Assurance

["Jones, Mark B" <>]

We seem to be well positioned to do LoA 3 & 4 on hard crypto tokens.
We have a modest deployment of USB tokens here.  I find them easier to deal 
with than OTP tokens.

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Joe St Sauver
Sent: Tuesday, March 13, 2012 2:10 PM
To: 

Subject: Re: [Assurance] silver and two-factor ...

"Jones, Mark B" 
<>
 commented:

#Perhaps the interest in two-factor is actually an indication of the 
#need for Gold assurance?

Just to get one latent issue explicitly onto the table, I would note
that not all two-factor solutions are equal, at least not if the 
Assurance Program's "metal levels" are going to be mapped to NIST
800-63 LOA's.

Thus, choice of a soft cryptographic token, or a one time password device,
or a hard cryptographic token, would be satisfactory for 800-63 LOA-3 (and 
what we might arguably assume will be "Gold").

LOA-4, however, mandates use of a *hard* cryptographic token and that 
significantly reduces the options for whatever authentication technology
will be used for whatever we call what will be beyond Gold ("Platinum"?).

In fact, I'd argue that the ONLY practical option that exists for LOA-4
is PKI hard tokens/smart cards, at least as I read NIST 800-63. (see 
SP800-63 v 1.0.2 at PDF page 44-48)

Regards,

Joe