Your SlideShare is downloading. ×
Thornton   e authentication guidance
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Thornton e authentication guidance


Published on

xác thực 2 yếu tố

xác thực 2 yếu tố

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. The President’s E-Government Initiative E-Authentication Guidance NIST KBA Symposium February 9, 2004 Jeanette ThorntonThe Office of Management and Budget 1
  • 2. E-Authentication Goals – Build and enable mutual trust needed to support wide spread use of electronic interactions between the public and Government, and across Governments – Minimize the burden on public when obtaining trusted electronic services from the Government, and across the governments – Deliver common interoperable authentication solutions, appropriately matching the levels of risk and business needsThe President’s E-Government Initiatives 2
  • 3. Areas of Focus– Policy– Technology: Architecture/Requirements– Applications (bringing Applications on to a shared service): Conducting a pilot– Credential Providers (accrediting electronic credential providers to they could be used across govt.)– FICC: Smart Cards/IDs for Federal EmployeesThe President’s E-Government Initiatives 3
  • 4. Part of a Larger Policy Framework Community Specific Policies Federal Identity Credentialing Component Policies Ongoing Credential Assessment Interim version now final Framework Federal PKI Bridge Expected final March 04 Certificate Policy NIST Authentication SP-800-63, Out for Comment Jan 29, Technical Guidance 2004 E-Authentication Guidance FINAL: OMB M-04-04, December 16, 2003 for Federal AgenciesThe President’s E-Government Initiatives 4
  • 5. Approaching Authentication… Multi-Factor Token PKI/ Digital Signature Increased $ Cost Knowledge-Based Very Pin/Password High High Click-wrap Medium Standard Low Access to Applying Obtaining Employee Surfing the Screening Protected for a Loan Govt. Internet for a High Website Online Benefits Risk Job Increased Need for Identity AssuranceThe President’s E-Government Initiatives 5
  • 6. OMB Authentication Guidance– M-04-04 Signed by OMB Director on 12/16/2003– Supplements OMB Guidance on implementation of GPEA– Establishes 4 identity authentication assurance levels– Requires agencies to conduct “e-authentication risk assessments”– Planned result is a more consistent application of electronic authentication across the Federal GovernmentThe President’s E-Government Initiatives 6
  • 7. ScopeApplies To:– Remote authentication of human users of Federal agency IT systems for e-government.– Identification and analysis of the risks associated with each step of the authentication processDoes Not Apply To:– Authentication of servers, or other machines and network components.– Authorization -- the actions permitted of an identity after authentication has taken place.– Issues associated with “intent to sign,” or agency use of authentication credentials as electronic signatures.– Identifying which technologies should be implemented.The President’s E-Government Initiatives 7
  • 8. Definitions– Authentication—process of establishing confidence in user identities electronically presented to an information system.– Identity authentication—confirming a person’s unique identity.– Authorization—identifying the person’s user permissions.– Attribute authentication—confirming that the person belongs to a particular group (such as military veterans or U.S. citizens).The President’s E-Government Initiatives 8
  • 9. Risk Assessment Steps1. Conduct a risk assessment of the e-government system.2. Map identified risks to the applicable assurance level.3. Select technology based on e-authentication technical guidance.4. Validate that the implemented system has achieved the required assurance level.5. Periodically reassess the system to determine technology refresh requirements.The President’s E-Government Initiatives 9
  • 10. Assurance Levels M-04-04:E-Authentication Guidance for Federal Agencies OMB Guidance establishes 4 authentication assurance levels Level 1 Level 2 Level 3 Level 4 Little or no Some confidence in High confidence in Very high confidence in asserted identity asserted identity (e.g. confidence in the asserted identity (e.g. PIN/Password) digital cert) asserted identity (e.g. self identified (e.g. Smart Card) user/password) NIST SP800-63 Electronic Authentication NIST technical guidance to match technology implementation to a levelThe President’s E-Government Initiatives 10
  • 11. Categories of Harm and Impact– Inconvenience, distress, or damage to standing or reputation– Financial loss or agency liability– Harm to agency programs or public interests– Unauthorized release of sensitive information– Personal safety– Civil or criminal violations.The President’s E-Government Initiatives 11
  • 12. Maximum Potential Impacts Assurance Level Impact Profiles Potential Impact Categories for Authentication Errors 1 2 3 4Inconvenience, distress or damage to Low Mod Mod Highstanding or reputationFinancial loss or agency liability Low Mod Mod HighHarm to agency programs or public N/A Low Mod HighinterestsUnauthorized release of sensitive N/A Low Mod HighinformationPersonal Safety N/A N/A Low Mod HighCivil or criminal violations N/A Low Mod HighThe President’s E-Government Initiatives 12
  • 13. Other items covered– Examples for each level– Use of anonymous credentials– Impact of the authentication process– Considering costs and benefitsThe President’s E-Government Initiatives 13
  • 14. Effective Dates– 90 days from completion of the final NIST E-Authentication Technical Guidance— New authentication systems should begin to be categorized, as part of the system design.– December 15, 2004—Systems classified as “major” should be categorized.– September 15, 2005—All other existing systems requiring user authentication should be categorized.The President’s E-Government Initiatives 14
  • 15. What’s missing?– Attribute authentication– Knowledge based authenticationThe President’s E-Government Initiatives 15