Overview
LOA 4 is intended to provide the highest practical remote network authentication assurance.
LOA 4 is similar to LOA 3 except that only “hard” cryptographic tokens are allowed, the FIPS 140-2 cryptographic module validation requirements are strengthened, and subsequent critical data transfers must be authenticated using a key bound to the authentication process. The token shall be a hardware cryptographic module validated at FIPS 140-2 Level 2 or higher overall, with at least FIPS 140-2 Level 3 physical security. Because a physical token cannot readily be copied, and because FIPS 140-2 requires operator authentication for modules validated at Level 2 and higher (role-based at Level 2, identity-based at Level 3), this level ensures strong two-factor remote authentication: something the claimant has (the module) and something the claimant knows (the operator credential that unlocks it).
LOA 4 requires strong cryptographic authentication of all parties and of all sensitive data transfers between the parties. Either public key or symmetric key technology may be used. Authentication requires that the claimant prove, through a secure connection, that he or she controls the token. The protocol must prevent eavesdropper, replay, on-line guessing, verifier impersonation and man-in-the-middle attacks. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the Credential Service Provider (CSP); session (temporary) shared secrets, however, may be provided by the CSP to independent verifiers. Strong Approved cryptographic techniques are used for all operations, and all sensitive data transfers are cryptographically authenticated using keys bound to the authentication process.
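The properties listed above (proof of possession of a key that never leaves the hardware module, operator authentication before the module will operate, mutual authentication so a verifier cannot be impersonated, single-use challenges against replay, and a session key bound to the authentication transcript under which later data transfers are authenticated) are easiest to see as a concrete exchange. The following is an added example written for this page; it is not a protocol from NIST SP 800-63 or from any CSP or token vendor. It takes the symmetric-key option with HMAC-SHA256 from the Python standard library, and the class names, message labels, frame layout, 8-byte sequence numbers, three-strike PIN lockout and sample identifiers are all assumptions made for illustration.

```python
"""Symmetric-key challenge-response with a session key bound to the authentication
transcript. Added illustration, not a protocol specified by NIST SP 800-63: the
message labels, frame layout, PIN handling and identifiers are assumptions."""
import hashlib, hmac, secrets

def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    return hmac.new(key, b"".join(len(p).to_bytes(2, "big") + p for p in parts), hashlib.sha256).digest()

class HardwareToken:
    """Stand-in for a hardware module: the long-term key K never leaves the object,
    and no operation runs until the operator authenticates with a PIN."""
    def __init__(self, token_id, k, pin):
        self.token_id, self._k, self._unlocked, self._failures = token_id, k, False, 0  # _k never exported
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
    def unlock(self, pin):
        if self._failures >= 3:                              # lock out after 3 bad PINs
            return False
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        self._failures, self._unlocked = (0 if ok else self._failures + 1), ok
        return ok
    def respond(self, verifier_id, nv):
        """Prove possession of K for challenge nv: (nc, tag), or None while locked."""
        if not self._unlocked:
            return None
        nc = secrets.token_bytes(16)
        return nc, _mac(self._k, b"claimant", self.token_id, verifier_id, nv, nc)
    def check_verifier(self, verifier_id, nv, nc, tag_v):
        """Mutual authentication: an impersonator without K cannot produce tag_v."""
        return hmac.compare_digest(_mac(self._k, b"verifier", verifier_id, self.token_id, nv, nc), tag_v)
    def session_key(self, verifier_id, nv, nc, tag_c):
        """Session key derived from K and the full transcript of this run."""
        return _mac(self._k, b"session", self.token_id, verifier_id, nv, nc, tag_c)

class CSPVerifier:
    """Verifier operated by the CSP: the only other holder of long-term keys."""
    def __init__(self, verifier_id, registry):
        self.verifier_id, self._registry = verifier_id, registry   # token_id -> K
        self._outstanding = set()
    def challenge(self):
        self._outstanding.add(nv := secrets.token_bytes(16))
        return nv
    def verify(self, token_id, nv, nc, tag_c):
        """Return (verifier tag, session key), or None on failure or replay."""
        k = self._registry.get(token_id)
        if k is None or nv not in self._outstanding:         # unknown token or reused challenge
            return None
        self._outstanding.discard(nv)                        # each challenge is single-use
        if not hmac.compare_digest(_mac(k, b"claimant", token_id, self.verifier_id, nv, nc), tag_c):
            return None
        tag_v = _mac(k, b"verifier", self.verifier_id, token_id, nv, nc)
        return tag_v, _mac(k, b"session", token_id, self.verifier_id, nv, nc, tag_c)

class BoundChannel:
    """Data transfers authenticated under the session key SK (32-byte tags). SK, not K,
    is what the CSP may hand to an independent verifier or relying party."""
    def __init__(self, sk, my_role, peer_role):
        self._sk, self._me, self._peer = sk, my_role, peer_role
        self._send_seq, self._last_recv = 0, 0
    def send(self, payload):
        self._send_seq += 1
        seq = self._send_seq.to_bytes(8, "big")
        return seq + payload + _mac(self._sk, b"data", self._me, seq, payload)
    def receive(self, frame):
        """Return the payload, or None if forged, tampered, replayed or reflected."""
        seq, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        if int.from_bytes(seq, "big") <= self._last_recv or not hmac.compare_digest(
                _mac(self._sk, b"data", self._peer, seq, payload), tag):
            return None                                      # replayed/out of order, or bad tag
        self._last_recv = int.from_bytes(seq, "big")
        return payload

def run_demo():
    """One authentication plus the attacks the level must resist (constructed sample data)."""
    k = secrets.token_bytes(32)
    token = HardwareToken(b"token-001", k, "4821")
    csp = CSPVerifier(b"csp-verifier", {b"token-001": k})
    out = {}
    out["locked_refuses"] = token.respond(csp.verifier_id, csp.challenge()) is None
    out["wrong_pin_rejected"] = not token.unlock("0000")
    out["pin_accepted"] = token.unlock("4821")
    nv = csp.challenge()
    nc, tag_c = token.respond(csp.verifier_id, nv)
    tag_v, sk_v = csp.verify(b"token-001", nv, nc, tag_c)
    out["verifier_authentic"] = token.check_verifier(csp.verifier_id, nv, nc, tag_v)
    sk_c = token.session_key(csp.verifier_id, nv, nc, tag_c)
    out["session_keys_agree"] = hmac.compare_digest(sk_c, sk_v)
    out["auth_replay_rejected"] = csp.verify(b"token-001", nv, nc, tag_c) is None
    clone = HardwareToken(b"token-001", secrets.token_bytes(32), "4821")   # right PIN, wrong K
    clone.unlock("4821")
    nv2 = csp.challenge()
    out["wrong_key_rejected"] = csp.verify(b"token-001", nv2, *clone.respond(csp.verifier_id, nv2)) is None
    claimant = BoundChannel(sk_c, b"claimant", b"verifier")
    relying_party = BoundChannel(sk_v, b"verifier", b"claimant")           # holds only SK
    f = claimant.send(b"transfer 100 to acct 42")
    out["tamper_rejected"] = relying_party.receive(f[:8] + b"transfer 900 to acct 42" + f[-32:]) is None
    out["data_accepted"] = relying_party.receive(f) == b"transfer 100 to acct 42"
    out["data_replay_rejected"] = relying_party.receive(f) is None
    out["reflection_rejected"] = claimant.receive(claimant.send(b"x")) is None
    return out
```

Each check in run_demo maps to one sentence of the requirements: the long-term key K exists only inside HardwareToken and CSPVerifier, while the relying party's BoundChannel holds only the session key SK, which is the one secret the CSP may pass to an independent verifier. SK is derived from K together with both nonces and the claimant's proof, so an attacker who relays or records the exchange obtains nothing that lets it authenticate later data frames, and a consumed challenge cannot be replayed against the CSP. The PIN check stands in for FIPS 140-2 operator authentication; a real deployment would use a validated module, run the exchange over a protected channel, and add a key-expiry and re-authentication policy that this illustration omits.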