View Source

Introduction

This document is intended to aid institutions aspiring to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) for Silver level of assurance using muilti-factor implementations. Only sections of the IAP where there is a challenge unique to multi-factor are specifically addressed.

IAP sections discussed in this document:

4.2.3 Credential Technology
- 4.2.3.1 Credential Unique Identifier
- 4.2.3.2 Resistance to Guessing Authentication Secret
- 4.2.3.3 Strong Resistance to Guessting Authentication Secret
- 4.2.3.4 Stored AUthentication Secrets
- 4.2.3.5 Protected Authentication Secrets
4.2.6.1 Identity Record Qualification

For more information about the InCommon Assurance program, terms and definitions, and links to the IAP and IAAF documents and the FAQ, see the Assurance Resources section

Preamble

Some institutions are exploring using multi-factor authentication technologies to meet InCommon Silver standards. Motivators include deficiencies in processes for identity proofing, insecure methods for distributing credentials, and non-compliant passwords for existing credentials. Implementing multi-factor in a way that complies with Silver will help improve processes and security.

Using multi-factor technologies to meet InCommon Silver requirements is a challenge because the IAP&nbsp;is designed to address credentials based on an Authentication Secret used for authentication of the subject to the IdP. A typical Authentication Secret&nbsp;is _something you know_ such as a password or passphrase.&nbsp;Additional factors - _something you have_ or _something you are_ \- are not addressed in the IAP.&nbsp;Section 4.2.3 of the IAP states, "If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements," and there are several references to NIST \[SP 800-63\] throughout this section. Therefore, institutions may wish to seek guidance from NIST \[SP 800-63\]&nbsp;to&nbsp;justify assertions&nbsp;that their&nbsp;multi-factor implementation meets or exceeds the requirements.
Tokens&nbsp;commonly used as _something you have_&nbsp;for multi-factor authentication are:

Out-of-band tokens
One-time password devices
X.509 digital certificates, either stored in software or on a hardware device

NIST \[SP 800-63\] categorizes single-factor and multi-factor tokens. A single-factor token that represents _something you have_&nbsp;must be used in combination with another factor - typically _something you know_ \- in order to achieve multi-factor authentication.&nbsp;A multi-factor&nbsp;token&nbsp;that represents _something you have_&nbsp;requires activatation through a second factor of authentication&nbsp;-&nbsp;either _something you know_ or _something you are._