Check Out All Possible Details About NIST IAL3 Verification

NIST Special Publication 800-63-4 is the basis of any risk-based Digital Identity Risk Management (DIRM) framework, and specifically endorses phishing-resistant multifactor authentication and FIDO Passkeys as the new standard in authentication.

Version four retains the three assurance levels (IAL, AAL, and FAL) but modifies their requirements to address modern security technologies such as phishing-resistant MFA and subscriber-controlled wallets. Furthermore, version four offers remote, unattended identity verification and formalizes pathways to reaching IAL2.

NIST IAL3 Verification

NIST IAL3 verification, authentication and federated identity management are essential security components of online transactions. NIST defines Identity Assurance Levels (IALs) to indicate how certain it is that a claimed identity matches a real-life one; lower levels allow self-asserted identities, while higher ones require more substantial evidence and more stringent IAL3 identity verification software processes.

NIST 800-63-4 marks an important shift away from checklist-based requirements towards a risk-based Digital Identity Risk Management (DIRM) framework, which allows agencies to dynamically select an Identity Assurance Level, Authentication Assurance Level, or Federation Assurance Level depending on business and privacy risks as well as mission requirements.

Attaining IAL3 requires two methods. The first is in-person attended identity proofing by a CSP agent, similar to how guards inspect documents before allowing you into certain offices. The second is supervised remote FedRAMP High identity proofing, with a high-resolution video monitor connected via an agency-controlled device such as a kiosk or tablet and supervised by a trained agent at the other end of the video stream.

NIST IAL3 Compliance

NIST offers three levels of assurance, with IAL3 being the highest. Businesses requiring more extreme security levels typically opt for this level.

This category includes information that requires high levels of protection against threats such as phishing, social engineering and brute-force attacks; administrative access to servers, systems or security data; and access that would lead to the compromise of personal information which could impact multiple people.

Businesses can quickly achieve NIST 800-63-4 IAL3 compliance through the use of a kiosk with live agents present during proofing sessions, much like how guards may review visitors or employees entering some office buildings. Each kiosk is loaded with the Trust Swiftly app or a single no-code page, which launches the proofing process and allows agents to record videos, photos and device checks while verifying people in real time, offering less costly yet faster deployment options than guards or traditional verification.

NIST IAL3 FedRAMP High Identity Proofing

NIST 800-63-4 provides guidance for evaluating and selecting assurance levels for identity proofing, authentication and federation systems. The guidelines include both normative and informative text to assist organizations in managing risks associated with digital identity systems that could cause harm to individuals, their organization, other organizations or even nation states.

NIST advises RPs to evaluate the impact of failure at each assurance level and to assess its costs, benefits, and risks before choosing one or more tiers as appropriate for each transaction. An RP may decide against identity proofing for certain transactions where potential errors have insignificant effects or when accepting self-asserted attributes is more cost effective.

An RP that elects for the IAL3 pathway must present superior-strength identity evidence to a trained agent in an attended identity proofing session that is monitored, audited, and logged. Communication between claimant and verifier MUST take place over an authenticated protected channel to protect the confidentiality of authentication output as well as to prevent adversary-in-the-middle (AitM) attacks.

NIST IAL3 Fraud Prevention

Businesses looking to implement IAL3 could consider using kiosks that can be attended in real time by CSP agents, much like how security guards inspect credentials before admitting people into some office buildings. The kiosks can connect live to Trust Swiftly via an iOS or Android device, opening the Trust Swiftly no-code proofing process.

This approach helps limit highly scalable attacks, protect against synthetic identities and enable the CSP to verify the authenticity of a person's actions by performing risk-scoring analytics and reproofing enrollment processes. An agent may also limit access based on factors like the number of authentication attempts made and the number of phishing-resistant authenticators in use; see [SP800-63A] for further details and normative requirements related to subscriber accounts as well as authenticator management, including authenticator selection processes.