The document summarizes the President's E-Government Initiative to establish guidelines for electronic authentication across federal agencies. It outlines four levels of identity assurance and requires agencies to assess authentication risks. Agencies must select authentication methods mapped to the appropriate assurance level based on the potential impacts of authentication errors for a given system, such as financial loss, privacy breaches, or civil violations. The guidance establishes deadlines for agencies to categorize existing systems under the new framework.
1. The President’s E-Government Initiative
E-Authentication Guidance
NIST KBA Symposium
February 9, 2004
Jeanette Thornton
The Office of Management and Budget 1
2. E-Authentication Goals
– Build and enable the mutual trust needed to support
widespread use of electronic interactions
between the public and Government, and across
Governments
– Minimize the burden on the public when obtaining
trusted electronic services from the Government,
and across the governments
– Deliver common interoperable authentication
solutions, appropriately matching the levels of
risk and business needs
The President’s E-Government Initiatives 2
3. Areas of Focus
– Policy
– Technology: Architecture/Requirements
– Applications (bringing Applications on to a
shared service): Conducting a pilot
– Credential Providers (accrediting electronic
credential providers so they could be used
across govt.)
– FICC: Smart Cards/IDs for Federal
Employees
4. Part of a Larger Policy Framework
– Community Specific Policies
– Federal Identity Credentialing Component Policies: Ongoing
– Credential Assessment Framework: Interim version now final
– Federal PKI Bridge Certificate Policy: Expected final March 04
– NIST Authentication Technical Guidance: SP-800-63, Out for Comment Jan 29, 2004
– E-Authentication Guidance for Federal Agencies: FINAL: OMB M-04-04, December 16, 2003
5. Approaching Authentication…
[Chart: authentication approaches plotted by increasing $ cost against increasing need for identity assurance. Approaches, from lowest to highest cost: Click-wrap, PIN/Password, Knowledge-Based, PKI/Digital Signature, Multi-Factor Token. Example applications, from lowest to highest need for identity assurance: Surfing the Internet, Access to Protected Website, Applying for a Loan Online, Obtaining Govt. Benefits, Employee Screening for a High Risk Job. Risk bands shown: Low, Standard, Medium, High, Very High.]
6. OMB Authentication Guidance
– M-04-04 Signed by OMB Director on 12/16/2003
– Supplements OMB Guidance on implementation of
GPEA
– Establishes 4 identity authentication assurance
levels
– Requires agencies to conduct “e-authentication
risk assessments”
– Planned result is a more consistent application of
electronic authentication across the Federal
Government
7. Scope
Applies To:
– Remote authentication of human users of Federal agency
IT systems for e-government.
– Identification and analysis of the risks associated with each
step of the authentication process
Does Not Apply To:
– Authentication of servers, or other machines and network
components.
– Authorization -- the actions permitted of an identity after
authentication has taken place.
– Issues associated with “intent to sign,” or agency use of
authentication credentials as electronic signatures.
– Identifying which technologies should be implemented.
8. Definitions
– Authentication—process of establishing
confidence in user identities electronically
presented to an information system.
– Identity authentication—confirming a
person’s unique identity.
– Authorization—identifying the person’s
user permissions.
– Attribute authentication—confirming that
the person belongs to a particular group
(such as military veterans or U.S. citizens).
9. Risk Assessment Steps
1. Conduct a risk assessment of the e-government
system.
2. Map identified risks to the applicable assurance
level.
3. Select technology based on e-authentication
technical guidance.
4. Validate that the implemented system has
achieved the required assurance level.
5. Periodically reassess the system to determine
technology refresh requirements.
10. Assurance Levels
M-04-04: E-Authentication Guidance for Federal Agencies
OMB Guidance establishes 4 authentication assurance levels:
– Level 1: Little or no confidence in asserted identity (e.g. self identified user/password)
– Level 2: Some confidence in asserted identity (e.g. PIN/Password)
– Level 3: High confidence in asserted identity (e.g. digital cert)
– Level 4: Very high confidence in the asserted identity (e.g. Smart Card)
NIST SP800-63 Electronic Authentication: NIST technical guidance to match technology implementation to a level
11. Categories of Harm and Impact
– Inconvenience, distress, or damage to
standing or reputation
– Financial loss or agency liability
– Harm to agency programs or public interests
– Unauthorized release of sensitive
information
– Personal safety
– Civil or criminal violations.
12. Maximum Potential Impacts

Potential Impact Categories for                                Assurance Level Impact Profiles
Authentication Errors                                          1     2     3     4
Inconvenience, distress or damage to standing or reputation    Low   Mod   Mod   High
Financial loss or agency liability                             Low   Mod   Mod   High
Harm to agency programs or public interests                    N/A   Low   Mod   High
Unauthorized release of sensitive information                  N/A   Low   Mod   High
Personal safety                                                N/A   N/A   Low   Mod/High
Civil or criminal violations                                   N/A   Low   Mod   High
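As an added example (not from the OMB slides or from M-04-04 itself), the following Python carries out step 2 of the risk assessment process, mapping the assessed impact in each category to the lowest assurance level whose impact profile can accommodate it, with the worst category deciding the system's required level. The category strings and the Impact scale are this example's own assumptions, and the level-4 "Mod/High" cell for personal safety is taken as a ceiling of High.

```python
from enum import IntEnum

class Impact(IntEnum):
    """Assessed impact of an authentication error in one category."""
    NA = 0    # no impact possible in this category
    LOW = 1
    MOD = 2
    HIGH = 3

# Maximum impact each assurance level (1..4) may carry per category,
# transcribed from the Maximum Potential Impacts table (names assumed).
# The level-4 "Mod/High" cell for personal safety is taken as HIGH.
MAX_IMPACT = {
    "Inconvenience, distress or damage to standing or reputation":
        (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "Financial loss or agency liability":
        (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "Harm to agency programs or public interests":
        (Impact.NA, Impact.LOW, Impact.MOD, Impact.HIGH),
    "Unauthorized release of sensitive information":
        (Impact.NA, Impact.LOW, Impact.MOD, Impact.HIGH),
    "Personal safety":
        (Impact.NA, Impact.NA, Impact.LOW, Impact.HIGH),
    "Civil or criminal violations":
        (Impact.NA, Impact.LOW, Impact.MOD, Impact.HIGH),
}

def min_level_for(category, impact):
    """Lowest level whose ceiling for `category` covers `impact`."""
    for level, ceiling in enumerate(MAX_IMPACT[category], start=1):
        if impact <= ceiling:
            return level
    raise ValueError(f"no level covers {impact!r} for {category!r}")

def required_assurance_level(assessment):
    """Level a system needs given its risk assessment (category -> Impact).

    Unlisted categories count as NA. The worst category governs, so the
    answer is the maximum of the per-category minimum levels.
    """
    return max(min_level_for(cat, assessment.get(cat, Impact.NA))
               for cat in MAX_IMPACT)

if __name__ == "__main__":
    # Constructed assessment for an online benefits application.
    benefits = {
        "Financial loss or agency liability": Impact.MOD,
        "Unauthorized release of sensitive information": Impact.MOD,
    }
    print("Required assurance level:", required_assurance_level(benefits))  # 3
```

Note that a mere Low impact to personal safety already forces Level 3, and a Moderate one forces Level 4, because those categories have N/A at the lower levels.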
13. Other items covered
– Examples for each level
– Use of anonymous credentials
– Impact of the authentication process
– Considering costs and benefits
14. Effective Dates
– 90 days from completion of the final NIST
E-Authentication Technical Guidance—
New authentication systems should begin to
be categorized, as part of the system
design.
– December 15, 2004—Systems classified as
“major” should be categorized.
– September 15, 2005—All other existing
systems requiring user authentication should
be categorized.
15. What’s missing?
– Attribute authentication
– Knowledge based authentication