The weakest link in the identity chain is shifting from authentication to identification. Compliance-driven programs have emphasized authentication, and the shift is recognized by the newly drafted National Institute of Standards and Technology (NIST) Digital Identity Guidelines (the successor to the e-Authentication guideline): NIST SP 800-63A, B and C respectively cover identity enrollment and proofing, authentication and authenticator lifecycle management, and federation. In this blog we discuss how shortfalls in identity assurance undermine investments in strong authentication, so that an understanding of the relationship between identity and authentication assurance levels can improve identity and access management architectures and protect those investments.
Strong authentication with weak identity assurance leads to a false sense of security
Identity proofing verifies that individuals are who they say they are. The confidence placed in the evidence and documentation supplied during proofing is expressed as an assurance level, referred to here as Identity Proofing Strength (NIST SP 800-63A calls it the Identity Assurance Level, IAL). For many organizations, weak identity proofing combined with strong authentication leads to a false sense of confidence in online identity: a strong authenticator only proves that the same party has returned, not who that party is. We therefore recommend assessing strong authentication alongside a sufficient level of identity assurance.
Weakness in identity assurance can exist in both enterprise and consumer identity and access management architectures, so it is important to look at both, given the foundational value of identity as a key control and as a prerequisite for many other controls (authorization, audit and accountability all assume the identity behind the account is correct).
A well-defined identity proofing process enables effective B2B2C relationships by improving trust across the supply chain. Working across those borders requires a reference for heterogeneous identity architectures as they pertain to assurance levels. Here are some simple examples of lower and higher assurance identification approaches:
Don’t invest in strong authentication without a minimum level of identity assurance
Without a minimum identity assurance level (what NIST SP 800-63A calls Identity Assurance Level 2, IAL2), the vetting of the user is not sufficient to justify investing in strong authentication. Binding a strong authenticator to a weakly proofed identity is not trustworthy: you may be issuing expensive authenticators to individuals who are not, in fact, who they say they are, and the authenticator then reliably re-identifies the wrong person.
Under certain circumstances (e.g. where no highly sensitive information is being accessed), strong authentication may not be required. Varying the required assurance by transaction helps manage cost and improve usability. If you look at the transactions for any given audience, you will find varying requirements for confidentiality and integrity.
Evidence provided about the identity presented, the strength and diversity of that evidence, device data, geolocation and consistency with historical patterns of use all contribute to a level of confidence and trust. For example, organizations are adopting Knowledge Based Authentication (KBA) to enhance identity assurance further. KBA is not the only approach and may not be the best one for your customer interaction preferences; the answers it relies on (prior addresses, loan amounts) are frequently available to attackers from breached data, so treat it as supplementary evidence rather than a primary control.
Assurance levels should first be translated into business impacts and objectives
Risk-based authentication and risk-based assurance are not new ideas, yet they require a rigorous governance process and policy framework to consistently design and audit solutions for cyber-resilience. A good example is the FedRAMP implementation of OMB M-04-04 guidance, based on the previous NIST SP 800-63 four levels of assurance (Figures A and B). Having assurance levels alone is not enough: they must be translated into business impacts and business objectives, and no reference can do that for your organization out of the box. Such references should be factored into your own standards and tailored to your organization's business model; this is the role of security architecture.
Pair identity proofing and authentication assurance levels aligned to business needs
Business needs often call for assurance levels that do not match directly, such as high-grade authentication combined with anonymity (a strong authenticator bound to a pseudonym rather than a proofed identity), so the right pairing is not always obvious and each case needs to be looked at from an architect's point of view. Such risk-based business decisions are permissible when they are taken deliberately, within the organization's risk tolerance and with the Identity Proofing Strength of the user population in view.
Consider risk-adaptable access controls to enhance user experience
You do not always need a high degree of identity assurance. The reality of the way we live with technology as consumers is frequent low-risk transactions: your mobile phone may alert you to the progress of an Amazon shipment without disclosing specifics or payment information. Access controls should be aligned to operational needs and risk-tolerance heuristics so that a 'step-up' in authentication happens only when needed. Risk-Adaptable Access Control (RAdAC) is a form of risk-based access control that can help here. RAdAC approaches can be implemented with policy languages such as XACML, where session information about the authentication assurance achieved and directory (LDAP) attributes about the subject's identity assurance are evaluated together by the policy decision point. It is important to profile each application's criticality within your overarching risk framework, since that profile is what the policy compares the assurance levels against.
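As an added illustration of such a policy decision (not code from the original post; the application profile table, the attribute names and the sample subject and session records are assumptions made for the example), here is a Python decision function that reads the identity assurance level from the subject's directory record and the authentication assurance level from the session, compares both against a per-application criticality profile, and returns permit, step-up or deny:

```python
"""Risk-adaptable access decision that pairs identity assurance (IAL, read
from the subject's directory record) with authentication assurance (AAL,
read from the session), in the style of NIST SP 800-63-3.

Added illustration for this post, not code from the original. The
application profile table, attribute names and sample records below are
constructed for the example (they are not a NIST table)."""

from dataclasses import dataclass
from typing import Optional, Set

# Per-application criticality profile: minimum IAL and AAL needed to reach it.
# Constructed sample values; each organization defines its own.
APP_REQUIREMENTS = {
    "shipment-status": {"ial": 1, "aal": 1},  # low risk, no sensitive data
    "order-history":   {"ial": 1, "aal": 2},
    "payment-details": {"ial": 2, "aal": 2},
    "payroll-admin":   {"ial": 2, "aal": 3},
}


@dataclass
class Subject:
    """What the directory (e.g. an LDAP attribute) says about the person."""
    user_id: str
    ial: int                  # identity assurance level reached at proofing
    enrolled_aals: Set[int]   # AALs reachable with the authenticators enrolled


@dataclass
class Session:
    """What the current session has proved about the returning party."""
    user_id: str
    aal: int                  # authentication assurance level achieved so far


@dataclass
class Decision:
    effect: str               # "Permit", "StepUp" or "Deny"
    reason: str
    required_aal: Optional[int] = None


def decide(app: str, subject: Subject, session: Session) -> Decision:
    """Policy decision point: compare the subject's IAL and the session's AAL
    against the application's profile and pick permit, step-up or deny."""
    req = APP_REQUIREMENTS.get(app)
    if req is None:
        # Fail closed: an unprofiled application has no known risk tolerance.
        return Decision("Deny", f"no risk profile for application {app!r}")
    if subject.user_id != session.user_id:
        return Decision("Deny", "session does not belong to the subject")
    # Identity assurance cannot be raised inside a session: a stronger
    # authenticator would only prove that the same weakly proofed party returned.
    if subject.ial < req["ial"]:
        return Decision(
            "Deny",
            f"IAL{subject.ial} is below required IAL{req['ial']}; "
            "send the user back through identity proofing",
        )
    if session.aal >= req["aal"]:
        return Decision(
            "Permit", f"IAL{subject.ial}/AAL{session.aal} satisfies {app}"
        )
    # Authentication assurance can be stepped up in-session, but only if the
    # subject actually holds an authenticator that reaches the required level.
    if any(a >= req["aal"] for a in subject.enrolled_aals):
        return Decision(
            "StepUp",
            f"AAL{session.aal} is below required AAL{req['aal']}",
            required_aal=req["aal"],
        )
    return Decision(
        "Deny",
        f"no enrolled authenticator reaches AAL{req['aal']}; "
        "enrollment of a stronger authenticator is needed",
    )


if __name__ == "__main__":
    # Constructed sample records: alice is well proofed, bob is not.
    alice = Subject("alice", ial=2, enrolled_aals={1, 2})
    bob = Subject("bob", ial=1, enrolled_aals={1, 2, 3})
    for app, subj, sess in [
        ("shipment-status", alice, Session("alice", aal=1)),
        ("payment-details", alice, Session("alice", aal=1)),
        ("payroll-admin", alice, Session("alice", aal=1)),
        ("payment-details", bob, Session("bob", aal=3)),
    ]:
        d = decide(app, subj, sess)
        print(f"{subj.user_id:5} -> {app:16} {d.effect:6} ({d.reason})")
```

The asymmetry is the point of this post: an AAL shortfall can be repaired in-session with a step-up challenge, but an IAL shortfall cannot, so the user who authenticated at AAL3 on a weakly proofed identity (bob) is denied rather than stepped up. In an XACML deployment the same comparison would sit in a policy rule, with IAL and AAL delivered to the policy decision point as subject and environment attributes.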
Use mobile device ‘accelerators’ to further reduce authentication friction
Mobile device "accelerators" measure patterns of use such as eye movement, swipe activity, password entry cadence and signature recognition, and can build a level of assurance from them. When the observed pattern matches the expected one, accelerators can remove the need for the next factor and reduce authentication friction. Conversely, when fingerprinted patterns indicate a high probability that the user is not who they say they are, a decision can be made to block or to ask for out-of-band authentication. Remember, though, that you are building these capabilities in an increasingly hostile environment where threat actors seek to undermine your investments as you make them: behavioral signals are probabilistic, so treat them as a risk input to the access decision rather than as a substitute for a verified authenticator.
Use threat modeling to risk-assess ‘out-of-band’ channels
Do not assume your security solution is secure enough. When out-of-band channels (SMS, voice call, email, a separate app) are used during identity proofing, their integrity is a core component of trust for the entire identity chain, so integrity must be built into them. Use threat modeling techniques to risk-assess each channel used for identification: who can read it, who can inject into it, and how the binding between the channel and the claimed identity was established in the first place. It is critical to protect your out-of-band channels against spoofing while proofing and registering someone, because a channel the attacker controls turns the proofing step into an enrollment of the attacker. Note that NIST SP 800-63B treats SMS and voice delivered over the public telephone network as restricted authenticators for exactly this reason.
Then deploy proportionate controls to protect against identity theft
To address communications integrity, consider standards from the Cloud Security Alliance (CSA), whose Cloud Controls Matrix provides controls to protect and encrypt the entire identity and access management lifecycle. Channels carrying identifiers and passwords must be protected (encrypted in transit, with the server end authenticated) to avoid the prevailing pitfalls.
Also, remember to deploy Domain-based Message Authentication, Reporting and Conformance (DMARC) for email trustworthiness. DMARC builds on SPF and DKIM: it lets a domain owner publish how receivers should treat mail that fails authentication and alignment with the visible From: domain, and it gives senders and receivers reports with which to monitor and protect email against fraudulent scenarios such as spoofed proofing or password-reset messages.
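As an added example (not code from the original post), the following Python evaluates a message against a published DMARC record: it parses the record, checks whether the SPF or DKIM authenticated domain is aligned with the From: domain under the record's alignment modes, and returns the disposition the domain owner asked for. The records and authentication results are constructed for the example, and the organizational-domain helper is a simplification labeled as such in the code.

```python
"""DMARC evaluation: parse a published DMARC TXT record and compute the
disposition for a message from its From: domain and its SPF/DKIM results.

Added illustration for this post, not code from the original. The records
and authentication results below are constructed; the organizational-domain
helper is a deliberate simplification (see its comment)."""

from typing import Dict, List, Optional, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict, applying defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("record lacks a valid p= policy")
    tags.setdefault("adkim", "r")     # DKIM alignment: relaxed by default
    tags.setdefault("aspf", "r")      # SPF alignment: relaxed by default
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified here to the last two labels; a real
    implementation must consult the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment ('s') needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: Dict[str, str], from_domain: str,
             spf: Optional[Tuple[str, str]] = None,
             dkim: Optional[List[Tuple[str, str]]] = None) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf  : (result, domain that SPF checked), e.g. ("pass", "mail.example.com")
    dkim : list of (result, d= domain) for each signature that was verified
    A message passes DMARC if at least one passing identifier is aligned with
    the From: domain; otherwise the published policy decides its fate."""
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, record["aspf"]))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, record["adkim"])
                  for res, d in (dkim or []))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Assumes the record was published at the organizational domain, so a
    # subdomain in From: is governed by sp= rather than p=.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return "fail", record["sp"] if is_subdomain else record["p"]


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                      "rua=mailto:dmarc-reports@example.com")
    # Constructed scenarios: a legitimate relay, a spoof with an unaligned
    # DKIM signature, and a spoof of a subdomain.
    print(evaluate(rec, "example.com", spf=("pass", "mail.example.com")))
    print(evaluate(rec, "example.com", spf=("pass", "attacker.net"),
                   dkim=[("pass", "mail.example.com")]))
    print(evaluate(rec, "billing.example.com", spf=("fail", "attacker.net")))
```

The second scenario is the one to notice: SPF and DKIM both "pass", yet the message fails DMARC because neither authenticated domain is aligned with the From: domain under the record's modes. That alignment check is what stops an attacker from signing a spoofed proofing email with their own domain's key, and a p=none record gives you the reports without any protection, so move to quarantine or reject once the reports show your legitimate senders are aligned.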
Another powerful concept is triangulating the identity of an individual through relationship management. The Kantara Initiative's Identity Relationship Management (IRM) work aims to register and validate the relationships between people, organizations and all kinds of devices found on the Internet. Their vision for resilient digital identity is well described, and we recommend you keep an eye on it.