Authentication risk and threat models are constantly shifting, pushing requirements toward Identity Assurance Level 3 (IAL3) with hardware-anchored verification. Traditional knowledge-based authentication and SMS one-time passwords are no longer viable authentication mechanisms; for federated authentication to work effectively, it must include phishing-resistant authenticators.

Verification

NIST IAL3 verification involves validating the evidence that supports a claim of identity, either by physically matching the applicant against the evidence presented or by biometrically matching information on the evidence against the applicant's biometric characteristics.

These guidelines introduce a new, more structured DIRM process that goes beyond enterprise risk evaluation to consider mission delivery, user trust and individual user concerns (such as equity and privacy). They also formally introduce remote identity proofing for AAL2, as well as user-controlled wallet models such as FIDO Passkeys or mobile driver's licenses that put the user in control.

The NIST SP 800-63-4 guidelines establish a set of assurance levels (xALs), ranging from self-asserted identity (IAL1) to AAL3 (strong cryptographic, device-based authentication that resists phishing and man-in-the-middle attacks), with NIST 800-63-4 IAL3 compliance as an objective, measurable target. HYPR's comprehensive identity verification, supported directly by its FIDO Certified passwordless authentication capabilities, provides maximum assurance that a claimed digital identity corresponds to a real-world person.

Compliance

The National Institute of Standards and Technology's digital identity guidelines offer a central framework for security and privacy. They define three categories of assurance levels: Identity Assurance Levels (IAL), Authentication Assurance Levels (AAL), and Federation Assurance Levels (FAL).

The core principles remain unchanged, yet the guidelines have been modernized to address modern attacks. For instance, they now explicitly require phishing-resistant methods such as FIDO Passkeys for higher assurance levels and formalize support for remote identity proofing. More explicit guidance has also been added on subscriber-controlled wallets and verifiable credentials.
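To make concrete why a FIDO/WebAuthn authenticator is phishing-resistant where an OTP is not, the Go program below (added here as an illustration; it is not HYPR's, NIST's or any FIDO project's code) models the WebAuthn assertion ceremony. A hypothetical, simplified authenticator signs over the RP ID hash and the origin the browser observed; the relying-party check then accepts the genuine login and rejects an assertion produced on a lookalike site even though the same key signed it. The RP ID `bank.example`, both origins, and the fixed challenge string are constructed sample values, and the single-key authenticator is an assumption made for brevity.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the CollectedClientData fields that matter; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) gets back from navigator.credentials.get().
type assertion struct {
	AuthenticatorData []byte // rpIdHash (32) || flags (1) || signCount (4)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA P-256 over authenticatorData || SHA-256(clientDataJSON)
}

// signedMessage builds the exact byte string WebAuthn signs.
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// sign models a hypothetical, simplified authenticator signing for whatever RP ID and origin the browser resolved.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01)   // flags byte: user present (UP)
	authData = append(authData, 0, 0, 0, 1) // signCount = 1 (big-endian)
	digest := sha256.Sum256(signedMessage(authData, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP-side check. The challenge check stops replay; the origin and rpIdHash
// checks are the phishing resistance: a lookalike site cannot obtain a signature naming the genuine origin.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("client data: %w", err)
	}
	wantRPIDHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(signedMessage(a.AuthenticatorData, a.ClientDataJSON))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch (replay or wrong session)")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, origin)
	case len(a.AuthenticatorData) < 37:
		return fmt.Errorf("authenticator data too short")
	case !bytes.Equal(a.AuthenticatorData[:32], wantRPIDHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case a.AuthenticatorData[32]&0x01 == 0:
		return fmt.Errorf("user presence flag not set")
	case !ecdsa.VerifyASN1(pub, digest[:], a.Signature):
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// demo runs a genuine login and then the same key used from a lookalike site (constructed
// sample names); it returns whether the RP accepted each assertion.
func demo() (bool, bool, error) {
	const rpID, origin = "bank.example", "https://bank.example"
	const challenge = "Y29uc3RydWN0ZWQtc2FtcGxlLWNoYWxsZW5nZQ" // constructed; a real RP mints fresh random bytes per ceremony
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	good, err1 := sign(priv, rpID, origin, challenge)
	// The browser on the lookalike site records that site's origin and RP ID. A real authenticator
	// would not even select this credential there; the RP's origin check rejects it regardless.
	bad, err2 := sign(priv, "bank-login.example", "https://bank-login.example", challenge)
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("signing failed: %v / %v", err1, err2)
	}
	return verifyAssertion(&priv.PublicKey, rpID, origin, challenge, good) == nil,
		verifyAssertion(&priv.PublicKey, rpID, origin, challenge, bad) == nil, nil
}

func main() { fmt.Println(demo()) }
```

Running it prints `true false <nil>`: the assertion made on the genuine origin is accepted, the one made on the lookalike origin is refused at the origin check before the signature is even examined. The contrast with an SMS or email OTP is that the OTP carries no binding to where it is typed, so the same code works on the phishing page and on the real one.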

The guidelines also detail requirements for reaching IAL2 and IAL3 through chat, video, facial recognition with liveness detection, document authentication, and risk-based step-up and step-down reproofing. This lets organizations balance business and security objectives while lowering cyber liability insurance costs and the operational cost of password resets; continuous IAL3 identity verification that goes beyond point-in-time checks also helps meet FISMA and NIST RMF requirements for robust cybersecurity, making it a strategic imperative for federal agencies and private organizations alike.

High Identity Proofing

NIST SP 800-63-4 marks an essential transition from checklist-based requirements to a risk-based Digital Identity Risk Management (DIRM) framework, prioritizing strong authentication protocols that effectively prevent unauthorised access and identity fraud. This strategic shift can be seen in its revamping of the IAL, AAL and FAL assurance levels to more accurately represent how confidently an IdP or CSP (verifier) can make assertions to RPs in federated environments.

The reworked criteria also mandate moving away from SMS and email OTP verification toward phishing-resistant methods such as FIDO Passkeys for the higher AALs; liveness detection now validates human presence at the time of verification to prevent spoofing attempts; and remote FedRAMP High identity proofing and mobile driver's licenses are formally introduced by NIST as credible evidence sources. It is critical that your identity verification software adheres to these changes for compliance.

FedRAMP

NIST creates information security standards and guidelines in accordance with its statutory authority under the Federal Information Security Modernization Act of 2014 (44 U.S.C. § 3551 et seq., Public Law 113-283). These standards and guidelines apply to all federal systems but should not be applied directly to national security systems without approval by those responsible for them.

NIST 800-63-4 creates a more systematic DIRM process and enhances risk management by moving beyond enterprise risk to explicitly consider impacts on mission delivery, user trust and individual users (including equity and privacy).

Furthermore, the standard strengthens the assurance levels by deprecating email OTP authentication, downgrading SMS-based authentication, recognizing phishing-resistant methods such as FIDO Passkeys as official methods at AAL2 and AAL3, mandating cryptographic binding in federated transactions, and officially supporting remote identity proofing.
