LOA Discussion

LoA vs. Identity Assurance Profiles (IAP)

- How to express LoA in AuthN attribute context

o   IdP

o   Service / SP

o   Credential

o   Runtime Event

- Registration (Silver) and "Re-Credentialing"

- LoA in SSO context

LoA (1,2,3,4) is hierarchical, whereas IAP does not (have to) follow a hierarchy

- Purple doesn't necessarily have a relationship to Bronze/Silver

- IAP may be much more dynamic (determination on the fly) than LoA

- Need to distinguish between LoA and IAPs

- LoA could be contained within an IAP (but not necessarily the reverse)

- An IAP could require different levels of the following than a specific (NIST) LoA does:

o   ID-Proofing

o   Credentialing

- Point about OUR understanding of Higher Ed versus the Feds

o   Currently a LoA could be mapped to an IAP (not the reverse)

o   That may not be true over time

- LoA of an Attribute

o   How it's defined by an institution

o   How the attribute is granted/issued/determined

- IAP requires many more background processes and documentation

- "Silver" is certified in the Metadata, and not via the "attribute"

- AuthN context is not "tied" to the IAP? (YES, by asserting SILVER)

- AuthN context class = Silver (tied to Silver IAP)

o   In the SAML assertion

- If a higher LoA is required

o   Adjust IdP UI to request token information

o   Otherwise (lower LoA) UI requests username/password

- Question whether using a higher-factor credential without verification of identity at a high enough level (ID-proofing)

- Point is that the SP needs to ask for what it needs relative to a LoA

- Can't have too many Levels of Assurance

- AuthN context includes a lot of information about the credential?

- List of schools that are already doing LoA work (for NIH, etc.)
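An added example (not from these notes) of the SP-side check the discussion points to: the SP states what it needs, reads the AuthnContextClassRef from the assertion, and treats NIST LoA as ordered but IAPs as an unordered set (Purple has no relationship to Bronze/Silver), while confirming Silver/Bronze against the IdP's metadata certification rather than the assertion alone. The InCommon IAP URIs and the assurance-certification entity attribute are real; the NIST LoA URIs, entityID and sample XML are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
# Real InCommon IAP URIs; the NIST LoA URIs are constructed placeholders.
IAP = {"http://id.incommon.org/assurance/bronze", "http://id.incommon.org/assurance/silver"}
NIST_LOA = {f"urn:example:nist:loa:{n}": n for n in (1, 2, 3, 4)}
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

def certified_iaps(idp_metadata_xml: str) -> set:
    """IAP URIs the federation has certified for this IdP (EntityAttributes in metadata)."""
    root = ET.fromstring(idp_metadata_xml)
    return {v.text.strip()
            for a in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == CERT_ATTR
            for v in a.iterfind("saml:AttributeValue", NS)}

def assertion_satisfies(assertion_xml, idp_metadata_xml, required_iaps=(), min_loa=None):
    """True when the asserted AuthnContextClassRef meets the SP's stated need.
    IAPs are matched as a set (no hierarchy) and must also be certified in metadata;
    a NIST LoA requirement is met by any asserted level >= min_loa (hierarchical)."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnContextClassRef", NS)
    asserted = ref.text.strip() if ref is not None and ref.text else ""
    if asserted in IAP:
        return asserted in set(required_iaps) and asserted in certified_iaps(idp_metadata_xml)
    if asserted in NIST_LOA and min_loa is not None:
        return NIST_LOA[asserted] >= min_loa
    return False  # unknown or absent class: do not grant access

# Constructed sample metadata: this IdP is certified for Bronze only.
IDP_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://idp.example.edu/idp">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
      <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""

def assertion(cls: str) -> str:
    """Constructed minimal assertion carrying the given AuthnContextClassRef."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
            f'{cls}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion>')
```

An assertion claiming Silver from an IdP certified only for Bronze is rejected, which is the "certified in the metadata, not via the attribute" point in practice.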

User ID-proofed and LoA set (at some prior time) but that does not last forever!

Credentials were given LoA at a "point-in-time" (confidence)

Re-credentialing - without ID-proofing - invalidated? (in-person or not)

Identity-proofing and storing a document ID of Government Photo-ID

o   If "remote id-proofing" document number must be verified with issuing agency

Is the IAP (requirements) for Silver set too high (includes too much of the older fed requirements)?

"Where would you need LoA 2 in the NIH context"?

What types of "services" might require a higher LoA?

o   List of services?

o   General rule of thumb:

o   Access to information about "yourself" is lower level LoA

o   Access to information about "others" is higher level LoA

Failed password attempts reduce the entropy of a credential (by combining log entries of failed attempts)

Missing boxes for IAM Toolkit

o   Risk assessment tool

o   Better entropy calculator (tool)

Has anyone had their password reset questions (Challenge/response) audited for appropriate entropy? (Best Practices for Re-Credentialing)
