NIST SP 800-63-2
Title: Electronic Authentication Guideline
Version: Revision 1
Date: 12 December 2011
Technical guidelines for Federal agencies implementing electronic authentication. The document lists technical requirements for the four levels of assurance defined in OMB M-04-04 in the areas of identity proofing, registration, tokens, management processes, authentication protocols and assertion mechanisms.
This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. The document references specific technologies involved in some authentication schemes, including TLS as a means for establishing secure communications, HTTP cookies, SAML authentication and attribute assertions and Kerberos tickets. Token and credential management are discussed, including storage, verification, renewal/reissuance and revocation and destruction considerations. In Appendix A it includes an extensive discussion of password strength and how to calculate the "guessing entropy" based on a set of password rules. This publication supersedes NIST SP 800-63.
Security Considerations: The document is an information security guideline. The requirements in the document are grouped into four assurance levels that provide increasing levels of trust in the authentication process.
Interoperability Considerations: The purpose of the document is to provide sets of requirements for the OMB M-04-04 Levels of Assurance. It promotes interoperability by providing a baseline set of requirements for diverse Identity Management systems.
Active Attack, Address Of Record, Approved, Applicant, Assertion, Assertion Reference, Assurance, Asymmetric Keys, Attack, Attacker, Attribute, Authentication, Authentication Protocol, Authentication Protocol Run, Authentication Secret, Authenticity, Bearer Assertion, Bit, Biometrics, Certificate Authority, Certificate Revocation List, Challenge-response Protocol, Claimant, Claimed Address, Completely Automated Public Turing Test To Tell Computers And Humans Apart, Cookie, Credential, Credential Service Provider, Cross Site Request Forgery, Cross Site Scripting, Cryptographic Key, Cryptographic Token, Data Integrity, Derived Credential, Digital Signature, Eavesdropping Attack, Electronic Authentication (e-authentication), Entropy, Extensible Markup Language, Federal Bridge Certification Authority, Federal Information Security Management Act, Federal Information Processing Standard, Guessing Entropy, Hash Function, Holder-of-key Assertion, Identity, Identity Proofing, Kerberos, Knowledge Based Authentication, Man-in-the-middle Attack, Message Authentication Code, Min-entropy, Multi-factor, Network, Nonce, Off-line Attack, Online Attack, Online Guessing Attack, Passive Attack, Password, Personal Identification Number, Personal Identity Verification Card, Personally Identifiable Information, Pharming, Phishing, Possession And Control Of A Token, Practice Statement, Private Credentials, Private Key, Protected Session, Pseudonym, Public Credentials, Public Key, Public Key Certificate, Public Key Infrastructure, Registration, Registration Authority, Relying Party, Remote, Replay Attack, Risk Assessment, Salt, Secondary Authenticator, Secure Sockets Layer, Security Assertion Markup Language, SAML Authentication Assertion, Session Hijack Attack, Shared Secret, Social Engineering, Special Publication, Strongly Bound Credentials, Subscriber, Symmetric Key, Token, Token Authenticator, Token Secret, Transport Layer Security, Trust Anchor, Unverified Name, Valid, Verified Name, Verifier, Verifier Impersonation Attack, Weakly Bound Credentials, Zeroize