
assurance - RE: [Assurance] silver and two-factor ...

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver and two-factor ...
  • Date: Tue, 13 Mar 2012 14:14:52 -0500
  • Accept-language: en-US

We seem to be well positioned to do LoA 3 & 4 on hard crypto tokens.
We have a modest deployment of USB tokens here. I find them easier to deal
with than OTP tokens.

-----Original Message-----
From: [mailto:] On Behalf Of Joe St Sauver
Sent: Tuesday, March 13, 2012 2:10 PM
To:
Subject: Re: [Assurance] silver and two-factor ...

"Jones, Mark B" <> commented:

#Perhaps the interest in two-factor is actually an indication of the
#need for Gold assurance?

Just to get one latent issue explicitly onto the table, I would note
that not all two-factor solutions are equal, at least not if the
Assurance Program's "metal levels" are going to be mapped to NIST
800-63 LOA's.

Thus, choice of a soft cryptographic token, or a one time password device,
or a hard cryptographic token, would be satisfactory for 800-63 LOA-3 (and
what we might arguably assume will be "Gold").

LOA-4, however, mandates use of a *hard* cryptographic token and that
significantly reduces the options for whatever authentication technology
will be used for whatever we call what will be beyond Gold ("Platinum"?).

In fact, I'd argue that the ONLY practical option that exists for LOA-4
is PKI hard tokens/smart cards, at least as I read NIST 800-63. (see
SP800-63 v 1.0.2 at PDF page 44-48)

Regards,

Joe


