Strong Authentication and US Federal Digital Services

Post on 22-Jan-2018


Paul Grassi, Senior Standards and Technology Advisor, NIST

current state

based on

It gets worse

everyone else

where does FIDO fit in?

Privacy Enhancing & Voluntary

Secure & Resilient

Interoperable

Cost-Effective & Easy to Use

Authenticator Assurance Levels

AAL1, AAL2, AAL3

Authenticator Assurance Level 3 (formerly known as LOA4)

AAL 3 is intended to provide the highest practical remote network authentication assurance. Authentication at AAL 3 is based on proof of possession of a key in a physical authenticator through a cryptographic protocol. AAL 3 is similar to AAL 2 except that only hardware cryptographic authenticators (in conjunction with a memorized secret for single-factor cryptographic devices) and multi-factor OTP devices are allowed. The authenticator SHALL be a hardware cryptographic module validated at Federal Information Processing Standard (FIPS) 140 Level 2 or higher overall (Level 1 for single-factor authenticators) with at least FIPS 140 Level 3 physical security.
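The "proof of possession of a key in a physical authenticator through a cryptographic protocol" that AAL 3 rests on, shown as an added example (not code from the presentation or from NIST): a challenge-response exchange between a simulated authenticator and a verifier. The in-memory Ed25519 key stands in for the FIPS 140 validated hardware module that would hold it at AAL 3; the relying-party identifier login.example.gov, the user names and the look-alike domain are assumptions for illustration. The verifier consumes each challenge once (replay), and the authenticator signs the challenge bound to the relying party it sees, so an assertion captured by a look-alike site fails at the real one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// rpID is an assumed relying-party identifier (the role the RP ID / origin
// plays in FIDO/WebAuthn). Example value only.
const rpID = "login.example.gov"

// Authenticator simulates a physical cryptographic authenticator. At AAL 3 the
// private key lives inside a FIPS 140 validated hardware module and never
// leaves it; an in-memory Ed25519 key stands in for that module here.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// toBeSigned binds the challenge to the relying party the authenticator
// believes it is talking to. That binding is what resists verifier
// impersonation: an assertion obtained by a look-alike site carries the
// wrong RP ID and is rejected by the genuine verifier.
func toBeSigned(rp string, challenge []byte) []byte {
	msg := append([]byte(rp), 0) // 0 byte separates RP ID from challenge
	return append(msg, challenge...)
}

// Assert proves possession of the private key by signing the challenge
// for the RP the authenticator sees in front of it.
func (a *Authenticator) Assert(seenRP string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, toBeSigned(seenRP, challenge))
}

// Verifier is the server side: it enrolls public keys, issues one-time
// challenges, and accepts only signatures over a challenge it issued and
// has not yet consumed.
type Verifier struct {
	enrolled map[string]ed25519.PublicKey // user -> enrolled public key
	pending  map[string][]byte            // user -> outstanding challenge
}

func NewVerifier() *Verifier {
	return &Verifier{enrolled: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (v *Verifier) Enroll(user string, pub ed25519.PublicKey) { v.enrolled[user] = pub }

// Challenge issues a fresh 32-byte random nonce; reusing nonces would let a
// captured assertion be replayed.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[user] = c
	return c, nil
}

// Verify checks the proof of possession. The outstanding challenge is
// consumed whether or not the signature verifies, so each challenge
// accepts at most one assertion.
func (v *Verifier) Verify(user string, challenge, sig []byte) error {
	pub, ok := v.enrolled[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, outstanding := v.pending[user]
	delete(v.pending, user)
	if !outstanding || !bytes.Equal(want, challenge) {
		return errors.New("challenge not outstanding (stale or replayed)")
	}
	if !ed25519.Verify(pub, toBeSigned(rpID, challenge), sig) {
		return errors.New("signature does not prove possession of the enrolled key")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	v := NewVerifier()
	v.Enroll("alice", auth.PublicKey())

	c, _ := v.Challenge("alice")
	sig := auth.Assert(rpID, c)
	fmt.Println("genuine login:", v.Verify("alice", c, sig))      // <nil>
	fmt.Println("replayed assertion:", v.Verify("alice", c, sig)) // error

	c2, _ := v.Challenge("alice")
	phished := auth.Assert("login.example-gov.com", c2) // signed for a look-alike RP
	fmt.Println("phished assertion:", v.Verify("alice", c2, phished)) // error
}
```

The signature alone does not make this AAL 3: the level also depends on the key being non-exportable from a validated hardware module and on the second factor (memorized secret or multi-factor OTP device) the passage above requires. What the exchange shows is the protocol property the level builds on: the verifier never learns the private key, only that whoever answered the fresh challenge holds it.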

always supported

newly supported

USG Use Cases

M-05-24

So we need a new interoperability target?

what else?

Strength of Function for Authenticators (SOFA)

https://pages.nist.gov/SOFA

dig-comments@nist.gov

pag3@nist.gov

https://www.nist.gov/itl/tig

@TrustedIDsNIST

https://service.govdelivery.com/accounts/USNIST/subscriber/new?topic_id=USNIST_213

http://trustedidentities.blogs.govdelivery.com

https://github.com/usnistgov/800-63-3