NIST SP 800-63-2

From IDESG Wiki
Revision as of 20:56, 26 February 2013 by Scott Shorter (Talk) (editorial change)


Title: Electronic Authentication Guideline


Version: Revision 1

Date: 12 December 2011


Technical guidelines for Federal agencies implementing electronic authentication. The document lists technical requirements for the four levels of assurance defined in OMB M-04-04 in the areas of identity proofing, registration, tokens, management processes, authentication protocols and assertion mechanisms.


This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of the four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. The document references specific technologies involved in some authentication schemes, including TLS as a means for establishing secure communications, HTTP cookies, SAML authentication and attribute assertions, and Kerberos tickets. Token and credential management are discussed, including storage, verification, renewal/reissuance, and revocation and destruction considerations. In Appendix A it includes an extensive discussion of password strength and how to calculate the "guessing entropy" of passwords generated under a given set of password rules. This publication supersedes NIST SP 800-63.

Privacy Considerations: Advises agencies to reference OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 [OMB M-03-22]. Subscribers are assumed to trust relying parties to follow "all relevant privacy policy." PII gathered during registration is required to be protected. The document also defines "private credentials", which are credentials that cannot be disclosed without compromising the token (such as symmetric keys). There is discussion of when Relying Parties may operate anonymously, and discussion of how pseudonymity may be achieved.

Security Considerations: The document is an information security guideline. The requirements in the document are grouped into four assurance levels that provide increasing levels of trust in the authentication process.

Interoperability Considerations: The purpose of the document is to provide sets of requirements for the OMB M-04-04 Levels of Assurance. It promotes interoperability by providing a baseline set of requirements for diverse Identity Management systems.