See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How? - (BSides Nashville 2018) (Hacking Illustrated Series InfoSec Tutorial Videos)

Bruce Wilson
usethedata

BSides Nashville 2018
http://bsidesnash.org

In July 2017, after many months of public comment and open discussion on GitHub, the US National Institute of Standards and Technology (NIST) released revision 3 of Special Publication 800-63: Digital Identity Guidelines. This was a huge revision that separated out what used to be a single level of assurance into three separate components: Identity Assurance Level, Authentication Assurance Level, and Federation Assurance Level. It gets rid of things many of us thought were counterproductive, like arbitrary password complexity requirements and time-based forced password changes. It notes that a one-time password via SMS has some value, but is also weak (though they backed away from calling it "deprecated"). It also adds some very interesting concepts, like "additional authenticators" and "supervised remote enrollment". For some, NIST 800-63 is something we have to follow. Others can look at it as guidance and a source of best practices. For all, it's a fairly long set of documents describing a complex subject (digital identity) that's at the absolute center of getting security right. So, let's spend some time working through NIST 800-63, look at these changes and new concepts, and see what separating identity from authentication from federation can mean for us.
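The abstract mentions that SP 800-63B drops arbitrary composition rules and forced rotation in favour of a length floor plus a blocklist of known-bad values. The following is an added example (not code from the talk, from Irongeek, or from NIST) of what a memorized-secret verifier written to SP 800-63B section 5.1.1.2 looks like: NFKC normalization before comparison, a minimum of 8 and a maximum of at least 64 characters counted as code points, rejection of blocklisted, repetitive/sequential and context-specific values, and no "must contain a digit/symbol" rule. The blocklist, username and service name are constructed for the example; a real deployment would load a breach-corpus list instead.

```python
import unicodedata

MIN_LENGTH = 8   # 800-63B: at least 8 characters for subscriber-chosen secrets
MAX_LENGTH = 64  # 800-63B: verifiers SHOULD accept at least 64 characters

# Constructed sample blocklist. 800-63B says to compare against values
# from breach corpora, dictionary words, and repetitive/sequential strings.
SAMPLE_BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "aaaaaaaa"}


def normalize(secret: str) -> str:
    # 800-63B: apply NFKC (or NFKD) before hashing/comparison so that
    # visually identical input from different keyboards compares equal.
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    # Catches "bbbbbbbb", "abcdefgh", "87654321" and similar.
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def evaluate_password(candidate: str, username: str, service_name: str,
                      blocklist=SAMPLE_BLOCKLIST):
    """Return (accepted, reason) for a subscriber-chosen memorized secret."""
    secret = normalize(candidate)

    # Length is measured in characters (code points), not bytes; spaces are
    # allowed, so passphrases like "correct horse battery staple" pass.
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"

    lowered = secret.casefold()
    if lowered in blocklist:
        return False, "on blocklist"
    if is_repetitive_or_sequential(lowered):
        return False, "repetitive or sequential"

    # Context-specific words: the service name, the username and derivatives.
    for ctx in (username, service_name):
        if ctx and ctx.casefold() in lowered:
            return False, "contains context-specific word"

    # Deliberately absent: composition rules (upper/lower/digit/symbol) and
    # any expiry date. 800-63B says verifiers SHOULD NOT impose either; a
    # change is forced only on evidence of compromise.
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "short1!",
               "Password", "alice2024!", "abcdefgh", "ｐａｓｓｗｏｒｄ"):
        print(repr(pw), evaluate_password(pw, "alice", "ExampleCorp"))
```

Note that the fullwidth "ｐａｓｓｗｏｒｄ" is rejected only because NFKC folds it to "password" before the blocklist lookup; skipping normalization is a common way a blocklist check is silently bypassed.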


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast