
Introduction

This document is intended to aid institutions aspiring to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) for the Silver level of assurance using multi-factor implementations. Only sections of the IAP where there is a challenge unique to multi-factor authentication are specifically addressed.

IAP sections discussed in this document:

  • 4.2.3 Credential Technology
    • 4.2.3.1 Credential Unique Identifier
    • 4.2.3.2 Resistance to Guessing Authentication Secret
    • 4.2.3.3 Strong Resistance to Guessing Authentication Secret
    • 4.2.3.4 Stored Authentication Secrets
    • 4.2.3.5 Protected Authentication Secrets
  • 4.2.6.1 Identity Record Qualification

For more information about the InCommon Assurance program, terms and definitions, and links to the IAP and IAAF documents and the FAQ, see the Assurance Resources section.

Preamble

Some institutions are exploring using multi-factor authentication technologies to meet InCommon Silver standards. Motivators include deficiencies in processes for identity proofing, insecure methods for distributing credentials, and non-compliant passwords for existing credentials. Implementing multi-factor in a way that complies with Silver will help improve processes and security.

Using multi-factor technologies to meet InCommon Silver requirements is a challenge because the IAP is designed to address credentials based on an Authentication Secret used for authentication of the subject to the IdP. A typical Authentication Secret is something you know such as a password or passphrase. Additional factors - something you have or something you are - are not addressed in the IAP. Section 4.2.3 of the IAP states, "If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements," and there are several references to NIST [SP 800-63] throughout this section. Therefore, institutions may wish to seek guidance from NIST [SP 800-63] to justify assertions that their multi-factor implementation meets or exceeds the requirements.
Tokens commonly used as something you have for multi-factor authentication are:

  • Out-of-band tokens
  • One-time password devices
  • X.509 digital certificates, either stored in software or on a hardware device

NIST [SP 800-63] categorizes tokens as single-factor or multi-factor. A single-factor token that represents something you have must be used in combination with another factor - typically something you know - in order to achieve multi-factor authentication. A multi-factor token that represents something you have requires activation through a second factor of authentication - either something you know or something you are.
