This document discusses user authentication and NIST Special Publication 800-63, which provides guidelines for digital identity. It outlines four levels of authenticator assurance (AALs) and describes various types of authenticators that can be used, including passwords, one-time passwords, crypto devices, and biometrics. While no single authenticator is ideal, two-factor authentication is recommended to strengthen security. The document provides an overview of key concepts around digital identity authentication standards.

1. User Authentication
Overview
Jim Fenton
@jimfenton

2. Context
I’m a consultant to the National Institute of Standards
and Technology
Focusing on revising US Government digital identity
standards
Everything here is my own opinion; I don’t speak for
NIST!

3. About SP 800-63
NIST Special Publication
800-63, Digital Identity
Guidelines
Intended for federal
government use, but
also widely used
commercially and
internationally

4. Four-volume Set
Enrollment and
Identity Proofing
SP 800-63A
Authentication and
Lifecycle Management
SP 800-63B
Federation and Assertions
SP 800-63C
We will focus here

5. Authenticator Assurance
Levels (AALs)
AAL1 AAL2 AAL3
Authentication
Factors
1 2
2 (1 hardware-
based)
Reauthentication Monthly
12 hours /
30 min inactivity
12 hours /
15 min inactivity
Intent Not required Recommended Mandatory
Uses
Low-value
authentication w/no
personal data
General use
Critical
applications

6. Choose your own AAL

7. What’s an Authenticator?
A secret used to authenticate
Something containing an authentication secret
Often referred to as a “token” but that word is overused

8. Factors
There are three authentication factors:
Something you know (memorized secret)
Something you have
Something you are (biometric)
Authenticators may provide 1 or 2 of these

9. Authenticators
Memorized Secrets
Look-Up Secrets
Out-of-Band Device
Single-Factor OTP
Multi-Factor OTP
Single-Factor Crypto Device
Crypto Software
Multi-Factor Crypto Device

10. Memorized Secrets
Passwords, Passphrases, PINs: All memorized secrets
Something You Know

11. Password Guidance
Changes
Any printing Unicode character 😀 (but also Å) + space
Up to at least 64 characters long
No password composition rules (e.g., required digit)
Use dictionary to weed out common choices
No expiration
No hints or “security questions”

12. Look-Up Secrets
List of one-time passwords for account access
Not memorized so list is “something you have”
Typically too complex
Only used once anyway
Inexpensive solution for account recovery

13. Out-of-Band Devices
Independent communication channel
Verifies possession and control of specific hardware
Email doesn’t do this: not acceptable
Needs close binding to primary comm channel
Typically typing a secret received over secondary channel on
the primary channel
Make sure attackers can’t get user to approve the wrong thing

14. Restricted Authenticators
Use of telephone network (SMS, voice
calls)
Doesn’t prove possession strongly
enough
Acceptable for now with restrictions,
may not always be
Notice to user
Available alternatives

15. Single-Factor OTP
Device or app that generates one-time passcodes
Time-based (synced to verifier) or event-based (button)
Usable anywhere there is a keyboard or keypad
Can be phished (depends on user vigilance)
Uses symmetric crypto (verifier breach reveals secret)

16. Multi-Factor OTP
Single-factor OTP with addition of an activation factor
Activation factor can be memorized secret or biometric

17. Single-Factor
Crypto Devices
Hardware device that interfaces directly with user
endpoint
Typically USB, but increasingly NFC, BTLE
Usually requires software drivers on user endpoint
Range from OTP generation to challenge/response to
verifier impersonation resistance

18. Crypto software
Typically an X.509 client certificate/private key pair
If private key requires activation by a memorized secret,
considered multi-factor
Difficult to enforce rate limits on memorized secret
guessing attacks

19. Multi-Factor
Crypto Devices
Like single-factor crypto device, but requires activation
by memorized secret or biometric
Examples: PIV and CAC cards, other smart cards

20. Common Characteristics
Authentication intent
Require physical action by claimant
Protects against malware attacks on hardware
authenticators
Replay resistance
Output of authenticator is only valid for one authentication

21. Common Characteristics (2)
Verifier impersonation resistance
Output of authenticator is bound to a specific authentication
session, invalid elsewhere
Protects against phishing attacks
Verifier compromise resistance
Breach of data stored by verifier doesn’t allow an attacker to
authenticate
Example: Verifier has only subscribers’ public keys

22. What About Biometrics?
Some problems
Not based on a secret: fingerprints, etc easy to obtain
Presentation attacks (e.g., gummy bear fingerprint)
Probabilistic match, typically 0.1% false accept rate
Mitigations
Tight binding to specific physical authenticator
Authentication of sensor if separate
Incentives to include liveness detection

23. Summary
There is no single ideal authenticator - depends on use
case, endpoint type, and user
Passwords have definite limitations, but continue to be
important as “something you know”
Two-factor authentication should be used much more
widely than it is today

24. Questions?