RE: [Assurance] silver, 2-factor, password requirements


  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver, 2-factor, password requirements
  • Date: Thu, 29 Nov 2012 21:17:13 -0600
  • Accept-language: en-US

The risk assessment concludes that the "Federation Manager is a
moderate-impact system" and it references the "Potential Impact Categories
for Authentication Errors" table from OMB M-04-04, but does not say which LoA
was identified. It looks to me that "moderate-impact" could land it in LoA 2
or LoA 3 depending on which risk categories earned the system as a whole the
moderate-impact designation. Did a "required LoA" result from this risk
assessment?



-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Thursday, November 29, 2012 4:08 PM
To:
Subject: Re: [Assurance] silver, 2-factor, password requirements


> I'm not sure what you mean by "legal identity".

According to the IAP, "Identity proofing in this IAP is based on
government-issued ID or public records," so I'm referring to the identity
information obtained as a result of that identity proofing process.

> To me the question
> of what LoA is required is answered by evaluating the risk to your
> application as described in OMB M-04-04. For example, what are the
> consequences of someone impersonating a valid user, or of a valid user
> claiming that their credential was not under their control to avoid
> accountability?

We already did a risk assessment for our app:

https://spaces.internet2.edu/x/OIjNAQ

Two-factor authentication has been identified as a possible control. The cost
of a 2FA deployment has fallen dramatically in the last year, so that's the
direction we're heading.

> If you don't care about the ability to hold the user accountable isn't
> Bronze sufficient? If you do care, relaxing identity proofing seems
> counterproductive.

The user isn't the responsible party in this case since we have a signed
agreement with the user's organization. This is basically how it works with
most (all?) SaaS apps.

Tom


