A new business partner is applying for a VPN account in your company to work remotely. However, the password settings for partners are the same as those for employees. As a security professional, you consider the risk to be higher for remote partners than for inside workers, and the system administrator should provision password settings at a stricter, more fine-grained level. A system administrator created a new account, generated a password randomly, and texted him a URL on his mobile phone to activate the account. Which of the following should be considered most in terms of the provisioning process?
A. Identity Assurance Levels (IAL)
B. Authenticator Assurance Levels (AAL)
C. Federation Assurance Levels (FAL)
D. Evaluation Assurance Levels (EAL)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Identity Assurance Levels (IAL).
The strength of a password DOES relate to Authenticator Assurance Levels (AAL). However, “on the internet, nobody knows you’re a dog.” When creating or provisioning a new account, it is more important to focus on proofing the applicant’s identity. That is, the identity shall be unique. Its attributes shall be authentic, genuine, and accurate. The applicant shall be linked to a real-life subject. Identity proofing is the primary concern of Identity Assurance Levels (IAL).