- SP 800-63-3 – Digital Identity Guidelines
- SP 800-63A – Enrollment and Identity Proofing
- SP 800-63B – Authentication and Lifecycle Management
- SP 800-63C – Federation and Assertions
- Risk-based or adaptive authentication systems evaluate a host of user, system, and environmental attributes, together with behavioral profiles, to make an authentication decision.
- IP address, geolocation, time of day, transaction type, mouse movements, keystroke patterns, and variances from typical usage norms are some of the signals used in these systems.
- These solutions do not currently count as a valid authenticator in and of themselves, as this information does not necessarily constitute a “secret,” and most solutions leverage proprietary ways of making an authentication decision.
- “Risk-based” and “adaptive” techniques are therefore considered added controls layered on top of digital authentication, not authenticators in their own right.
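As an added illustration that is not text or code from SP 800-63B, the following constructed Python sketch shows the point above: risk signals are layered on top of a primary authenticator and can only add a step-up requirement, never replace the authenticator. The profile and signal fields, the weights and the threshold are all assumptions.

```python
from dataclasses import dataclass

# Constructed example: a risk-based (adaptive) policy layered on top of a
# primary authenticator. The risk score is an added control: it can require
# step-up (an additional permitted authenticator) but never substitutes for
# one, so a low score never admits a session without the authenticator.


@dataclass
class UserProfile:
    usual_countries: set   # countries seen in prior successful logins
    usual_hours: range     # local hours the user normally signs in
    known_ips: set         # IPs seen in prior successful logins


@dataclass
class LoginSignals:
    ip: str
    country: str
    hour: int
    transaction: str                # e.g. "view" or "transfer"
    primary_authenticator_ok: bool  # result of the real authenticator check


def risk_score(profile: UserProfile, s: LoginSignals) -> int:
    """Sum assumed weights for signals that deviate from the user's profile."""
    score = 0
    if s.ip not in profile.known_ips:
        score += 1
    if s.country not in profile.usual_countries:
        score += 3
    if s.hour not in profile.usual_hours:
        score += 1
    if s.transaction == "transfer":   # higher-value transaction type
        score += 2
    return score


def decide(profile: UserProfile, signals: LoginSignals, step_up_threshold: int = 3) -> str:
    """Return "deny", "allow" or "step_up".

    The primary authenticator is always required; the risk score can only
    raise the bar by demanding an additional authenticator.
    """
    if not signals.primary_authenticator_ok:
        return "deny"      # risk signals never replace the authenticator
    if risk_score(profile, signals) >= step_up_threshold:
        return "step_up"   # require another permitted authenticator type
    return "allow"
```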
Permitted Authenticator Types
AAL1 authentication SHALL occur by the use of any of the following authenticator types:
- Memorized Secret
- Look-Up Secret
- Out-of-Band Devices
- Single-Factor One-Time Password (OTP) Device
- Multi-Factor OTP Device
- Single-Factor Cryptographic Software
- Single-Factor Cryptographic Device
- Multi-Factor Cryptographic Software
- Multi-Factor Cryptographic Device
Out-of-band Device Authentication
NIST SP 800-63B does not allow the use of email as a channel for single- or multi-factor authentication processes. This is specified in Section 5.1.3.1, Out-of-Band Authenticators:
[Authentication] methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.
Knowledge-based authentication (KBA)
- Knowledge-based authentication (KBA), sometimes referred to as “security questions”, is no longer recognized as an acceptable authenticator by SP 800-63.
- This was formerly permitted and referred to as a “pre-registered knowledge token” in SP 800-63-2 and earlier editions.
- The ease with which an attacker can discover the answers to many KBA questions, and the relatively small number of possible answers for many of them, give KBA an unacceptably high risk of successful use by an attacker.