Post on 22-Jan-2018
transcript
Strong Authentication and US Federal Digital Services
Paul Grassi, Senior Standards and Technology Advisor, NIST
current state
based on
It gets worse
everyone else
where does FIDO fit in?
Privacy Enhancing & Voluntary
Secure & Resilient
Interoperable
Cost-Effective & Easy to Use
Authenticator Assurance Levels: AAL1, AAL2, AAL3
Authenticator Assurance Level 3 (formerly known as LOA4)
AAL 3 is intended to provide the highest practical remote network authentication assurance. Authentication at AAL 3 is based on proof of possession of a key in a physical authenticator through a cryptographic protocol. AAL 3 is similar to AAL 2 except that only hardware cryptographic authenticators (in conjunction with a memorized secret for single-factor cryptographic devices) and multi-factor OTP devices are allowed. The authenticator SHALL be a hardware cryptographic module validated at Federal Information Processing Standard (FIPS) 140 Level 2 or higher overall (Level 1 for single-factor authenticators) with at least FIPS 140 Level 3 physical security.
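The AAL 3 rules above interact in a way that is easy to get wrong when a relying party decides whether a login may be asserted at AAL 3: the FIPS 140 overall level required depends on whether the device is single- or multi-factor, the physical-security floor does not, and a single-factor cryptographic device only counts together with a memorized secret. The following Python is an added example, not NIST's code or anything from the slides; the `Authenticator` record, its field names (`kind`, `hardware`, `fips140_overall_level`, `fips140_physical_level`) and the sample devices are constructed for illustration and are not real validation data.

```python
"""Added example: the AAL 3 authenticator rules quoted above, encoded as a
policy check a verifier or relying party can run over the authenticator
metadata it receives. All names, fields and sample values are constructed
for this example (assumption), not NIST identifiers or real certificate data."""
from dataclasses import dataclass

# Authenticator types the quoted text allows as the basis of an AAL 3 claim.
SINGLE_FACTOR_CRYPTO = "single_factor_crypto_device"
MULTI_FACTOR_CRYPTO = "multi_factor_crypto_device"
MULTI_FACTOR_OTP = "multi_factor_otp_device"
# A memorized secret never qualifies on its own at AAL 3; it is only the
# second factor paired with a single-factor cryptographic device.
MEMORIZED_SECRET = "memorized_secret"
AAL3_PRIMARY = {SINGLE_FACTOR_CRYPTO, MULTI_FACTOR_CRYPTO, MULTI_FACTOR_OTP}


@dataclass(frozen=True)
class Authenticator:
    kind: str
    hardware: bool = False
    fips140_overall_level: int = 0   # 0 means no FIPS 140 validation at all
    fips140_physical_level: int = 0  # physical security level of the module


def check_hardware_module(a):
    """Findings for one primary authenticator against the FIPS 140 rule.

    Empty list means the device itself satisfies the hardware requirement."""
    findings = []
    if not a.hardware:
        findings.append(f"{a.kind}: software authenticators do not qualify at AAL 3")
    # Level 2 overall is the general rule; Level 1 suffices for single-factor devices.
    need_overall = 1 if a.kind == SINGLE_FACTOR_CRYPTO else 2
    if a.fips140_overall_level < need_overall:
        findings.append(f"{a.kind}: FIPS 140 overall level {a.fips140_overall_level}"
                        f" is below the required Level {need_overall}")
    # The physical-security floor is Level 3 regardless of device type.
    if a.fips140_physical_level < 3:
        findings.append(f"{a.kind}: FIPS 140 physical security level"
                        f" {a.fips140_physical_level} is below the required Level 3")
    return findings


def evaluate_aal3(presented):
    """Return (satisfied, qualifying_paths, findings) for the authenticators
    presented in one authentication event.

    satisfied is True when at least one allowed combination qualifies;
    findings explain every device that did not."""
    findings = []
    qualifying_paths = []
    kinds = {a.kind for a in presented}
    for a in presented:
        if a.kind == MEMORIZED_SECRET:
            continue  # only meaningful as the second factor, handled below
        if a.kind not in AAL3_PRIMARY:
            findings.append(f"{a.kind}: not an authenticator type allowed at AAL 3")
            continue
        device_findings = check_hardware_module(a)
        if device_findings:
            findings.extend(device_findings)
            continue
        if a.kind == SINGLE_FACTOR_CRYPTO:
            if MEMORIZED_SECRET in kinds:
                qualifying_paths.append(f"{SINGLE_FACTOR_CRYPTO} + {MEMORIZED_SECRET}")
            else:
                findings.append(f"{a.kind}: needs a memorized secret as the second factor")
        else:
            qualifying_paths.append(a.kind)
    if not qualifying_paths and not findings:
        findings.append("no hardware cryptographic or multi-factor OTP authenticator presented")
    return bool(qualifying_paths), qualifying_paths, findings


if __name__ == "__main__":
    # Constructed sample devices (not real validation records).
    key = Authenticator(SINGLE_FACTOR_CRYPTO, hardware=True,
                        fips140_overall_level=1, fips140_physical_level=3)
    pin = Authenticator(MEMORIZED_SECRET)
    for label, devices in [("key alone", [key]), ("key + PIN", [key, pin])]:
        ok, paths, why = evaluate_aal3(devices)
        print(label, "->", "AAL3" if ok else "below AAL3", paths or why)
```

The check deliberately reports all findings rather than stopping at the first one, so an audit log shows every reason a claimed AAL 3 login was downgraded; a verifier would run it over attestation or enrollment metadata it already trusts, since an authenticator self-reporting its own FIPS level is not proof of anything.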
always supported
newly supported
USG Use Cases
?M-05-24
So we need a new interoperability target?
what else?
dig-comments@nist.gov
pag3@nist.gov
https://www.nist.gov/itl/tig
@TrustedIDsNIST
https://service.govdelivery.com/accounts/USNIST/subscriber/new?topic_id=USNIST_213
http://trustedidentities.blogs.govdelivery.com
https://github.com/usnistgov/800-63-3