Episode 051: 09‐26‐2024 NIST Digital Identity Assurance Levels - GluuFederation/identerati-office-hours GitHub Wiki
Title: Flexibility of NIST Digital Identity Assurance Levels
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Kenneth Myers, Dr. Identity Nerd
- Co-Host: Tom Clancy, CIDPRO, Principal Identity, Credential, and Access Management (ICAM) Engineer at MITRE
Description
NIST Special Publication 800-63-3 base volume is all about digital identity risk management including conducting a risk assessment. How do you conduct a digital identity risk assessment? Tune into this episode of the identerati office hours to learn everything you need to know.
Homework
Takeaways
-
800-63 version 3 presents a new concept of "harm categories" to help organizations determine the appropriate level of identity proofing, authentication and federation. We didn't mention this in the livestream, but it's sort of like the "impact" considerations of a threat model.
-
800-63 assurance levels into three parts, to oversimplify: identity proofing, authentication and federation. But when mapped against the harms, it seems uncommon that you'd have a different assurance level to mitigate any particular harm.
-
In a Zero Trust infrastructure, assurance level is a continuum--each resource may have a different requirement for assurance.
-
Using the highest possible assurance level is not always possible--to increase accessibility it may be acceptable to accept a lower assurance level. Also from a productivity standpoint, maximizing friction to increase assurance is expensive.