NIST SPECIAL PUBLICATION 800-63-3 IMPLEMENTATION RESOURCES


July 1, 2020

This publication is available free of charge from:



Digital Identity Guidelines: Implementation Resources

NIST Special Publication 800-63-3, Digital Identity Guidelines, is an umbrella publication that introduces the digital identity model described in the SP 800-63-3 document suite. It frames identity guidelines in three major areas:

• Enrollment and identity proofing (SP 800-63A)
• Authentication and lifecycle management (SP 800-63B)
• Federation and assertions (SP 800-63C)

In addition to introducing the detailed guidelines in these areas, SP 800-63-3 addresses the factors involved in choosing the appropriate Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL) for a given application.

These implementation resources are provided pursuant to OMB memorandum M-19-17. While these resources reference normative guidelines in the SP 800-63-3 document suite and other documents, they are intended as informative implementation guidance and are not normative. These implementation resources provide guidance for SP 800-63-3 in three parts: Part A addresses SP 800-63A, Part B addresses SP 800-63B, and Part C addresses SP 800-63C. Section numbers presented in parentheses in each part refer to the SP 800-63-3 volume corresponding to that part.

Comments on these guidelines are welcomed and can be submitted via email to digcomments@.


Table of Contents

A.1 Introduction . . . 1
A.2 Identity Proofing Process Documentation . . . 2
A.3 Identity Resolution and Evidence Collection . . . 4
A.4 Identity Validation . . . 10
A.5 Identity Verification . . . 15
A.6 Enrollment Codes . . . 18
A.7 Biometrics Collection . . . 19
A.8 Supervised Remote Identity Proofing . . . 20
A.9 Use of Trusted Referees . . . 22
A.10 IAL2 Remote Identity Proofing . . . 23
B.1 Introduction . . . 30
B.2 Terminology . . . 31
B.3 Authenticator Assurance Levels . . . 33
B.4 Authenticators and Verifiers . . . 36
B.5 Authenticator Lifecycle Management . . . 53
B.6 Session Management . . . 57
C.1 Introduction . . . 59
C.2 Choosing Security Parameters . . . 60
C.3 Guidance for Relying Parties . . . 65
C.4 Guidance for Identity Providers . . . 70
C.5 Example Scenarios . . . 74
C.6 Educational Resources . . . 78

List of Tables

Table A-3-1 Digital Collection Methods . . . 6
Table A-3-2 Notional Strength of Evidence . . . 8
Table A-4-1 Security Features . . . 11


Table A-5-1 Verification Methods and Strengths . . . 15
Table B-4-1 General Authenticator Requirements (1) . . . 46
Table B-4-2 General Authenticator Requirements (2) . . . 46

List of Figures

Fig. 1 Individual Identity Proofing Journey . . . 1

A.1 Introduction

NIST Special Publication 800-63A, Enrollment and Identity Proofing, provides detailed requirements and controls for the enrollment and identity proofing of individuals into digital identity systems. These resources provide informational guidance for the implementation of the services, controls, and requirements presented in SP 800-63A. These implementation resources should be read alongside SP 800-63A.

A.1.1 Identity Proofing

Identity proofing is the process by which a Credential Service Provider (CSP) collects and verifies information about a person for the purpose of issuing credentials to that person, as illustrated in Figure 1.

Figure 1. Individual Identity Proofing Journey

These identity proofing processes and their associated controls and requirements are presented in NIST SP 800-63A in order to achieve the following processing objectives:

• Resolve a claimed identity to a single, unique identity within the context of the population of users served by the CSP.
• Validate
  – that all evidence that is supplied is valid (correct) and genuine (not counterfeit or misappropriated); and
  – that the claimed identity exists in the real world.
• Verify that the claimed identity is associated with the real person supplying the identity evidence.
