2. Context
I’m a consultant to the National Institute of Standards and Technology
Focusing on revising US Government digital identity standards
Everything here is my own opinion; I don’t speak for NIST!
3. About SP 800-63
NIST Special Publication 800-63, Digital Identity Guidelines
Intended for federal government use, but also widely used commercially and internationally
4. Four-volume Set
SP 800-63: Digital Identity Guidelines (the overview volume)
SP 800-63A: Enrollment and Identity Proofing
SP 800-63B: Authentication and Lifecycle Management (we will focus here)
SP 800-63C: Federation and Assertions
5. Authenticator Assurance Levels (AALs)

                         AAL1                          AAL2                            AAL3
Authentication factors   1                             2                               2 (1 hardware-based)
Reauthentication         Monthly                       12 hours / 30 min inactivity    12 hours / 15 min inactivity
Intent                   Not required                  Recommended                     Mandatory
Uses                     Low-value authentication      General use                     Critical applications
                         w/ no personal data
7. What’s an Authenticator?
A secret used to authenticate
Something containing an authentication secret
Often referred to as a “token” but that word is overused
8. Factors
There are three authentication factors:
Something you know (memorized secret)
Something you have
Something you are (biometric)
Authenticators may provide 1 or 2 of these
11. Password Guidance Changes
Accept any printing Unicode character (😀, but also Å) plus the space character
Accept passwords of at least 64 characters, and don’t truncate what the user typed
No password composition rules (e.g., a required digit)
Compare against a blocklist of commonly used, expected, or compromised values (dictionary words, breach corpora) and reject matches
No periodic expiration: require a change only on evidence of compromise
No hints or “security questions”
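As an added example that is not part of the deck, here is a verifier-side acceptance check in Node.js implementing the rules above: NFKC normalization before comparison, length counted in code points, a blocklist comparison, and deliberately no composition rules. The minimum of 8 characters is SP 800-63B’s floor for user-chosen memorized secrets and is not stated on the slide; the 256-character cap and the blocklist contents are assumptions made for the example.

```javascript
// Added example: memorized-secret acceptance check following SP 800-63B (not the deck's code).
const MIN_LENGTH = 8;    // SP 800-63B minimum for user-chosen memorized secrets
const MAX_LENGTH = 256;  // assumption: accept far more than the required 64, cap only to bound hashing cost

// Constructed blocklist for the example. A real one is built from breach corpora,
// dictionary words, and context-specific strings (service name, username, ...).
const BLOCKLIST = new Set([
  'password', 'p@ssw0rd!', '123456', 'qwerty', 'letmein', 'example-corp',
]);

// Stabilize Unicode before comparing or hashing, so "Å" typed as U+00C5 and as
// "A" + U+030A (combining ring) are the same secret. SP 800-63B recommends NFKC or NFKD.
function normalizeSecret(secret) {
  return secret.normalize('NFKC');
}

// Returns the list of rejection reasons; an empty list means the secret is acceptable.
function checkPassword(candidate, blocklist = BLOCKLIST) {
  const reasons = [];
  const secret = normalizeSecret(candidate);  // never trim: spaces are legitimate characters
  const length = Array.from(secret).length;   // count code points, not UTF-16 units or bytes: "😀" is one character
  if (length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (length > MAX_LENGTH) reasons.push(`longer than ${MAX_LENGTH} characters`);
  if (blocklist.has(secret.toLowerCase())) reasons.push('commonly used or compromised value');
  // No composition rules (digit, symbol, case) and no forbidden characters: any printing
  // Unicode character plus space is allowed, so there is nothing else to check here.
  return reasons;
}

// Demo on constructed inputs: a "complex" blocklisted value fails, a long passphrase
// and an all-emoji secret of 8 code points both pass.
for (const pw of ['P@ssw0rd!', 'correct horse battery staple', '😀😀😀😀😀😀😀😀']) {
  console.log(JSON.stringify(pw), checkPassword(pw));
}
```

Note that the check returns every reason at once rather than the first one, so the user interface can explain the rejection without the user having to guess; the blocklist lookup is exact-match after normalization and lower-casing, which is what the spec asks for (a fuzzy "looks like a dictionary word" check is a composition rule in disguise).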
12. Look-Up Secrets
List of one-time passwords issued to the subscriber for account access
Not memorized, so the list is “something you have”
Typically too complex to memorize, and each secret is used only once anyway
Inexpensive solution for account recovery
13. Out-of-Band Devices
Independent communication channel to a device the subscriber possesses
Verifies possession and control of specific hardware
Email doesn’t do this: not acceptable as out-of-band
Needs close binding to the primary communication channel
Typically the claimant types a secret received over the secondary channel into the primary channel
Make sure attackers can’t get the user to approve the wrong thing (e.g., an attacker’s own sign-in attempt)
14. Restricted Authenticators
Use of the public switched telephone network (SMS, voice calls)
Doesn’t prove possession strongly enough (the number can be ported or the call redirected)
Acceptable for now with restrictions, but may not always be
Restrictions: notice to the user about the risk, and an available alternative authenticator
15. Single-Factor OTP
Device or app that generates one-time passcodes
Time-based (clock synced with the verifier) or event-based (counter advanced by a button press)
Usable anywhere there is a keyboard or keypad
Can be phished: the code is not bound to the session, so a relayed code works (protection depends on user vigilance)
Uses symmetric crypto: the verifier holds the same secret as the device, so a verifier breach reveals it
17. Single-Factor Crypto Devices
Hardware device that interfaces directly with the user endpoint
Typically USB, but increasingly NFC, BTLE
Usually requires software drivers on the user endpoint
Capabilities range from OTP generation to challenge/response to verifier impersonation resistance
18. Crypto software
Typically an X.509 client certificate/private key pair
If the private key requires activation by a memorized secret, it is considered multi-factor
Difficult to enforce rate limits on guessing attacks against that memorized secret: the protected key sits on the endpoint, so anyone who copies it can guess offline
20. Common Characteristics
Authentication intent
  Requires a physical action by the claimant (e.g., touching the device)
  Protects against malware on the endpoint using a connected hardware authenticator without the user’s knowledge
Replay resistance
  Output of the authenticator is only valid for one authentication
21. Common Characteristics (2)
Verifier impersonation resistance
  Output of the authenticator is bound to a specific authentication session (e.g., the verifier’s origin) and is invalid elsewhere
  Protects against phishing attacks
Verifier compromise resistance
  Breach of data stored by the verifier doesn’t allow an attacker to authenticate
  Example: the verifier holds only subscribers’ public keys
22. What About Biometrics?
Some problems
  Not based on a secret: fingerprints, faces, etc. are easy to obtain
  Presentation attacks (e.g., gummy-bear fingerprint)
  Probabilistic match, typically 0.1% false accept rate, so a biometric cannot stand alone as a factor
Mitigations
  Tight binding to a specific physical authenticator (the biometric only activates that authenticator)
  Authentication of the sensor if it is separate from the endpoint
  Incentives to include liveness (presentation attack) detection
23. Summary
There is no single ideal authenticator; the choice depends on use case, endpoint type, and user
Passwords have definite limitations, but continue to be important as “something you know”
Two-factor authentication should be used much more widely than it is today