Digital Identity

Peter Karman

https://karpet.github.io/slides/digital-identity/

Nobody knows you're a dog

NIST 800-63-3

Passwords

Passwords (cont)

Your gov IT is likely not following NIST guidelines. Forced expiration, composition rules (UPPER, lower, punctuation, etc.), and security questions (mother's maiden name) are explicitly discouraged.
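As an added example (not from the slides, and not NIST's own reference code), here is a password verifier that follows the guidance the deck summarizes: length is the main rule, there are no composition requirements, and a candidate secret is rejected only if it is on a blocklist of compromised or common values, is a repetition, or contains context-specific words such as the username or service name. The blocklist and the sample passwords are constructed for the example; a real deployment would load a large breach corpus. The `check_password`, `normalize` and constant names are assumptions of this example, not identifiers from the page.

```python
"""NIST 800-63B-style memorized-secret checks (added example, not from the slides).

What the deck discourages is deliberately absent here: no forced expiration,
no "must contain upper/lower/digit/punctuation" rules, no security questions.
"""
import unicodedata

MIN_LENGTH = 8      # user-chosen secrets must be at least 8 characters
MAX_LENGTH = 64     # verifiers must accept secrets at least this long

# Constructed sample blocklist. Assumption: a real system loads a breach corpus.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical input is compared consistently."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "", service_name: str = "") -> list[str]:
    """Return the reasons a secret is rejected; an empty list means it is accepted.

    Spaces and all Unicode characters are allowed, and length is counted in
    code points rather than bytes, so passphrases and non-ASCII secrets pass.
    """
    reasons: list[str] = []
    s = normalize(secret)

    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the compromised/common password list")

    # A single repeated character ("aaaaaaaa") is trivially guessable.
    if s and len(set(s)) == 1:
        reasons.append("consists of one repeated character")

    # Context-specific words: the account name or the service name.
    for label, ctx in (("username", username), ("service name", service_name)):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains the {label}")

    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "aaaaaaaaaa"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note what the verifier does not do: it never asks for a capital letter or a digit, and it has no notion of password age, so a user-chosen passphrase with spaces is accepted as-is.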

Authenticator Assurance Level 1

AAL1

"some assurance" with single- or multi-factor
Example: password

Authenticator Assurance Level 2

AAL2

"high confidence" with two distinct factors, approved cryptography
Example: password + OTP

Authenticator Assurance Level 3

AAL3

"very high confidence" with multi-factor using hardware-based authenticator, approved cryptography.
Example: PIV card + PIN

Identity Proofing

AAL + IAL

Your Identity Assurance Level cannot be higher than your Authenticator Assurance Level.
Example: IAL2 requires AAL2 or higher. IAL3 requires AAL3.
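The two rules on this slide, together with the AAL examples on the previous ones, can be expressed as a small check. This is an added example, not code from the slides and not NIST's normative definition: it uses a simplified model in which each authenticator proves one factor (something you know, have, or are) and may be hardware-based, and it derives the AAL from the "distinct factors" and "hardware-based authenticator" conditions the deck lists. The `Authenticator`, `aal_for` and `ial_permitted` names are assumptions of this example.

```python
"""Assurance-level checks modelled on the AAL/IAL summaries in these slides.

Added example. Simplified model: AAL1 = any single authenticator, AAL2 = two
distinct factors, AAL3 = two distinct factors including a hardware-based
authenticator. The IAL rule is the slide's: IAL cannot exceed AAL.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str          # "know", "have" or "are"
    hardware: bool = False


def aal_for(authenticators: Iterable[Authenticator]) -> int:
    """Return the highest AAL the given authenticators can support (0 if none)."""
    auths = list(authenticators)
    if not auths:
        return 0
    factors = {a.factor for a in auths}
    multi_factor = len(factors) >= 2       # two passwords are NOT two factors
    if multi_factor and any(a.hardware for a in auths):
        return 3
    if multi_factor:
        return 2
    return 1


def ial_permitted(requested_ial: int, aal: int) -> bool:
    """IAL2 requires AAL2 or higher; IAL3 requires AAL3."""
    return 1 <= requested_ial <= 3 and requested_ial <= aal


# Constructed sample authenticators matching the slide examples.
PASSWORD = Authenticator("password", "know")
OTP_APP = Authenticator("OTP app", "have")
PIV_CARD = Authenticator("PIV card", "have", hardware=True)
PIN = Authenticator("PIN", "know")

if __name__ == "__main__":
    for combo in ([PASSWORD], [PASSWORD, OTP_APP], [PIV_CARD, PIN]):
        aal = aal_for(combo)
        names = " + ".join(a.name for a in combo)
        print(f"{names}: AAL{aal}, IAL3 allowed: {ial_permitted(3, aal)}")
```

The distinct-factor test is the part worth noticing: a second password or a second PIN does not raise the level, because both prove the same factor.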

Identity Assurance Level 1

IAL1

Personal information MAY be collected but SHALL NOT be validated or verified. All attributes are understood to be self-asserted.
You can be a dog on the internet.

Identity Assurance Level 2

IAL2

Personal information must be collected, validated and verified, in-person (physical) or online (remote).
You might be a dog on the internet, but there's a pretty good chance you aren't.

Identity Assurance Level 3

IAL3

Same as IAL2, plus:
  • Must be in-person
  • Must collect and retain biometric evidence
  • Address confirmation to postal address
You proved you aren't a dog in real life, and AAL3+IAL3 means you very likely aren't one on the internet.

Trust

In the end, it all comes down to trust and how we measure it.

Credits