SP 800-63-3 is an update to NIST's digital identity guidelines. It introduces a new framework that separates assurance levels into three components: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). This provides more flexibility and granularity over the previous version's single Level of Assurance (LOA). The document outlines the recommended requirements and mappings between the new IAL, AAL, FAL framework and the legacy LOA model from SP 800-63-2.

1. SP 800-63-3
- Digital Authentication Guideline -
Nov Matake

2. Nov Matake
• OpenID Foundation Japan
•
•
• WG
• #idcon
• OAuth.jp
• YAuth.jp

3. GOAL
• SP 800-63-2
• SP 800-63-3
• SP 800-63-3
• SP 800-63

4. https://openid-foundation-japan.github.io/800-63-3/

5. • SP 800-63-3 (@nov)
• Digital Authentication Guideline
• SP 800-63A (@sami_mkw_ + @nov)
• Enrollment & Identity Proofing
• SP 800-63B (@kthrtty + @hitok_)
• Authentication & Lifecycle Management
• SP 800-63C (@nov)
• Federation & Assertions

6. https://github.com/openid-foundation-japan/800-63-3
SP 800-63-3
https://github.com/usnistgov/800-63-3

7. SP 800-63-3
- Digital Authentication Guideline -

8. SP 800-63-3
• M-04-04 Level of Assurance (LOA) 3
• Identity Assurance Level (IAL)
• Authenticator Assurance Level (AAL)
• Federation Assurance Level (FAL)
• Assurance Level
• Assurance Level
• IAL=63A / AAL=63B / FAL=63C

9. SP 800-63-2
• 5 LOA Lv1-Lv4
• Identity Proofing
• Token
• Token and Credential Management
• Authentication Process
• Assertion
• 63-2 1 Level (LOA)
• 63-3 1 Level (LOA) 3 Level (xAL)

10. Identity Assurance Level (IAL)
• Identity Proofing Assurance Level
• Lv.1
• Identity Proofing
• Lv.2
• Identity Proofing
• Lv.3
• Identity Proofing

11. Authenticator Assurance Level
(AAL)
• Authentication Process Assurance Level
• Authenticator
• Lv.1
• Single Factor Authentication OK
• Lv.2
• Two Factor Authentication
• 2 Authenticator Software OK
• Lv.3
• Hardware Authenticator Two Factor Authentication

12. Federation Assurance Level
(FAL)
• ...
• Assertion
• (ID Token etc.)
• Artifact (a.k.a. Handle / Assertion Reference)
• Assertion (Authorization Code etc.)
• Front-channel Presentation
• Assertion User Agent Assertion (Implicit Flow
etc.)
• Back-channel Presentation
• User Agent Artifact Assertion (Code Flow etc.)

13. Federation Assurance Level
(FAL)
• Federation Assurance Level
• Federation Assertion / Artifact
• Lv.1
• Front-channel / Back-channel Assertion
• Lv.2
• Lv1 Front-channel Assertion
• Lv.3
• Lv.2 Back-channel Assertion
• Lv.4
• Lv.3 Holder-of-Key Assertion (Proof-of-Posession)

14. Recommended M-04-04 Requirements
LOA IAL AAL FAL
1 1 1, 2 or 3 1, 2, 3 or 4
2 1 or 2 2 or 3 2, 3 or 4
3 1 or 2 2 or 3 2, 3 or 4
4 1, 2 or 3 3 3 or 4
Legacy M-04-04 Requirements
LOA IAL AAL FAL
1 1 1 1
2 2 2 or 3 2
3 2 2 or 3 2
4 3 3 4

15. Legacy M-04-04 Requirements
(SP 800-63-2 )
↓
↓
Identity Proofing LOA1
LOA1

16. Recommended M-04-04 Requirements
(SP 800-63-3 )
↓
↓
Identity Proofing (IAL 1)
(AAL 2) LOA 3

17. LOA 3
IAL, AAL, FAL

18. LOA
LOA
IAL, AAL, FAL