (Bredemarket) (@bredemarket)

Not that the song has anything to do with identity verification using government ID documents paired with facial recognition. Or maybe it does; Elton John doesn’t know what the song means, and even lyricist Bernie Taupin doesn’t know what the song means.

So from now on I’m going to say that “Take Me to the Pilot” documents future efforts toward IAL2 compliance. Although frankly the lyrics sound like they describe a successful iris spoofing attempt.

Through a glass eye, your throne
Is the one danger zone
From https://genius.com/Elton-john-take-me-to-the-pilot-lyrics.

Postscript

For you young whippersnappers who don’t understand why the opening image mentioned “54 Years On,” this is a reference to another Elton John song.

And it’s no surprise that the live version is better.

From https://www.youtube.com/watch?v=rRngmF-AcFQ.

Now I’m going to listen to this all day. Cue the Instagram post (if Instagram has access to the 17-11-70/11-17-70 version).

Age Assurance Meets Identity Assurance (Level 2)

I’ve talked about age verification and age estimation here and elsewhere. And I’ve also talked about Identity Assurance Level 2. But I’ve never discussed both simultaneously until now.

I belatedly read this March 2024 article that describes Georgia’s proposed bill to regulate access to material deemed harmful to minors.

A minor in Georgia (named Jimmy Carter) in the 1920s, before computers allowed access to adult material. From National Park Service, https://www.nps.gov/jica/learn/historyculture/early-life.htm.

The Georgia bill explicitly mentions Identity Assurance Level 2.

Under the bill, the age verification methods would have to meet or exceed the National Institute of Standards and Technology’s Identity Assurance Level 2 standard.

So if you think you can use Login.gov to access a porn website, think again.

There’s also a mention of mobile driver’s licenses, albeit without a corresponding mention of the ISO/IEC 18013-5:2021.

Specifically mentioned in the bill text is “digitized identification cards,” described as “a data file available on a mobile device with connectivity to the internet that contains all of the data elements visible on the face and back of a driver’s license or identification card.”

So digital identity is becoming more important for online access, as long as certain standards are met.

Login.gov and IAL2 #realsoonnow

Back in August 2023, the U.S. General Services Administration published a blog post that included the following statement:

Login.gov is on a path to providing an IAL2-compliant identity verification service to its customers in a responsible, equitable way. Building on the strong evidence-based identity verification that Login.gov already offers, Login.gov is on a path to providing IAL2-compliant identity verification that ensures both strong security and broad and equitable access.
From https://www.gsa.gov/blog/2023/08/18/reducing-fraud-and-increasing-access-drives-record-adoption-and-usage-of-logingov

It’s nice to know…NOW…that Login.gov is working to achieve IAL2.

This post explains what the August 2023 GSA post said, and what it didn’t say.

But first, I’ll define what Login.gov and “IAL2” are.

What is Login.gov?

Here is what Login.gov says about itself:

Login.gov is a secure sign in service used by the public to sign in to participating government agencies. Participating agencies will ask you to create a Login.gov account to securely access your information on their website or application.

You can use the same username and password to access any agency that partners with Login.gov. This streamlines your process and eliminates the need to remember multiple usernames and passwords.
From https://www.login.gov/what-is-login/

From https://www.gsa.gov/about-us/organization/federal-acquisition-service/technology-transformation-services

Obviously there are a number of private companies (over 80 last I counted) that provide secure access to information, but Login.gov is provided by the government itself—specifically by the General Services Administration’s Technology Transformation Services. Agencies at the federal, state, and local level can work with the GSA TTS’ “18F” organization to implement solutions such as Login.gov.

Why would agencies implement Login.gov? Because the agencies want to protect their constituents’ information. If fraudsters capture personally identifiable information (PII) of someone applying for government services, the breached government agency will face severe repurcussions. Login.gov is supposed to protect its partner agencies from these nightmares.

How does Login.gov do this?

Sometimes you might use two-factor authentication consisting of a password and a second factor such as an SMS code or the use of an authentication app.
In more critical cases, Login.gov requests a more reliable method of identification, such as a government-issued photo ID (driver’s license, passport, etc.).

What is IAL2?

At the risk of repeating myself, I’ll briefly go over what “Identity Assurance Level 2” (IAL2) is.

From https://pages.nist.gov/800-63-3/sp800-63a.html

The U.S. National Institute of Standards and Technology, in its publication NIST SP 800-63a, has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs. (I’ll define the other acronyms as we go along.)

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.
From https://pages.nist.gov/800-63-3/sp800-63a.html#sec2

So in its simplest terms, IAL2 requires evidence of a verified credential so that an online person can be linked to a real-life identity. If someone says they’re “John Bredehoft” and fills in an online application to receive government services, IAL2 compliance helps to ensure that the person filling out the online application truly IS John Bredehoft, and not Bernie Madoff.

As more and more of us conduct business—including government business—online, IAL2 compliance is essential to reduce fraud.

One more thing about IAL2 compliance. The mere possession of a valid government issued photo ID is NOT sufficient for IAL2 compliance. After all, Bernie Madoff may be using John Bredehoft’s driver’s license. To make sure that it’s John Bredehoft using John Bredehoft’s driver’s license, an additional check is needed.

This has been explained by ID.me, a private company that happens to compete with Login.gov to provide identity proofing services to government agencies.

Biometric comparison (e.g., selfie with liveness detection or fingerprint) of the strongest piece of evidence to the applicant
From https://network.id.me/article/what-is-nist-ial2-identity-verification/

So you basically take the information on a driver’s license and perform a facial recognition 1:1 comparison with the person possessing the driver’s license, ideally using liveness det e ction, to make sure that the presented person is not a fake.

From https://www.nist.gov/news-events/news/2023/09/whats-wrong-picture-nist-face-analysis-program-helps-find-answers

So what?

So the GSA was apparently claiming how secure Login.gov was. Guess who challenged the claim?

The GSA.

Now sometimes it’s ludicrous to think that the government can police itself, but in some cases government actually identifies government faults.

Of course, this works best when you can identify problems with some other government entity.

Which is why the General Services Administration has an Inspector General. And in March 2023, the GSA Inspector General released a report with the following title: “GSA Misled Customers on Login.gov’s Compliance with Digital Identity Standards.”

The title is pretty clear, but Fedscoop summarized the findings for those who missed the obvious:

As part of an investigation that has run since last April (2022), GSA’s Office of the Inspector General found that the agency was billing agencies for IAL2-compliant services, even though Login.gov did not meet Identity Assurance Level 2 (IAL2) standards.

GSA knowingly billed over $10 million for services provided through contracts with other federal agencies, even though Login.gov is not IAL2 compliant, according to the watchdog.
From https://fedscoop.com/gsa-login-gov-watchdog-report/

So now GSA is explicitly saying that Login.gov ISN’T IAL2-compliant.

Which helps its private sector competitors.

The Difference Between Identity Assurance Levels 2 and 3

It’s been years since I talked about Identity Assurance Levels (IALs) in any detail, but I wanted to delve into two of the levels and see when IAL3 is necessary, and when it is not.

But first, a review

If the term “identity assurance level” is new to you, let me reprint what they are. This is taken from my December 3, 2020 post on identity assurance levels and digital identity.

The U.S. National Institute of Standards and Technology has defined “identity assurance levels” (IALs) that can be used when dealing with digital identities. It’s helpful to review how NIST has defined the IALs.

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

For purposes of this post, IAL1 is (if I may use a technical term) a nothingburger. It may be good enough for a Gmail account, but these days even social media accounts are more likely to require IAL2.

And it’s worthwhile to mention (as I did before) that in practice, IAL3 may not require physical presence.

IAL3: In-person or supervised-remote identity proofing is required.
From https://id4d.worldbank.org/guide/levels-assurance-loas

So what’s the practical difference between IAL2 and IAL3?

If we ignore IAL1 and concentrate on IAL2 and IAL3, we can see one difference between the two. IAL2 allows remote, unsupervised identity proofing, while IAL3 requires (in practice) that any remote identity proofing is supervised.

Much of my time at my previous employer Incode Technologies involved unsupervised remote identity proofing (IAL2). For example, if a woman wants to set up an account at a casino, she can complete the onboarding process to set up the account on her phone, without anyone from the casino being present to make sure she wasn’t faking her face or her ID. (Fraud detection is the “technologies” part of Incode Technologies, and that’s how they make sure she isn’t faking.)

From https://www.youtube.com/watch?v=w4Y725Pn5HE

But what if you need supervised remote identity proofing for legal or other reasons? Another company called NextgenID offers this.

From https://www.youtube.com/watch?v=ykDdCgkrMKs

But is this good enough? Yes it is, according to Nextgen.

SRIP provides remote supervision of in-person proofing using NextgenID’s Identity Stations, an all-in-one system designed to securely perform all enrollment processes and workflow requirements. The station facilitates the complete and accurate capture at IAL levels 1, 2 and 3 of all required personal identity documentations and includes a full complement of biometric capture support for face, fingerprint, and iris.
From https://www.nextgenid.com/markets-srip.php

Now there are some other differences between IAL2 and IAL3 in terms of the proofing, so NIST came up with a handy dandy chart that allows you to decide which IAL level you need.

From NIST Special Publication 800-63
Revision 3, Section 6.1 “Selecting IAL.”

When deciding between IAL2 and IAL3, question 3 in the table above is the most critical. NIST explains the purpose of question 3:

At this point, the agency understands that some level of proofing is required. Step 3 is intended to look at the potential impacts of an identity proofing failure to determine if IAL2 or IAL3 is the most appropriate selection. The primary identity proofing failure an agency may encounter is accepting a falsified identity as true, therefore providing a service or benefit to the wrong or ineligible person. In addition, proofing, when not required, or collecting more information than needed is a risk in and of itself. Hence, obtaining verified attribute information when not needed is also considered an identity proofing failure. This step should identify if the agency answered Step 1 and 2 incorrectly, realizing they do not need personal information to deliver the service. Risk should be considered from the perspective of the organization and to the user, since one may not be negatively impacted while the other could be significantly harmed. Agency risk management processes should commence with this step.
From https://pages.nist.gov/800-63-3/sp800-63-3.html#sec6

Even with the complexity of the flowchart, some determinations can be pretty simple. For example, if any of the six risks listed under question 3 are determined to be “high,” then you must use IAL3.

But the whole exercise is a lot to work through, and you need to work through it yourself. When I pasted the PNG file for the flowchart above into this blog post, I noticed that the filename is “IAL_CYOA.png.” And we all know what “CYOA” means.

But if you do the work, you’ll be better informed on the procedures you need to use to verify the identities of people.

One footnote: although NIST is a U.S. organization, its identity assurance levels (including IAL2 and IAL3) are used worldwide, including by the World Bank. So everyone should be familiar with them.

Identity assurance levels (IALs) and digital identity

(Part of the biometric product marketing expert series)

There is more and more talk about digital identity, especially as COVID-19 accelerates the move to contactless and remote transactions. However, there are many types of digital identity, ranging from a Colorado, Louisiana, or Oklahoma digital driver’s license to your Facebook, Google, or Microsoft ID to the online equivalent of my old Radio Shack Battery Club card.

All of these different types of digital identities suggest that some identities are more rigorous than others. For example, I’ve lost track of how many digital identities I’ve created with Google over the years, but if California ever gets around to implementing a digital driver’s license, I’ll only have one of them. (And I won’t be able to get another license in Nevada.)

In this particular case, the government IS here to help.

Assurance in a subscriber’s identity is described using one of three IALs:

IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the subject’s activities are self-asserted or should be treated as self-asserted (including attributes a [Credential Service Provider] CSP asserts to an [Relying Party] RP). Self-asserted attributes are neither validated nor verified.

IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing. Attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL2 can support IAL1 transactions if the user consents.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained CSP representative. As with IAL2, attributes could be asserted by CSPs to RPs in support of pseudonymous identity with verified attributes. A CSP that supports IAL3 can support IAL1 and IAL2 identity attributes if the user consents.

Interestingly, the standard assumes that pseudonymous identity can be proofed…but this requires that SOMEONE know the actual identity.

And in practice, the “physical presence” requirement of IAL3 can be met by either being “in-person,” or in a “supervised remote” case. (This is needed to make sure that I don’t register with someone else’s face, for example.)

So when considering the robustness of any digital identity scheme, it’s necessary to ascertain whether the digital identity can reliably be mapped to a real life identity. This doesn’t necessarily mean that IAL1 is bad per se; in some cases, such as my old Radio Shack Battery Club example, a robust mapping to a real life identity is NOT necessary.

But in other cases, such as a need to gain entrance to a nuclear power plant, that reliable mapping IS essential.