Nobody knows you're a dog
- Published in 1993, Peter Steiner's cartoon is the most reproduced New Yorker cartoon of all time.
- Who you are on the internet has always been a Hard Problem
NIST 800-63-3
- Passwords
- Authenticator Assurance Level (AAL)
- Identity Assurance Level (IAL)
Passwords
- Length most important
- Complexity is counterproductive
- Hard to guess, easy to remember
Passwords (cont)
Your gov IT is likely not following NIST guidelines.
Forced expiration, composition (UPPER, lower, punctuation, etc), and
security questions (mother's maiden name) are explicitly discouraged.
Authenticator Assurance Level 1
Authenticator Assurance Level 2
Authenticator Assurance Level 3
AAL3
"very high confidence" with multi-factor using hardware-based authenticator, approved cryptography.
Example: PIV card + PIN
Identity Proofing
AAL + IAL
Your Identity Assurance Level cannot be higher than your Authenticator Assurance Level.
Example: IAL2 requires AAL2 or higher. IAL3 requires AAL3.
Identity Assurance Level 1
IAL1
Personal information MAY be collected but SHALL NOT be validated or verified. All attributes are understood to be self-asserted.
You can be a dog on the internet.
Identity Assurance Level 2
IAL2
Personal information must be collected, validated and verified, in-person (physical) or online (remote).
- "Superior" or "Strong" + "Fair" evidence
- "Strong" verification process
- Address confirmation
You might be a dog on the internet, but pretty good chance you aren't.
Identity Assurance Level 3
IAL3
Same as IAL2, plus:
- Must be in-person
- Must collect and retain biometric evidence
- Address confirmation to postal address
You proved you aren't a dog in real life, and AAL3+IAL3 means you very likely aren't one on the internet.
Trust
In the end, it all comes down to trust and how we measure it.