3.
14 years of expertise in Data Protection
40+ projects establishing trusted ecosystems:
▪ Strong Authentication,
▪ Identity Management,
▪ Access Governance,
▪ Information Protection.
Security specialist @ EXFO, R&D
To keep in touch:
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
https://x-iam.com
Or as a member/supporter of:
4.
References for this talk:
• NIST SP 800-63-3:
https://pages.nist.gov/800-63-3/
• November 2018 IDPro newsletter:
https://idpro.org
17.
Resolve: Collection of Identity Evidence is performed
Validate: Trustworthiness of Identity Evidence is established
Verify: Link between the Identity Evidence and the claimant is assured
18.
Resolve / Validate / Verify at IAL1, IAL2 and IAL3

Resolve
IAL1: 0 or more self-asserted attributes can be collected
IAL2:
• 1x SUPERIOR
• 1x IAL2 STRONG
• 2x STRONG
• 1x STRONG + 2x FAIR
Should include biometric enrolment
IAL3:
• 2x SUPERIOR
• 1x SUPERIOR + 1x IAL2 STRONG
• 2x STRONG + 1x FAIR
Must include biometric enrolment

Validate
IAL2:
• Use process matching IV
• Confirm Address of record
IAL3:
• Use process matching IV
• Confirm Address of record

Verify
IAL2: Strong Verify
• On site or remote
• AoR validation to be adapted to the situation
IAL3: Superior Verify
• On site
• AoR cannot be self asserted
• AoR validation using OTP
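
The IAL2 and IAL3 evidence combinations listed on this slide, written as a check an enrolment workflow could run. This is an added example, not part of the original deck: the grade labels (including `IAL2_STRONG` for the slide's "IAL2 STRONG"), the function names, and the rule that a higher-graded piece may fill a lower-graded slot are assumptions. It covers evidence collection only, not validation, verification or biometric enrolment.

```python
# Added example: evidence combinations from the slide's IAL2/IAL3 bullets.
# Grade labels and their ordering are assumptions of this sketch.
RANK = {"FAIR": 1, "STRONG": 2, "IAL2_STRONG": 3, "SUPERIOR": 4}

# Each inner list is one acceptable combination, copied from the slide.
RULES = {
    "IAL2": [
        ["SUPERIOR"],
        ["IAL2_STRONG"],
        ["STRONG", "STRONG"],
        ["STRONG", "FAIR", "FAIR"],
    ],
    "IAL3": [
        ["SUPERIOR", "SUPERIOR"],
        ["SUPERIOR", "IAL2_STRONG"],
        ["STRONG", "STRONG", "FAIR"],
    ],
}

def satisfies(evidence, combo):
    """True if the collected evidence covers every slot in combo.

    Assumption: a higher-graded piece may fill a lower-graded slot and each
    piece fills at most one slot. Sorting both sides strongest-first and
    comparing pairwise is then sufficient.
    """
    have = sorted((RANK[e] for e in evidence), reverse=True)
    need = sorted((RANK[c] for c in combo), reverse=True)
    return len(have) >= len(need) and all(h >= n for h, n in zip(have, need))

def matching_combo(evidence, ial):
    """Return the first slide combination the evidence meets, else None."""
    if ial == "IAL1":
        return []  # IAL1: attributes are self-asserted, no evidence slots
    for combo in RULES[ial]:
        if satisfies(evidence, combo):
            return combo
    return None

def max_ial_by_evidence(evidence):
    """Highest IAL whose evidence-collection requirement is met."""
    for ial in ("IAL3", "IAL2"):
        if matching_combo(evidence, ial) is not None:
            return ial
    return "IAL1"
```

An unknown grade label raises `KeyError`, so a mistyped grade fails loudly instead of being silently counted as weak evidence.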
26.
[Figure: Matrix of Trust, a table aligning assurance levels across frameworks. Frameworks shown: NIST SP800-63-3 (USA), M-04-04 (USA), NeAF, FANR, GPG45/RSDOPS, IDABC STORK2.0 / eIDAS (EU), ISO 29003 / 29115; country labels also shown: Canada, Australia, UK, Norway. Scales shown: IAL 1-3 / AAL 1-3; Low / Substantial / High; LOA 1-4; QAA 1-4; IAL/CAL 1-4; Lvl 1-4; Lvl 1-3; Minimal / Low / Moderate / High.]
References:
• NIST SP-800-63-3 Section 2 Table 1
• Improving Usability of Password Management with Standardized Password Policies, by Bander AlFayyadh, Per Thorsheim, Audun Jøsang and Henning Klevjer
Matrix of Trust is given as generalizing guidance; the devil is in the details, use with caution.
27.
Taxonomy proposal as a guide to VoT(*)
P: Identity Proofing, .N633
C: Credential Usage, .N633
M: Credential Management, .N633
A: Assertion Presentation, .N633
Level Reference
(*)Reference: https://tools.ietf.org/html/rfc8485