Digital Identity

Peter Karman

Nobody knows you're a dog

NIST 800-63-3


Passwords (cont)

Your gov IT is likely not following NIST guidelines. Forced expiration, composition rules (UPPER, lower, digits, punctuation, etc.), and security questions (e.g. mother's maiden name) are explicitly discouraged.
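Worked example added for this slide (not from the deck): a password check written to 800-63B's memorized-secret rules (minimum 8 characters, at least 64 accepted, compare against a blocklist of common or compromised values, no composition rules) beside the composition-rule check it replaces. The blocklist is a constructed sample, and the 256-character ceiling is an assumption.

```python
import unicodedata

# Constructed sample blocklist. A real deployment would use a large list of
# commonly used, expected, or previously breached passwords.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "letmein", "qwerty123", "welcome1"}

MIN_LEN = 8     # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 256   # assumption; 800-63B only says at least 64 must be accepted


def legacy_policy_ok(pw: str) -> bool:
    """The composition-rule policy NIST discourages: require upper, lower,
    digit and punctuation. Predictable substitutions like P@ssw0rd pass,
    long lowercase passphrases fail."""
    return (len(pw) >= MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def nist_policy_ok(pw: str, blocklist=BLOCKLIST) -> bool:
    """800-63B-style check: length bounds, Unicode normalisation so the same
    secret compares the same way, blocklist rejection, no composition rules.
    Spaces and any printable Unicode are accepted as-is."""
    pw = unicodedata.normalize("NFKC", pw)
    if not (MIN_LEN <= len(pw) <= MAX_LEN):   # len counts code points
        return False
    # Case-insensitive blocklist match is an assumption; 800-63B only
    # requires comparing against the list.
    if pw.lower() in blocklist:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short"):
        print(f"{candidate!r}: legacy={legacy_policy_ok(candidate)} "
              f"nist={nist_policy_ok(candidate)}")
```

Run it to see the two policies disagree in both directions: the composition policy accepts the blocklisted "P@ssw0rd" and rejects the passphrase, while the 800-63B-style check does the opposite.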

Authenticator Assurance Level 1


"some assurance" with single- or multi-factor authentication
Example: password

Authenticator Assurance Level 2


"high confidence" with two distinct factors, approved cryptography
Example: password + OTP

Authenticator Assurance Level 3


"very high confidence" with multi-factor authentication using a hardware-based authenticator, approved cryptography.
Example: PIV card + PIN

Identity Proofing


Your Identity Assurance Level cannot be higher than your Authenticator Assurance Level.
Example: IAL2 requires AAL2 or higher. IAL3 requires AAL3.

Identity Assurance Level 1


Personal information MAY be collected but SHALL NOT be validated or verified. All attributes are understood to be self-asserted.
You can be a dog on the internet.

Identity Assurance Level 2


Personal information must be collected, validated and verified, in-person (physical) or online (remote).
You might be a dog on the internet, but there's a pretty good chance you aren't.

Identity Assurance Level 3


Same as IAL2, plus:
  • Must be in-person
  • Must collect and retain biometric evidence
  • Address confirmation to postal address
You proved you aren't a dog in real life, and AAL3+IAL3 means you very likely aren't one on the internet.


In the end, it all comes down to trust and how we measure it.