Posted June 19, 2017
The National Institute of Standards and Technology (NIST) has long been an authoritative reference source for authentication assurance guidance. Its latest publication, “Digital Identity Guidelines,” is no exception. The guidelines update previous standards and extend them to address identity and authentication as a service, providing the concepts and language necessary for proper care and feeding of digital identities.
Digital identity and authentication are the bedrock of online security, which is fast becoming a national security priority. The Digital Identity Guidelines represent a prudent expenditure of taxpayer dollars. What follows is a discussion of important areas where the NIST guidelines can be enhanced to provide the guidance necessary to make digital infrastructure more robust, more secure and easier to use.
Relative vs. absolute assurance levels
In 800-63B section 4, the three authenticator assurance levels (AAL) are defined in relative terms:
“Some assurance,” “high confidence” and “very high confidence” are qualitative abstractions used in place of certainty. The NIST guidelines would be more valuable if AAL1, AAL2 and AAL3 were defined directly in terms of the attacks they mitigate. The target list should include online guessing/cracking, phishing, keyboard logging, OS-based attacks, network-based attacks, emulation, cloning, spoofing, and others.
Device identity confusion
The NIST guidelines lack a definition of device identity. There are multiple references to “device identity” that include statements to the effect that, while device identity mitigates risk and eliminates false positives, it does not increase assurance.
Here are examples of statements in the NIST guidelines that imply device identity does not enhance the assurance level.
The challenge with these statements is that there is no definition of “device identity,” which creates opportunity for speculation. Logically, if “device identity or geo-location may be used to identify or prevent possible authentication false positives,” then shouldn’t it result in increased assurance levels? One can speculate that “device identity” refers to probabilistic methods for measuring device identity. Even so, if a probabilistic device/transaction risk score helps identify risk and identifies or mitigates false positives, then it does enhance the assurance level or confidence level. The NIST guidelines should minimize these opportunities for ambiguity and provide an accurate definition of “device identity.” The NIST guidelines should also explain how it is possible for an identity artifact (probabilistic or deterministic) that improves the authentication outcome to not raise the assurance level.
The confusion is compounded by other references stating that a device is “something you have” and can be used as an independent authentication factor, which increases the assurance level, as in 63-3B Section 4.2.1, which states: “Therefore, it is unnecessary to implement another factor with biometrics as the device is ‘something you have,’ which serves as a valid second factor of the authenticator.”
Device identity mitigates false negatives
The NIST Digital Identity Guidelines state that “As part of authentication, mechanisms such as device identity or geolocation may be used to identify or prevent possible authentication false positives” but that they do not increase assurance levels. An authentication false positive is where the claimant is falsely authenticated as a fraudster. Device identity and contextual authentication are effective in identifying false positives. However, equally important is the prevention of false negatives, where a fraudster is falsely authenticated as the legitimate subscriber. There are common scenarios that result in authentication false negatives, including:
Device identity is an effective way to protect credentials that can be stolen, guessed or fraudulently reset to a new value. When device identity is used in combination with contextual authentication (location, IP address, etc.) and behavioral analytics, it provides a powerful, flexible way to bind an authenticator to a user in real time. This continuous real-time validation of the user/authenticator binding prevents both authentication false positives and authentication false negatives. In the interests of broader understanding and uniform best practices, the NIST should provide a rational justification for its claim that device identity and geolocation do not enhance the assurance level.
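As an added illustration (not part of the original post, and not code from NIST or any CSP), the following Python sketch shows what a risk-based binding of authenticator to user looks like in practice: a bound device fingerprint, geolocation, IP reputation, time of day and a simple behavioral signal are combined into one score that decides whether a login is allowed, stepped up to a second factor, or refused. The subscriber profile, the weights, the thresholds and the three login events are all constructed assumptions for the example; the field names and signal categories are hypothetical and not drawn from the guidelines.

```python
"""Risk-based authentication decision (added example, constructed data).

The point it demonstrates, in the post's own terms: a legitimate subscriber on a
bound device from a usual context passes without friction (no authentication
false positive), while an attacker who presents a correct but stolen password
from an unbound device and unusual context is challenged or refused (no
authentication false negative).
"""
from dataclasses import dataclass


@dataclass
class SubscriberProfile:
    subscriber_id: str
    bound_devices: frozenset        # device fingerprints previously bound to this subscriber
    usual_countries: frozenset      # countries seen in the subscriber's normal history
    usual_hours_utc: range          # hours (UTC) in which the subscriber normally logs in
    typing_cadence_ms: float        # baseline inter-keystroke timing (behavioral signal)


@dataclass
class LoginEvent:
    subscriber_id: str
    password_ok: bool               # result of the primary credential check
    device_fingerprint: str
    country: str
    ip_reputation: str              # "clean", "anonymizing_proxy" or "known_bad" (assumed categories)
    hour_utc: int
    typing_cadence_ms: float


# Assumed weights: how much each contextual deviation raises the risk score.
WEIGHTS = {
    "unbound_device": 40,
    "unusual_country": 25,
    "anonymizing_proxy": 15,
    "known_bad_ip": 40,
    "unusual_hour": 10,
    "cadence_mismatch": 15,
}
CADENCE_TOLERANCE = 0.30  # relative deviation from baseline tolerated before flagging

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"


def score_event(profile: SubscriberProfile, event: LoginEvent):
    """Return (risk_score, reasons) for one login event against the subscriber's profile."""
    score, reasons = 0, []
    if event.device_fingerprint not in profile.bound_devices:
        score += WEIGHTS["unbound_device"]
        reasons.append("device not bound to subscriber")
    if event.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append(f"unusual country {event.country}")
    if event.ip_reputation == "anonymizing_proxy":
        score += WEIGHTS["anonymizing_proxy"]
        reasons.append("source IP is an anonymizing proxy")
    elif event.ip_reputation == "known_bad":
        score += WEIGHTS["known_bad_ip"]
        reasons.append("source IP has bad reputation")
    if event.hour_utc not in profile.usual_hours_utc:
        score += WEIGHTS["unusual_hour"]
        reasons.append(f"unusual login hour {event.hour_utc:02d}:00 UTC")
    deviation = abs(event.typing_cadence_ms - profile.typing_cadence_ms) / profile.typing_cadence_ms
    if deviation > CADENCE_TOLERANCE:
        score += WEIGHTS["cadence_mismatch"]
        reasons.append("typing cadence does not match baseline")
    return score, reasons


def decide(profile: SubscriberProfile, event: LoginEvent):
    """Map the risk score to a decision. A failed password is refused outright."""
    if not event.password_ok:
        return DENY, ["primary credential check failed"]
    score, reasons = score_event(profile, event)
    if score < 20:
        return ALLOW, reasons       # bound device, usual context: no extra friction
    if score < 60:
        return STEP_UP, reasons     # plausible but unusual: require a second factor
    return DENY, reasons            # stolen credential on an unbound device: refuse


# Constructed subscriber profile and login events.
PROFILE = SubscriberProfile("alice", frozenset({"dev-laptop-7f3a"}), frozenset({"US"}), range(6, 23), 180.0)
HOME_LOGIN = LoginEvent("alice", True, "dev-laptop-7f3a", "US", "clean", 9, 175.0)
TRAVEL_LOGIN = LoginEvent("alice", True, "dev-laptop-7f3a", "DE", "clean", 14, 185.0)
# Correct password, but an unbound device, placeholder country "XX", a proxy, 03:00 UTC and a foreign cadence.
STOLEN_PASSWORD_LOGIN = LoginEvent("alice", True, "dev-unknown-0c9e", "XX", "anonymizing_proxy", 3, 60.0)

if __name__ == "__main__":
    for label, event in [("home", HOME_LOGIN), ("travel", TRAVEL_LOGIN), ("stolen password", STOLEN_PASSWORD_LOGIN)]:
        decision, reasons = decide(PROFILE, event)
        print(f"{label:16s} -> {decision:8s} {'; '.join(reasons) or 'no anomalies'}")
```

The stolen-password case is the one the post cares about: the primary credential check passes, and only the device binding and contextual signals turn the outcome from a silent false negative into a refusal. The travel case shows the other side, where a bound device keeps a legitimate but unusual login at a step-up rather than a lockout.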
Risk-based mechanisms enhance identity assurance
In-person identity proofing is expensive and is not practical for many scenarios. For remote identity proofing, device identity and contextual factors, such as geolocation, are an effective approach to increasing confidence in the identity of the claimant. Yet there is no mention in the NIST guidelines that risk-based mechanisms increase identity assurance level (IAL). However, Section 4.2 of 800-63A does include geolocation and device characteristics in the requirements section:
If risk-based approaches, such as geo-location, device characteristics and others, enable the Credential Service Provider (CSP) to obtain additional identity confidence, then the document should include an explicit acknowledgement that risk-based approaches increase the IAL.
The NIST is moving in the right direction, but more work is required to make its Digital Identity Guidelines sufficiently robust for the messiness of the real world. Even where embedded authenticators are available, they are single points of failure that can be bypassed by theft, hijacking or cloning. Future NIST documents on authentication should reflect the reality that risk-based mechanisms (i.e. device identity, contextual authentication, behavioral analytics) provide CSPs and relying parties with higher levels of assurance in the digital identities of their subscribers.