!!! Overview
[{$pagename}] was defined in [NIST] SP 800-63-2 and has since been [deprecated]. Its successor, SP 800-63-3, replaces the single level with three separately selected levels: [Identity Assurance Level] ([IAL]) for identity proofing, [Authenticator Assurance Level] ([AAL]) for the authentication process, and [Federation Assurance Level] ([FAL]) for assertions.

[NIST SP 800-63-2|http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf|target='_blank'] was developed by the [National Institute of Standards and Technology] ([NIST]) in furtherance of its statutory responsibilities under the [Federal Information Security Management Act|Federal Information Security and Management Act] ([FISMA]) of 2002, Title III of Public Law 107-347 (the E-Government Act of 2002).

This technical guidance supplements the OMB guidance [E-Authentication Guidance for Federal Agencies] (OMB M-04-04), which defines four levels of [authentication] assurance, Level 1 to Level 4, in terms of the consequences of [authentication] errors and misuse of [credentials]. Level 1 is the lowest [Level Of Assurance] and Level 4 the highest.


!!! Level 1
Although there is no [Identity Proofing] requirement at this level, the [authentication mechanism|Authentication Method] provides some assurance that the same claimant is accessing the protected transaction or data. A wide range of [authentication] technologies may be employed, including any of the token methods of Levels 2, 3 or 4. Successful [authentication] requires that the claimant prove, through a secure [authentication] protocol, that he or she controls the [token].

Plaintext [passwords] or secrets are not transmitted across a network at Level 1. However, this level does not require [cryptographic] methods that block offline attacks by an eavesdropper. For example, simple password [challenge-response] [protocols] are allowed. In many cases an eavesdropper who has intercepted such a protocol exchange can recover the [password] with a straightforward offline dictionary attack, because every guess can be checked against the captured exchange without ever contacting the verifier.
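The weakness described above, shown as an added example (not code from NIST SP 800-63-2 or from this wiki): a bare password challenge-response where the claimant returns HMAC-SHA256 keyed with the password over the verifier's nonce. The password never crosses the wire, yet one captured (nonce, response) pair lets an eavesdropper test candidates offline. The wordlist, the user password "Summer2023!" and the protocol shape are all constructed for the illustration; the second function shows the same exchange with a 256-bit random token secret, which the wordlist cannot reach.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def respond(password: str, nonce: bytes) -> bytes:
    """Claimant side of a bare password challenge-response:
    response = HMAC-SHA256(key=password, msg=nonce).
    The password itself never crosses the wire, which is all Level 1 asks for."""
    return hmac.new(password.encode("utf-8"), nonce, hashlib.sha256).digest()


def dictionary_attack(nonce: bytes, response: bytes,
                      wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack by an eavesdropper holding one captured (nonce, response) pair.
    No verifier is contacted, so lockouts and rate limits never trigger.
    Returns (recovered password or None, number of candidates tried)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if hmac.compare_digest(respond(candidate, nonce), response):
            return candidate, tried
    return None, tried


# Constructed wordlist; a real attack would use a leaked-password corpus of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2023!", "dragon", "correct horse"]


def demo() -> Tuple[Optional[str], int]:
    """One captured exchange with the (constructed) user password 'Summer2023!'."""
    nonce = secrets.token_bytes(16)           # verifier's challenge, random per run
    captured = respond("Summer2023!", nonce)  # what the eavesdropper sees on the wire
    return dictionary_attack(nonce, captured, WORDLIST)


def demo_random_key() -> Tuple[Optional[str], int]:
    """Same protocol, but the claimant's secret is a 256-bit random key (the kind a
    Level 2/3 token holds) instead of a human-chosen password: the wordlist never hits."""
    nonce = secrets.token_bytes(16)
    captured = respond(secrets.token_hex(32), nonce)
    return dictionary_attack(nonce, captured, WORDLIST)


if __name__ == "__main__":
    print(demo())             # ('Summer2023!', 5)
    print(demo_random_key())  # (None, 7)
```

The point is not the HMAC: it is that the verifier plays no part in the attack, so nothing the verifier does (lockout, throttling, logging) helps. The only defences are a secret too large to enumerate, or a protocol whose transcript cannot be used as an offline oracle, which is what Levels 2 and above require.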

At Level 1, long-term shared [authentication] secrets may be revealed to verifiers. [Assertions] issued about claimants as a result of a successful [authentication] are either cryptographically [authenticated] by relying parties (using Approved methods), or are obtained directly from a trusted party via a secure authentication protocol.

!!! Level 2 
Level 2 provides single factor remote network [authentication]. At Level 2, identity proofing requirements are introduced, requiring presentation of identifying materials or information. A wide range of available authentication technologies can be employed at Level 2. It allows any of the token methods of Levels 3 or 4, as well as passwords and PINs. Successful [authentication] requires that the claimant prove through a secure [authentication] protocol that he or she controls the [token]. Eavesdropper, replay, and on-line guessing attacks are prevented.

Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated by the [Credential Service Provider] ([CSP]); however, session (temporary) shared secrets may be provided to independent verifiers by the [CSP]. Approved [cryptographic] techniques are [required|MUST]. [Assertions] issued about claimants as a result of a successful [authentication] are either cryptographically authenticated by [relying Parties|Relying Party] (using Approved methods), or are obtained directly from a trusted party via a secure authentication protocol.

!!! Level 3 
Level 3 provides [multi-factor|Multi-Factor Authentication] remote network authentication. At this level, identity proofing procedures require verification of identifying materials and information. Level 3 [authentication] is based on [Proof-of-Possession] of a key or a [One-Time password] through a cryptographic protocol. Level 3 authentication requires [cryptographic] strength mechanisms that protect the primary authentication token (a [secret key], a [private key|Private Key] or a [one-time password|One-Time password]) against compromise by the protocol threats, including eavesdropper, [replay|Replay attack], on-line guessing, verifier impersonation and [man-in-the-middle|man-In-The-Middle] attacks. A minimum of two [Authentication Factors] is [required|MUST]. Three kinds of [tokens] may be used: “soft” cryptographic tokens, “hard” cryptographic tokens and “one-time password” device tokens.

[Authentication] requires that the claimant prove, through a secure authentication protocol, that he or she controls the token. To establish two-factor authentication the claimant must either first unlock the token with a password or biometric, or additionally use a password within the secure authentication protocol. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the [Credential Service Provider] ([CSP]); however, session (temporary) shared secrets may be provided to independent verifiers by the [CSP]. Approved cryptographic techniques are used for all operations. Assertions issued about claimants as a result of a successful authentication are either cryptographically authenticated by relying parties (using Approved methods), or are obtained directly from a trusted party via a secure authentication protocol.
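One of the three Level 3 token kinds, the “one-time password” device token, as an added example (not code from NIST SP 800-63-2 or from this wiki). The OTP algorithm is HOTP from RFC 4226, with RFC 4226's published test secret as the constructed shared secret. The simulated device emits nothing until unlocked with an activation PIN (the second factor), and the CSP-side verifier keeps a moving counter so an eavesdropped code cannot be replayed. The look-ahead window of 5, the PIN and the `OtpDevice`/`Verifier` class names are assumptions of this example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class OtpDevice:
    """Simulated one-time password device token. The shared secret and moving counter live
    inside the device; it emits nothing until unlocked with its activation PIN, which is the
    second factor Level 3 requires. A real token keeps the secret in tamper-resistant hardware."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret, self._pin, self._counter = secret, pin, 0

    def press(self, pin: str) -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None                       # locked: no code without the PIN
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Verifier:
    """CSP-operated verifier. It holds the same secret, remembers the last counter it accepted,
    tolerates a small look-ahead window for presses that never reached it, and refuses any value
    at or below the accepted counter, which is what defeats replay of an eavesdropped code."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret, self._window, self._counter = secret, window, 0

    def verify(self, code: Optional[str]) -> bool:
        if code is None:
            return False
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1         # resynchronise past the value just consumed
                return True
        return False


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed run using RFC 4226's test secret and the PIN '1234'."""
    secret = b"12345678901234567890"
    device, verifier = OtpDevice(secret, "1234"), Verifier(secret)
    locked = device.press("0000") is None             # wrong PIN: token stays silent
    first = device.press("1234")                      # counter 0 -> '755224'
    accepted = verifier.verify(first)
    replayed = verifier.verify(first)                 # eavesdropper resends it: refused
    device.press("1234")                              # counter 1, generated but never sent
    resynced = verifier.verify(device.press("1234"))  # counter 2, inside the window
    for _ in range(10):                               # walk the token far ahead of the verifier
        device.press("1234")
    too_far = verifier.verify(device.press("1234"))   # counter 13, outside the window: refused
    return locked, accepted, replayed, resynced, too_far


if __name__ == "__main__":
    print(demo())  # (True, True, False, True, False)
```

Two design points matter in practice: the verifier's counter must be updated atomically under concurrency (two simultaneous submissions of the same code must not both succeed), and the look-ahead window trades usability against an on-line guessing budget of `window` codes per attempt, so it must be paired with attempt throttling.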

!!! Level 4
Level 4 is intended to provide the highest practical remote network authentication assurance. Level 4 [authentication] is based on [Proof-of-Possession] of a key through a cryptographic protocol. Level 4 is similar to Level 3 except that only [“hard” cryptographic tokens|Hard tokens] are allowed, [FIPS] 140-2 cryptographic module validation requirements are strengthened, and subsequent critical data transfers must be authenticated via a key bound to the authentication process. The token shall be a hardware cryptographic module validated at FIPS 140-2 Level 2 or higher overall, with at least FIPS 140-2 Level 3 physical security. By requiring a physical token that cannot readily be copied, and because FIPS 140-2 requires operator authentication at Level 2 and above, this level ensures strong two-factor remote authentication.

Level 4 requires strong cryptographic authentication of all parties and of all sensitive data transfers between the parties. Either public key or symmetric key technology may be used. Authentication requires that the claimant prove, through a secure authentication protocol, that he or she controls the token. The protocol threats of eavesdropping, replay, on-line guessing, verifier impersonation and man-in-the-middle attacks are prevented. Long-term shared authentication secrets, if used, are never revealed to any party except the claimant and verifiers operated directly by the [Credential Service Provider] ([CSP]); however, session (temporary) shared secrets may be provided to independent verifiers by the [CSP]. Strong Approved cryptographic techniques are used for all operations. All sensitive data transfers are cryptographically authenticated using keys bound to the authentication process.
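What “a key bound to the authentication process” means in code, as an added example (not from NIST SP 800-63-2 or this wiki). It uses the symmetric-key option Level 4 permits: the token and the CSP share a long-term key K, the claimant proves possession of K over a transcript that includes both identities and both nonces (so a verifier impersonator or a replayed proof fails), and a session key is derived from K and that same transcript. Every subsequent data transfer carries a sequence number and an HMAC under the session key, so an eavesdropper who saw everything can neither forge nor replay a transfer. The names `Claimant`, `Verifier`, the labels `b"auth"`, `b"session"`, `b"data"` and the message contents are constructed; in a real Level 4 deployment K would live inside a FIPS 140-2 hardware module rather than in a Python variable.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so adjacent transcript fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class Verifier:
    """CSP-side verifier holding the long-term key K. After a successful proof it derives a
    session key from K and the full transcript; only a party that used K in this run holds it."""

    def __init__(self, K: bytes, vid: bytes) -> None:
        self._K, self.id, self.nonce, self.sk, self.expect_seq = K, vid, b"", None, 0

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def authenticate(self, cid: bytes, nonce_c: bytes, proof: bytes) -> bool:
        expected = prf(self._K, b"auth", cid, self.id, self.nonce, nonce_c)
        if not hmac.compare_digest(expected, proof):
            return False
        self.sk = prf(self._K, b"session", cid, self.id, self.nonce, nonce_c)
        return True

    def receive(self, seq: int, payload: bytes, tag: bytes) -> bool:
        """Accept a transfer only with the next sequence number and a valid tag under the bound
        session key; a replay (old seq) or a forgery (no sk available) fails here."""
        if self.sk is None or seq != self.expect_seq:
            return False
        if not hmac.compare_digest(prf(self.sk, b"data", seq.to_bytes(8, "big"), payload), tag):
            return False
        self.expect_seq += 1
        return True


class Claimant:
    """Claimant whose hard token holds K (simulated here as a plain variable)."""

    def __init__(self, K: bytes, cid: bytes) -> None:
        self._K, self.id, self.sk, self.seq = K, cid, None, 0

    def respond(self, vid: bytes, nonce_v: bytes) -> Tuple[bytes, bytes, bytes]:
        nonce_c = secrets.token_bytes(16)
        proof = prf(self._K, b"auth", self.id, vid, nonce_v, nonce_c)
        self.sk = prf(self._K, b"session", self.id, vid, nonce_v, nonce_c)
        return self.id, nonce_c, proof

    def send(self, payload: bytes) -> Tuple[int, bytes, bytes]:
        msg = (self.seq, payload, prf(self.sk, b"data", self.seq.to_bytes(8, "big"), payload))
        self.seq += 1
        return msg


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    K = secrets.token_bytes(32)                  # constructed long-term key shared by token and CSP
    alice, csp = Claimant(K, b"alice"), Verifier(K, b"csp.example")
    authed = csp.authenticate(*alice.respond(csp.id, csp.challenge()))
    msg = alice.send(b"transfer 100 to account 42")
    accepted = csp.receive(*msg)
    replayed = csp.receive(*msg)                 # same message resent: stale seq, refused
    # Attacker who saw the whole exchange but lacks K (hence lacks sk) tries to forge seq 1.
    bogus = b"transfer 100 to account 666"
    forged = csp.receive(1, bogus, prf(secrets.token_bytes(32), b"data", (1).to_bytes(8, "big"), bogus))
    # A claimant holding the wrong long-term key never gets past the proof.
    mallory, csp2 = Claimant(secrets.token_bytes(32), b"alice"), Verifier(K, b"csp.example")
    impostor = csp2.authenticate(*mallory.respond(csp2.id, csp2.challenge()))
    return authed, accepted, replayed, forged, impostor


if __name__ == "__main__":
    print(demo())  # (True, True, False, False, False)
```

The binding is the derivation of `sk` from K together with the nonces of this particular run: a session key handed out by some other mechanism (a bearer cookie issued after login, say) is not bound to the authentication and is exactly what Level 4 rules out for sensitive transfers.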


The required [{$pagename}] is selected through a [Risk Assessment] whose parameters determine the [Magnitude of the Potential loss] that an authentication error or misuse of a credential would cause.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]