Accelerate Compliance of NIST SP 800-63-3 with ForgeRock


Unpacking the Realities of Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) to Make Compliance Easier 

No matter how much security and interoperability it brings, the thought of ‘compliance’ always brings a resigned sigh. Yet, from the U.S. Federal Government (Fed) to state and local governments and educational institutions (SLED), complying with guidelines and standards is a must not only for security but for interoperability and cost reduction.

Digital identity is at the heart of addressing many government specifications and guidelines. In this post, we’ll unpack two assurance levels, identity assurance level (IAL) and authenticator assurance level (AAL), within the NIST’s SP 800-63-3 Digital Identity Guidelines. For more detailed information on implementing IAL and AAL using ForgeRock Intelligent Access, read ForgeRock and NIST Special Publication 800-63-3.

Let’s begin.

In the current revision (revision 3) of SP 800-63, NIST replaces the idea of a single level of assurance (LOA) with three different types of assurance, each with three levels:

  1. Identity assurance level (IAL) 1-3
  2. Authenticator assurance level (AAL) 1-3
  3. Federation assurance level (FAL) 1-3 (I’ll write about FAL at a later date)

Each assurance type is so specific that NIST provides an 80+ page special publication to each, 800-63A, 800-63B, 800-63C, respectively.

Why are there three levels of assurance for each assurance type? Simply put, the levels of assurance are directly related to the potential damage caused if data is compromised.

  • Assurance level 1 covers less sensitive data such as publicly available information.
  • Assurance level 2 considers sensitive data such as for official use only, or personal data.
  • Assurance level 3 includes highly sensitive data such as financial data, or personnel data.

Before we dig in further, let’s clear up the relationship between identity proofing and authenticators, as this distinction is important. Identity proofing is required during account creation and, in some cases, periodically throughout the lifecycle of the identity. Once a claimant’s identity has been proved, and while still in the account creation process, the claimant registers the authenticators (such as username and password, biometrics, etc.) These authenticators are used to access the account in the future. In general, an applicant proves his identity once but repeatedly authenticates.

Back to the task at hand: IAL and AAL.

Identity Assurance Levels (IAL) as Described in NIST SP 800-63A Enrollment and Identity Proofing

To achieve an identity assurance level, an applicant proves he, she, or it (e.g., a computer or a thing) has a real-life identity. This proofing process extends from self-asserted proof in IAL1 to highly scrutinized physical evidence in IAL3, where proofing requires the physical presence of both the applicant and a trained and authorized representative of the authorizing agency.

By far, most agencies seek IAL2 proofing of an applicant and use trusted sources to help prove someone is who they say they are. Examples of trusted sources include issuers of smartcards (such as CAC and PIV), driver’s licenses, student IDs, teachers union credentials, and first responder credentials.

Other than self-asserted proof, IAL proofing sometimes involves a third party that specializes in identity proofing, such as PII matching, biometric analytics, credit verification, demographic matching, etc. This may sound complicated, yet agencies find a quick path to IAL compliance at any assurance level using ForgeRock’s Intelligent Access toolset combined with third-party identity proofing technologies from our partner network. Details are provided in the paper ForgeRock and NIST Special Publication 800-63-3.

Authenticator Assurance Levels (AAL) as Described in NIST SP 800-63B Authentication and Lifecycle Management

SP 800-63B covers ‘authenticators’, or the mechanisms used to access an account. Authenticators are as simple as username/password or as complex as a multifactor cryptographic challenge-response. 

Also covered within SP 800-63B are ‘authentication factors’, which include: something you know (password, PIN, etc.), something you have (a one-time password fob, etc.), and something you are (such as biometrics like your thumbprint, iris, or face pattern).

Authenticator assurance levels determine how confident we are that the claimant possesses and controls the authenticators tied to their account. There are three AAL assurance levels. Each assurance level requires one or more distinct authentication factors.

  1. AAL1 is the lowest assurance level and only requires a single authentication factor and an authenticator such as a simple username and password. AAL1 is used to access publicly available information like commissary prices, open courses, or public services.
  2. AAL2 is more stringent than AAL1 in that it requires two distinct authentication factors, such as a username and password (something you know) and a one-time-password pushed to a device (something you have). AAL2 is used to secure accounts with access to sensitive information such as personal data, agency internal but not classified data, the claimant’s student or financial data, etc. 
  3. AAL3, the highest assurance level, extends AAL2 by requiring: 
  • Hardware-based authenticators
  • An authenticator that provides impersonation resistance (such as biometrics)
  • Proof a cryptographic key is in the claimant’s possession. 

AAL3 is used to secure an agency's most sensitive data, such as a facility security officer’s duties, a university registrar, or any other function that requires access to the most sensitive information held by an agency. 

To support authenticators, both hardware and software, government and publicly funded non-federal organizations require a flexible, yet robust, identity platform to orchestrate all AAL compliance levels. This is where ForgeRock comes in.

With the ForgeRock Identity Platform, government and publicly funded non-federal organizations leverage industry-leading authentication and identity features in conjunction with hundreds of pre-integrated identity proofing and authenticator options made available through our partners in our expansive Trust Network. Because of ForgeRock’s comprehensive functionality, you can build an authentication journey that meets or exceeds all 800-63A and B compliance requirements. Additionally, if you require federated single sign on, there are ForgeRock modules to help you quickly achieve any 800-63C assurance level. In short, you can orchestrate all 800-63-3 assurance levels (IAL1-3, AAL1-3, FAL1-3). 

For more details on how ForgeRock can help you achieve NIST’s SP 800-63-3 specifications, read ForgeRock and NIST Special Publication 800-63-3. And stay tuned for additional blog posts on this topic.