The President’s E-Government Initiative

E-Authentication Guidance

NIST KBA Symposium
February 9, 2004
Jeanette Thornton

The Office of Management and Budget                               1
E-Authentication Goals

  – Build and enable the mutual trust needed to support
    widespread use of electronic interactions
    between the public and Government, and across
    Governments
  – Minimize the burden on the public when obtaining
    trusted electronic services from the Government,
    and across governments
  – Deliver common, interoperable authentication
    solutions that appropriately match the level of
    risk and the business need

The President’s E-Government Initiatives               2
Areas of Focus

– Policy
– Technology: Architecture/Requirements
– Applications (bringing Applications on to a
  shared service): Conducting a pilot
– Credential Providers (accrediting electronic
  credential providers so they can be used
  across govt.)
– FICC: Smart Cards/IDs for Federal
  Employees
Part of a Larger Policy Framework

Layered from the most specific policies (top) down to the foundation (bottom), with status as of this talk:

– Community Specific Policies: ongoing
– Federal Identity Credentialing Component Policies: ongoing
– Credential Assessment Framework: interim version now final
– Federal PKI Bridge Certificate Policy: expected final March 04
– NIST Authentication Technical Guidance: SP 800-63, out for comment Jan 29, 2004
– E-Authentication Guidance for Federal Agencies: FINAL, OMB M-04-04, December 16, 2003

Approaching Authentication…

[Chart: authentication technologies plotted against two axes. Vertical axis: Increased $ Cost. Horizontal axis: Increased Need for Identity Assurance.]

Technologies, from lowest to highest cost and assurance:
  Click-wrap; PIN/Password; Knowledge-Based; PKI/Digital Signature; Multi-Factor Token

Assurance bands along the horizontal axis:
  Low; Standard; Medium; High; Very High

Example transactions, from lowest to highest need for identity assurance:
  Surfing the Internet; Access to Protected Website; Applying for a Loan Online; Obtaining Govt. Benefits; Employee Screening for a High Risk Job

OMB Authentication Guidance

– M-04-04 Signed by OMB Director on 12/16/2003
– Supplements OMB Guidance on implementation of
  GPEA
– Establishes 4 identity authentication assurance
  levels
– Requires agencies to conduct “e-authentication
  risk assessments”
– Planned result is a more consistent application of
  electronic authentication across the Federal
  Government

Scope

Applies To:
– Remote authentication of human users of Federal agency
  IT systems for e-government.
– Identification and analysis of the risks associated with each
  step of the authentication process

Does Not Apply To:
– Authentication of servers, or other machines and network
  components.
– Authorization -- the actions permitted of an identity after
  authentication has taken place.
– Issues associated with “intent to sign,” or agency use of
  authentication credentials as electronic signatures.
– Identifying which technologies should be implemented.

Definitions

– Authentication—process of establishing
  confidence in user identities electronically
  presented to an information system.
– Identity authentication—confirming a
  person’s unique identity.
– Authorization—identifying the person’s
  user permissions.
– Attribute authentication—confirming that
  the person belongs to a particular group
  (such as military veterans or U.S. citizens).

Risk Assessment Steps

1. Conduct a risk assessment of the e-government
   system.
2. Map identified risks to the applicable assurance
   level.
3. Select technology based on e-authentication
   technical guidance.
4. Validate that the implemented system has
   achieved the required assurance level.
5. Periodically reassess the system to determine
   technology refresh requirements.

Assurance Levels

M-04-04: E-Authentication Guidance for Federal Agencies
OMB Guidance establishes 4 authentication assurance levels:

– Level 1: Little or no confidence in asserted identity (e.g. self-identified user/password)
– Level 2: Some confidence in asserted identity (e.g. PIN/Password)
– Level 3: High confidence in asserted identity (e.g. digital cert)
– Level 4: Very high confidence in the asserted identity (e.g. Smart Card)

NIST SP 800-63 Electronic Authentication
NIST technical guidance to match technology implementation to a level
Categories of Harm and Impact

– Inconvenience, distress, or damage to
  standing or reputation
– Financial loss or agency liability
– Harm to agency programs or public interests
– Unauthorized release of sensitive
  information
– Personal safety
– Civil or criminal violations.

Maximum Potential Impacts

Maximum impact permitted in each category at each assurance level (assurance level impact profiles):

Potential impact category for authentication errors       Level 1   Level 2   Level 3   Level 4
Inconvenience, distress or damage to standing/reputation  Low       Mod       Mod       High
Financial loss or agency liability                        Low       Mod       Mod       High
Harm to agency programs or public interests               N/A       Low       Mod       High
Unauthorized release of sensitive information             N/A       Low       Mod       High
Personal safety                                           N/A       N/A       Low       Mod/High
Civil or criminal violations                              N/A       Low       Mod       High
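Step 2 of the risk assessment (map identified risks to the applicable assurance level) is a mechanical read of the table above: rate each impact category, then take the lowest level whose profile tolerates every rating. The Python below is an added example, not code from the presentation or from OMB. It encodes the slide's table and that selection rule; the snake_case category names, the Impact enum, the explanatory per-category breakdown, and the sample ratings for a hypothetical benefits application are assumptions of the example. For Personal safety at Level 4 the slide lists "Mod/High", and the example treats High as the permitted maximum.

```python
"""Map e-authentication risk-assessment ratings to an OMB M-04-04 assurance level.

Added illustrative code, not part of the presentation. The table is the
"Maximum Potential Impacts" table from slide 12; the selection rule (lowest
level whose impact profile covers every rated category) is this example's
reading of that table.
"""
from enum import IntEnum


class Impact(IntEnum):
    """Rated impact of an authentication error in one category (ordered)."""
    NA = 0
    LOW = 1
    MOD = 2
    HIGH = 3


# Maximum impact permitted per category at assurance levels 1..4 (slide 12).
# Category names are this example's identifiers, not OMB's.
# Personal safety lists "Mod/High" at level 4; High is taken as the maximum.
MAX_IMPACT = {
    "inconvenience":        (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "financial_loss":       (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "harm_to_programs":     (Impact.NA,  Impact.LOW, Impact.MOD, Impact.HIGH),
    "unauthorized_release": (Impact.NA,  Impact.LOW, Impact.MOD, Impact.HIGH),
    "personal_safety":      (Impact.NA,  Impact.NA,  Impact.LOW, Impact.HIGH),
    "civil_criminal":       (Impact.NA,  Impact.LOW, Impact.MOD, Impact.HIGH),
}


def required_assurance_level(assessment: dict) -> int:
    """Return the lowest assurance level (1-4) whose profile covers every rated impact.

    `assessment` maps category name -> Impact; categories not listed are rated NA.
    Raises ValueError for a category the table does not define, so a typo in an
    assessment cannot silently drop a category from the calculation.
    """
    unknown = set(assessment) - set(MAX_IMPACT)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    for level in range(1, 5):
        if all(assessment.get(cat, Impact.NA) <= MAX_IMPACT[cat][level - 1]
               for cat in MAX_IMPACT):
            return level
    # Level 4 permits High in every category, so the loop always returns.
    raise AssertionError("unreachable")


def minimum_levels_per_category(assessment: dict) -> dict:
    """For each rated category, the lowest level that tolerates its rating.

    Useful when justifying the result: the overall level is the maximum of these,
    and this shows which category is driving it.
    """
    return {
        cat: next(lvl for lvl in range(1, 5) if impact <= MAX_IMPACT[cat][lvl - 1])
        for cat, impact in assessment.items()
    }


if __name__ == "__main__":
    # Constructed sample: hypothetical ratings for an online benefits application.
    benefits_app = {
        "inconvenience": Impact.MOD,
        "financial_loss": Impact.MOD,
        "unauthorized_release": Impact.MOD,
        "personal_safety": Impact.NA,
    }
    print("required level:", required_assurance_level(benefits_app))
    print("driven by:", minimum_levels_per_category(benefits_app))
```

In the sample, Moderate inconvenience and financial loss would be satisfied at Level 2, but a Moderate rating for unauthorized release of sensitive information is only tolerated from Level 3, so Level 3 is required; the per-category breakdown makes that driver explicit in the assessment record.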
Other items covered

– Examples for each level
– Use of anonymous credentials
– Impact of the authentication process
– Considering costs and benefits

Effective Dates

– 90 days from completion of the final NIST
  E-Authentication Technical Guidance—
  New authentication systems should begin to
  be categorized, as part of the system
  design.
– December 15, 2004—Systems classified as
  “major” should be categorized.
– September 15, 2005—All other existing
  systems requiring user authentication should
  be categorized.

What’s missing?

– Attribute authentication
– Knowledge based authentication


Weitere ähnliche Inhalte

Was ist angesagt?

RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionSymantec
 
Managing IT security and Business Ethics
Managing IT security and Business EthicsManaging IT security and Business Ethics
Managing IT security and Business EthicsRahul Sharma
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies
2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies
2012 Skills Based Summit - Thomson Reuters Workplace EfficienciesSnapper83
 
Leading Practices in Information Security & Privacy
Leading Practices in Information Security & PrivacyLeading Practices in Information Security & Privacy
Leading Practices in Information Security & PrivacyDonny Shimamoto
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
Iaetsd cyber crimeand
Iaetsd cyber crimeandIaetsd cyber crimeand
Iaetsd cyber crimeandIaetsd Iaetsd
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Towards Patient Controlled Privacy
Towards Patient Controlled PrivacyTowards Patient Controlled Privacy
Towards Patient Controlled PrivacyOwen Sacco
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Aviva Spectrum™
 
Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...
Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...
Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...Business Development Institute
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Security B-Sides
 

Was ist angesagt? (20)

Facing the Challenge of Enrolment
Facing the Challenge of EnrolmentFacing the Challenge of Enrolment
Facing the Challenge of Enrolment
 
RSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information ProtectionRSA 2012 Presentation: Information Protection
RSA 2012 Presentation: Information Protection
 
Recent Work
Recent WorkRecent Work
Recent Work
 
Managing IT security and Business Ethics
Managing IT security and Business EthicsManaging IT security and Business Ethics
Managing IT security and Business Ethics
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
 
2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies
2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies
2012 Skills Based Summit - Thomson Reuters Workplace Efficiencies
 
Leading Practices in Information Security & Privacy
Leading Practices in Information Security & PrivacyLeading Practices in Information Security & Privacy
Leading Practices in Information Security & Privacy
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
C02
C02C02
C02
 
Mis3rd
Mis3rdMis3rd
Mis3rd
 
Iaetsd cyber crimeand
Iaetsd cyber crimeandIaetsd cyber crimeand
Iaetsd cyber crimeand
 
Finger print
Finger printFinger print
Finger print
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Towards Patient Controlled Privacy
Towards Patient Controlled PrivacyTowards Patient Controlled Privacy
Towards Patient Controlled Privacy
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach
 
Green Security
Green SecurityGreen Security
Green Security
 
E-commerce Security
E-commerce SecurityE-commerce Security
E-commerce Security
 
Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...
Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...
Joanna Belbey Presentation - BDI 10/20/11 Insurance Social Communications Lea...
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 

Andere mochten auch

Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signaturesRohit Bhat
 
Digital Signature
Digital SignatureDigital Signature
Digital Signaturesaurav5884
 
ESRA IRS Briefing 20150519
ESRA IRS Briefing 20150519ESRA IRS Briefing 20150519
ESRA IRS Briefing 20150519K6 Partners
 
Whitepaper E Kyc By Inflow
Whitepaper E Kyc By InflowWhitepaper E Kyc By Inflow
Whitepaper E Kyc By Inflowcsantos41132011
 
Mygov Registraion and voting user guide for Varanasi
Mygov Registraion and voting user guide for VaranasiMygov Registraion and voting user guide for Varanasi
Mygov Registraion and voting user guide for VaranasiAmit Mishra
 
Securing e-Government Web Portal Access Using Enhanced Authentication System
Securing e-Government Web Portal Access Using Enhanced Authentication SystemSecuring e-Government Web Portal Access Using Enhanced Authentication System
Securing e-Government Web Portal Access Using Enhanced Authentication SystemHamdi Jaber
 
Introduction To Digital Signatures
Introduction To Digital SignaturesIntroduction To Digital Signatures
Introduction To Digital SignaturesRobert Talbert
 
Digital signature introduction
Digital signature introductionDigital signature introduction
Digital signature introductionAsim Neupane
 
Digital signatures
Digital signaturesDigital signatures
Digital signaturesIshwar Dayal
 
Digital certificates
Digital certificates Digital certificates
Digital certificates Sheetal Verma
 
Digital signature
Digital  signatureDigital  signature
Digital signatureAJAL A J
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signaturejolly9293
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overviewRishi Pathak
 
ELECTRONIC DATA INTERCHANGE
ELECTRONIC DATA INTERCHANGE ELECTRONIC DATA INTERCHANGE
ELECTRONIC DATA INTERCHANGE alraee
 

Andere mochten auch (18)

Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
 
ESRA IRS Briefing 20150519
ESRA IRS Briefing 20150519ESRA IRS Briefing 20150519
ESRA IRS Briefing 20150519
 
Whitepaper E Kyc By Inflow
Whitepaper E Kyc By InflowWhitepaper E Kyc By Inflow
Whitepaper E Kyc By Inflow
 
Mygov Registraion and voting user guide for Varanasi
Mygov Registraion and voting user guide for VaranasiMygov Registraion and voting user guide for Varanasi
Mygov Registraion and voting user guide for Varanasi
 
Digital signatures and e-Commerce
Digital signatures and e-CommerceDigital signatures and e-Commerce
Digital signatures and e-Commerce
 
Securing e-Government Web Portal Access Using Enhanced Authentication System
Securing e-Government Web Portal Access Using Enhanced Authentication SystemSecuring e-Government Web Portal Access Using Enhanced Authentication System
Securing e-Government Web Portal Access Using Enhanced Authentication System
 
Introduction To Digital Signatures
Introduction To Digital SignaturesIntroduction To Digital Signatures
Introduction To Digital Signatures
 
Digital Certificate
Digital CertificateDigital Certificate
Digital Certificate
 
Digital signature introduction
Digital signature introductionDigital signature introduction
Digital signature introduction
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Digital signatures
Digital signaturesDigital signatures
Digital signatures
 
Digital certificates
Digital certificates Digital certificates
Digital certificates
 
Digital signature
Digital  signatureDigital  signature
Digital signature
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Seminar ppt on digital signature
Seminar ppt on digital signatureSeminar ppt on digital signature
Seminar ppt on digital signature
 
Digital signature & eSign overview
Digital signature & eSign overviewDigital signature & eSign overview
Digital signature & eSign overview
 
ELECTRONIC DATA INTERCHANGE
ELECTRONIC DATA INTERCHANGE ELECTRONIC DATA INTERCHANGE
ELECTRONIC DATA INTERCHANGE
 

Ähnlich wie OMB E-Authentication Guidance Levels

User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for GovernmentCarahsoft
 
Jips v07 no1_paper17_2
Jips v07 no1_paper17_2Jips v07 no1_paper17_2
Jips v07 no1_paper17_2Hai Nguyen
 
Jips v07 no1_paper17_3
Jips v07 no1_paper17_3Jips v07 no1_paper17_3
Jips v07 no1_paper17_3Hai Nguyen
 
Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?sorenpeter
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methodslapao2014
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsRamesh Nagappan
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonEduserv
 
Jips v07 no1_paper17
Jips v07 no1_paper17Jips v07 no1_paper17
Jips v07 no1_paper17Hai Nguyen
 
SG(Signgate) PKI Abroad Business
SG(Signgate) PKI Abroad Business SG(Signgate) PKI Abroad Business
SG(Signgate) PKI Abroad Business Jinhwan Shin
 
Sp800 63 v1-0_2
Sp800 63 v1-0_2Sp800 63 v1-0_2
Sp800 63 v1-0_2Hai Nguyen
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...Entrust Datacard
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO Alliance
 
Strong authentication implementation guide
Strong authentication   implementation guideStrong authentication   implementation guide
Strong authentication implementation guideNis
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)Pace IT at Edmonds Community College
 
Why and how to implement strong authentication on the web cartes 2010 - pat...
Why and how to implement strong authentication on the web   cartes 2010 - pat...Why and how to implement strong authentication on the web   cartes 2010 - pat...
Why and how to implement strong authentication on the web cartes 2010 - pat...Keynectis
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)Pace IT at Edmonds Community College
 

Ähnlich wie OMB E-Authentication Guidance Levels (20)

User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for Government
 
Identity Assertions Draftv5
Identity Assertions Draftv5Identity Assertions Draftv5
Identity Assertions Draftv5
 
Jips v07 no1_paper17_2
Jips v07 no1_paper17_2Jips v07 no1_paper17_2
Jips v07 no1_paper17_2
 
Jips v07 no1_paper17_3
Jips v07 no1_paper17_3Jips v07 no1_paper17_3
Jips v07 no1_paper17_3
 
Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?Mature Digital Trust Infrastructure - Are we there yet?
Mature Digital Trust Infrastructure - Are we there yet?
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan Richardson
 
Jips v07 no1_paper17
Jips v07 no1_paper17Jips v07 no1_paper17
Jips v07 no1_paper17
 
SG(Signgate) PKI Abroad Business
SG(Signgate) PKI Abroad Business SG(Signgate) PKI Abroad Business
SG(Signgate) PKI Abroad Business
 
ISACA ISSA Presentation
ISACA ISSA PresentationISACA ISSA Presentation
ISACA ISSA Presentation
 
Cybersecurity Slides
Cybersecurity  SlidesCybersecurity  Slides
Cybersecurity Slides
 
Sp800 63 v1-0_2
Sp800 63 v1-0_2Sp800 63 v1-0_2
Sp800 63 v1-0_2
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology Landscape
 
FirstNet ICAM
FirstNet ICAMFirstNet ICAM
FirstNet ICAM
 
Strong authentication implementation guide
Strong authentication   implementation guideStrong authentication   implementation guide
Strong authentication implementation guide
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)
 
Why and how to implement strong authentication on the web cartes 2010 - pat...
Why and how to implement strong authentication on the web   cartes 2010 - pat...Why and how to implement strong authentication on the web   cartes 2010 - pat...
Why and how to implement strong authentication on the web cartes 2010 - pat...
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
 

Mehr von Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowresHai Nguyen
 

Mehr von Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 
Citrix sb 0707-lowres
Citrix sb 0707-lowresCitrix sb 0707-lowres
Citrix sb 0707-lowres
 

OMB E-Authentication Guidance Levels

  • 1. The President’s E-Government Initiative: E-Authentication Guidance
    NIST KBA Symposium, February 9, 2004
    Jeanette Thornton, The Office of Management and Budget
  • 2. E-Authentication Goals
    – Build and enable mutual trust needed to support widespread use of electronic interactions between the public and Government, and across Governments
    – Minimize the burden on the public when obtaining trusted electronic services from the Government, and across the governments
    – Deliver common interoperable authentication solutions, appropriately matching the levels of risk and business needs
    The President’s E-Government Initiatives
  • 3. Areas of Focus
    – Policy
    – Technology: Architecture/Requirements
    – Applications (bringing Applications on to a shared service): Conducting a pilot
    – Credential Providers (accrediting electronic credential providers so they could be used across govt.)
    – FICC: Smart Cards/IDs for Federal Employees
  • 4. Part of a Larger Policy Framework (layered diagram; items listed from the top layer down)
    – Community Specific Policies: policies ongoing
    – Federal Identity Credentialing Component
    – Credential Assessment Framework: interim version now final
    – Federal PKI Bridge Certificate Policy: expected final March 04
    – NIST Authentication Technical Guidance, SP-800-63: out for comment Jan 29, 2004
    – E-Authentication Guidance for Federal Agencies: FINAL, OMB M-04-04, December 16, 2003
  • 5. Approaching Authentication… (chart; horizontal axis "Increased Need for Identity Assurance", vertical axis "Increased $ Cost")
    – Authentication technologies plotted against cost, lowest first: Click-wrap, PIN/Password, Knowledge-Based, Multi-Factor Token, PKI/Digital Signature
    – Risk bands: Standard, Low, Medium, High, Very High
    – Example applications: Surfing the Internet, Access to Protected Website, Applying for a Loan Online, Obtaining Govt. Benefits, Employee Screening for a High Risk Job
  • 6. OMB Authentication Guidance
    – M-04-04 signed by OMB Director on 12/16/2003
    – Supplements OMB Guidance on implementation of GPEA
    – Establishes 4 identity authentication assurance levels
    – Requires agencies to conduct “e-authentication risk assessments”
    – Planned result is a more consistent application of electronic authentication across the Federal Government
  • 7. Scope
    Applies To:
    – Remote authentication of human users of Federal agency IT systems for e-government.
    – Identification and analysis of the risks associated with each step of the authentication process
    Does Not Apply To:
    – Authentication of servers, or other machines and network components.
    – Authorization: the actions permitted of an identity after authentication has taken place.
    – Issues associated with “intent to sign,” or agency use of authentication credentials as electronic signatures.
    – Identifying which technologies should be implemented.
  • 8. Definitions
    – Authentication—process of establishing confidence in user identities electronically presented to an information system.
    – Identity authentication—confirming a person’s unique identity.
    – Authorization—identifying the person’s user permissions.
    – Attribute authentication—confirming that the person belongs to a particular group (such as military veterans or U.S. citizens).
  • 9. Risk Assessment Steps
    1. Conduct a risk assessment of the e-government system.
    2. Map identified risks to the applicable assurance level.
    3. Select technology based on e-authentication technical guidance.
    4. Validate that the implemented system has achieved the required assurance level.
    5. Periodically reassess the system to determine technology refresh requirements.
  • 10. Assurance Levels (M-04-04: E-Authentication Guidance for Federal Agencies). OMB Guidance establishes 4 authentication assurance levels:
    – Level 1: Little or no confidence in asserted identity (e.g. self identified user/password)
    – Level 2: Some confidence in asserted identity (e.g. PIN/Password)
    – Level 3: High confidence in asserted identity (e.g. digital cert)
    – Level 4: Very high confidence in the asserted identity (e.g. Smart Card)
    NIST SP800-63 Electronic Authentication: NIST technical guidance to match technology implementation to a level
  • 11. Categories of Harm and Impact
    – Inconvenience, distress, or damage to standing or reputation
    – Financial loss or agency liability
    – Harm to agency programs or public interests
    – Unauthorized release of sensitive information
    – Personal safety
    – Civil or criminal violations.
  • 12. Maximum Potential Impacts: Assurance Level Impact Profiles
    Potential Impact Categories for Authentication Errors        Level 1  Level 2  Level 3  Level 4
    Inconvenience, distress or damage to standing or reputation  Low      Mod      Mod      High
    Financial loss or agency liability                           Low      Mod      Mod      High
    Harm to agency programs or public interests                  N/A      Low      Mod      High
    Unauthorized release of sensitive information                N/A      Low      Mod      High
    Personal safety                                              N/A      N/A      Low      Mod/High
    Civil or criminal violations                                 N/A      Low      Mod      High
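The impact-profile table on slide 12 is what step 2 of the risk assessment (slide 9) actually consumes: an application is rated for its potential impact in each of the six harm categories, and it is assigned the lowest assurance level whose profile tolerates every one of those ratings, which is the same as taking the worst category. The following Python is an added worked example, not code from the presentation or from OMB; the category keys and the `Impact` enum are this example's own names, and the Level 4 personal-safety cell ("Mod/High") is encoded as a High ceiling.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of an authentication error in one harm category."""
    NA = 0    # not applicable: no impact in this category
    LOW = 1
    MOD = 2
    HIGH = 3


# Maximum potential impact each assurance level (1..4) may carry, per harm
# category, transcribed from the M-04-04 impact-profile table on slide 12.
# Category keys are this example's own short names (an assumption).
MAX_IMPACT = {
    "reputation":      (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "financial":       (Impact.LOW, Impact.MOD, Impact.MOD, Impact.HIGH),
    "programs":        (Impact.NA,  Impact.LOW, Impact.MOD, Impact.HIGH),
    "sensitive_info":  (Impact.NA,  Impact.LOW, Impact.MOD, Impact.HIGH),
    "personal_safety": (Impact.NA,  Impact.NA,  Impact.LOW, Impact.HIGH),  # "Mod/High"
    "civil_criminal":  (Impact.NA,  Impact.LOW, Impact.MOD, Impact.HIGH),
}


def category_level(category: str, impact: Impact) -> int:
    """Lowest assurance level whose ceiling for `category` is >= `impact`."""
    for idx, ceiling in enumerate(MAX_IMPACT[category]):
        if impact <= ceiling:
            return idx + 1
    # Unreachable with the table above (Level 4 tolerates High everywhere),
    # kept so a future table edit cannot silently under-rate an application.
    raise ValueError(f"{category}: impact {impact.name} exceeds every level")


def explain(assessed: dict) -> dict:
    """Per-category required level; categories not assessed count as N/A.
    Rejects unknown category names so a typo cannot drop a rating."""
    unknown = set(assessed) - MAX_IMPACT.keys()
    if unknown:
        raise KeyError(f"unknown harm categories: {sorted(unknown)}")
    return {
        cat: category_level(cat, assessed.get(cat, Impact.NA))
        for cat in MAX_IMPACT
    }


def required_level(assessed: dict) -> int:
    """Assurance level the application needs: its worst category decides."""
    return max(explain(assessed).values())


if __name__ == "__main__":
    # Constructed sample assessments (illustrative only, not from the slides).
    scenarios = {
        "informational website":   {},
        "benefits status lookup":  {"financial": Impact.MOD, "sensitive_info": Impact.LOW},
        "online loan application": {"financial": Impact.HIGH, "sensitive_info": Impact.MOD},
        "field-safety roster":     {"personal_safety": Impact.MOD},
    }
    for name, assessed in scenarios.items():
        print(f"{name:26s} -> Level {required_level(assessed)}  {explain(assessed)}")
```

Running the script prints the required level and the per-category breakdown for each constructed scenario; the breakdown is the part worth keeping in the written risk assessment, because it records which harm category drove the level and therefore what a later reassessment (slide 9, step 5) must revisit.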
  • 13. Other items covered
    – Examples for each level
    – Use of anonymous credentials
    – Impact of the authentication process
    – Considering costs and benefits
  • 14. Effective Dates
    – 90 days from completion of the final NIST E-Authentication Technical Guidance—New authentication systems should begin to be categorized, as part of the system design.
    – December 15, 2004—Systems classified as “major” should be categorized.
    – September 15, 2005—All other existing systems requiring user authentication should be categorized.
  • 15. What’s missing?
    – Attribute authentication
    – Knowledge based authentication