NIEF Simple Authenticator Assurance Profile for Data Categories with HIGH Risk Impact, v1.0

NIEF authenticator assurance profile for access to categories of data whose highest risk impact level (among confidentiality risk, integrity risk, and availability risk) is LOW. Derived from NIST Special Publication 800-63B Authenticator Assurance Level 3 (AAL3) requirements, excluding security controls and privacy controls. Intended for use in conjunction with appropriate NIEF profiles for security and privacy controls.
Identifier https://trustmark.nief.org/tpat/tips/nief-simple-authenticator-assurance-profile-for-data-categories-with-high-risk-impact/1.0/
Publication Date 2021-08-28
Issuing Organization NIEF Support, help@nief.org
Keywords NIEF, Authenticator Assurance, AAL3, HIGH
Legal Notice This artifact is published by the National Identity Exchange Federation (NIEF). This artifact and the information contained herein are provided on an "AS IS" basis, and NIEF disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights, or any implied warranties of merchantability or fitness for a particular purpose. In addition, NIEF disclaims legal liability for any loss incurred as a result of the use of or reliance on the document or the information contained herein.

Trust Expression:

TIP_ref9 and TIP_ref10 and TIP_ref11 and TIP_ref12 and TD_ref1 and (TD_ref2.fips_level >= 1) and TD_ref3 and (TD_ref4.max_session_duration_seconds <= 43200) and (TD_ref5.inactivity_timeout_seconds <= 900) and (TD_ref5.reauthn_requires_all_factors == "true") and TD_ref6 and TD_ref7 and TD_ref8
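As an added example (not NIEF's own tooling), the following Python evaluates this trust expression against a constructed set of held trustmarks and reports which references or parameter constraints are unmet. The reference IDs are those listed under References below; the holdings format (reference ID mapped to a parameter dict) is an assumption.

```python
# Added example (not part of the NIEF profile): evaluates the trust expression
# against a set of held trustmarks. `held` maps a reference ID to the
# trustmark's parameter dict; the sample data below is constructed.

REFS = ["TIP_ref9", "TIP_ref10", "TIP_ref11", "TIP_ref12", "TD_ref1", "TD_ref2",
        "TD_ref3", "TD_ref4", "TD_ref5", "TD_ref6", "TD_ref7", "TD_ref8"]

# (reference, parameter, predicate, requirement as written), from the expression
PARAM_RULES = [
    ("TD_ref2", "fips_level", lambda v: v >= 1, ">= 1"),
    ("TD_ref4", "max_session_duration_seconds", lambda v: v <= 43200, "<= 43200"),
    ("TD_ref5", "inactivity_timeout_seconds", lambda v: v <= 900, "<= 900"),
    # The profile compares against the string literal "true", not a boolean.
    ("TD_ref5", "reauthn_requires_all_factors", lambda v: v == "true", '== "true"'),
]


def evaluate(held):
    """Return the list of unmet conditions; an empty list means the profile is met."""
    failures = [f"missing {ref}" for ref in REFS if ref not in held]
    for ref, name, pred, requirement in PARAM_RULES:
        if ref not in held:
            continue  # already reported as missing; no parameters to check
        value = held[ref].get(name)
        try:
            ok = value is not None and pred(value)
        except TypeError:  # e.g. a numeric comparison against a string value
            ok = False
        if not ok:
            failures.append(f"{ref}.{name}={value!r} (need {requirement})")
    return failures


def is_satisfied(held):
    return not evaluate(held)


# Constructed sample holdings: one CSP meets the profile, the other does not.
COMPLIANT = {ref: {} for ref in REFS}
COMPLIANT["TD_ref2"] = {"fips_level": 2}
COMPLIANT["TD_ref4"] = {"max_session_duration_seconds": 28800}   # 8 hours
COMPLIANT["TD_ref5"] = {"inactivity_timeout_seconds": 600,       # 10 minutes
                        "reauthn_requires_all_factors": "true"}

NONCOMPLIANT = {ref: dict(params) for ref, params in COMPLIANT.items()}
del NONCOMPLIANT["TD_ref7"]                                      # trustmark not held
NONCOMPLIANT["TD_ref5"]["inactivity_timeout_seconds"] = 1800     # 30 min exceeds 900 s cap

if __name__ == "__main__":
    print(evaluate(COMPLIANT))     # []
    print(evaluate(NONCOMPLIANT))  # ['missing TD_ref7', 'TD_ref5.inactivity_timeout_seconds=1800 (need <= 900)']
```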

References (12)

 TIP  NIST SP 800-63B AAL3 Permitted Authenticators, v1.0
Description Profile of requirements related to permitted authenticator types that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, at Authenticator Assurance Level 3 (AAL3).
ID TIP_ref9
 TIP  NIST SP 800-63B AAL3 General Authenticator Requirements, v1.0
Description Profile of general authenticator requirements that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, at Authenticator Assurance Level 3 (AAL3).
ID TIP_ref10
 TIP  NIST SP 800-63B Authenticator Lifecycle Management, v1.0
Description Profile of authenticator lifecycle management requirements that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
ID TIP_ref11
 TIP  NIST SP 800-63B Session Management, v1.0
Description Profile of session management requirements that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
ID TIP_ref12
 TD  Authentication - Use of Authenticated Protected Channel between Claimant and Verifier, v1.0
Description All communications during authentication between the claimant and verifier must use authenticated and protected channels.
ID TD_ref1
 TD  FIPS 140 Cryptographic Verifier Validation for Overall Security, v1.0
Description Verifiers must use approved cryptography to ensure overall system security. Systems should be validated at a FIPS 140 compliance level.
ID TD_ref2
 TD  CSP Compliance with Applicable Records Retention Policies, v1.0
Description Credential Service Providers (CSPs) must comply with records retention policies as appropriate for the organization, including adhering to applicable laws, regulations, and policies. CSPs must also inform their subscribers of their records retention policy.
ID TD_ref3
 TD  Authentication - Enforcement of an Acceptable Maximum Session Duration, v1.0
Description All sessions must have a maximum acceptable duration that must be enforced to qualify for AAL1, AAL2, or AAL3.
ID TD_ref4
 TD  Authentication - Enforcement of Periodic Subscriber Reauthentication, v1.0
Description Subscribers must reauthenticate after periods of inactivity according to the AAL being operated at.
ID TD_ref5
 TD  Authentication - Risk Assessment for Side Channel Attacks Against Hardware-Based Authenticators and Verifiers, v1.0
Description Credential Service Providers using hardware-based authenticators should document their resistance to side channel attacks within their risk assessment.
ID TD_ref6
 TD  Authentication - No Allowance of Unlocking a Mobile Device as a Valid Authentication Factor, v1.0
Description Unlocking a smartphone must not be considered an authentication factor, as the verifier cannot verify that it was done.
ID TD_ref7
 TD  Authentication - Verification of Authenticator Satisfaction of Biometric Sensor and Performance Requirements, v1.0
Description All biometric sensors and processes used as part of an authenticator must meet the performance requirements specified in NIST SP 800-63-3.
ID TD_ref8

Sources (2)

NIEF National Identity Exchange Federation
NIST SP 800-63B NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. June 2017. Available at https://doi.org/10.6028/NIST.SP.800-63b.