In order to satisfy the requirements of a given Authenticator Assurance Level (AAL), a claimant SHALL be authenticated with at least a given level of strength to be recognized as a subscriber. The result of an authentication process is an identifier, which MAY be pseudonymous and which SHALL be used each time that subscriber authenticates to that relying party. Optionally, other attributes that identify the subscriber as a unique person may also be provided.
Detailed normative requirements for authenticators and verifiers at each AAL are provided in Section 5.
FIPS 140 requirements are satisfied by [FIPS 140-2] or newer revisions.
Table 4-1 maps each M-04-04 Level of Assurance to the corresponding Authenticator Assurance Levels under strict adherence to M-04-04.
Table 4-1. Legacy M-04-04 AAL Requirements
M-04-04 Level of Assurance (LOA) | Authenticator Assurance Level (AAL) |
---|---|
1 | 1 |
2 | 2 or 3 |
3 | 2 or 3 |
4 | 3 |
However, Table 4-2 shows the expanded set of AALs that are allowable to meet M-04-04 Levels of Assurance. Agencies SHALL select the corresponding AAL based on the assessed M-04-04 LOA.
Table 4-2. Recommended M-04-04 AAL Requirements
M-04-04 Level of Assurance | Authenticator Assurance Level |
---|---|
1 | 1, 2 or 3 |
2 | 2 or 3 |
3 | 2 or 3 |
4 | 3 |
AAL 1 provides some assurance that the claimant controls the authenticator registered to a subscriber. AAL 1 permits single-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove, through a secure authentication protocol, that he or she possesses and controls the authenticator.
Authenticator Assurance Level 1 permits the use of any of the following authenticator types, defined in Section 5:
Cryptographic authenticators used at AAL 1 SHALL use approved cryptography. Software-based authenticators that operate within the context of a general purpose operating system MAY, where practical, attempt to detect compromise of the platform in which they are running (e.g., by malware or “jailbreak”) and SHOULD decline to operate when such a compromise is detected.
Communication between the claimant and verifier (the primary channel in the case of an Out of Band authenticator) SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to man-in-the-middle attacks.
Verifiers operated by government agencies at AAL 1 SHALL be validated to meet the requirements of [FIPS 140] Level 1.
In order to be valid at AAL 1, authentication assertions SHALL meet the requirements defined in SP 800-63C. Bearer assertions MAY be used.
At AAL 1, reauthentication of the subscriber SHOULD be repeated at least once per 30 days, regardless of user activity.
The CSP SHOULD employ appropriately tailored security controls from the low baseline of security controls defined in [SP 800-53] or equivalent industry standard and SHOULD ensure that the minimum assurance requirements associated with the low baseline are satisfied.
The CSP SHALL comply with its respective records retention policies in accordance with applicable laws and regulations. If the CSP opts to retain records in the absence of any legal requirements, the CSP SHALL conduct a privacy risk assessment to determine how long any records should be retained.
AAL 2 provides high confidence that the claimant controls the authenticator registered to a subscriber. Two different authentication factors are required. Approved cryptographic techniques are required at AAL 2 and above.
At AAL 2, authentication requires either (a) a multi-factor authenticator or (b) a combination of two single-factor authenticators. Authenticator requirements are specified in Section 5.
When a multi-factor authenticator is used, any of the following may be used:
When a combination of two single-factor authenticators is used, it SHALL include a Memorized Secret authenticator and one possession-based (“something you have”) authenticator from the following list:
Note: The requirement for a memorized secret authenticator above derives from the need for two different types of authentication factors to be used. All biometric authenticators compliant with this specification are multi-factor, so something you know (a memorized secret) is the remaining possibility.
Cryptographic authenticators used at AAL 2 SHALL use approved cryptography. Authenticators procured by government agencies SHALL be validated to meet the requirements of [FIPS 140] Level 1. Software-based authenticators that operate within the context of a general purpose operating system MAY, where practical, attempt to detect compromise of the platform in which they are running (e.g., by malware or “jailbreak”) and SHOULD decline to operate when such a compromise is detected.
Communication between the claimant and verifier (the primary channel in the case of an Out of Band authenticator) SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to man-in-the-middle attacks.
Verifiers operated by government agencies at AAL 2 SHALL be validated to meet the requirements of [FIPS 140] Level 1.
In order to be valid at AAL 2, authentication assertions SHALL meet the requirements defined in SP 800-63C. Bearer assertions MAY be used.
At AAL 2, authentication of the subscriber SHALL be repeated at least once per 12 hours, regardless of user activity. Reauthentication of the subscriber SHALL be repeated following no more than 30 minutes of user inactivity. The CSP MAY prompt the user to cause activity just before the inactivity timeout, if desired. Reauthentication MAY use a single authentication factor.
The CSP SHOULD employ appropriately tailored security controls from the moderate baseline of security controls defined in [SP 800-53] or equivalent industry standard and SHOULD ensure that the minimum assurance requirements associated with the moderate baseline are satisfied.
CSPs SHALL comply with their respective records retention policies in accordance with whatever laws and/or regulations apply to those entities. If the CSP opts to retain records in the absence of any legal requirements, the CSP SHALL conduct a privacy risk assessment to determine how long any records should be retained.
AAL 3 provides very high confidence that the claimant controls the authenticator registered to a subscriber. Authentication at AAL 3 is based on proof of possession of a key through a cryptographic protocol. AAL 3 is similar to AAL 2 except that a “hard” cryptographic authenticator that also provides verifier impersonation resistance is required.
Authenticator Assurance Level 3 requires the use of one of three kinds of hardware devices:
All cryptographic device authenticators used at AAL 3 SHALL be verifier impersonation resistant as described in Section 5.2.5.
Communication between the claimant and verifier SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to man-in-the-middle attacks. At least one authenticator used in each AAL 3 authentication SHALL be verifier impersonation resistant as described in Section 5.2.5.
Multi-factor authenticators used at AAL 3 SHALL be hardware cryptographic modules validated at [FIPS 140] Level 2 or higher overall with at least [FIPS 140] Level 3 physical security. Single-factor cryptographic devices used at AAL 3 SHALL be validated at [FIPS 140] Level 1 or higher overall with at least [FIPS 140] Level 3 physical security.
Verifiers at AAL 3 SHALL be validated at [FIPS 140] Level 1 or higher.
In order to be valid at AAL 3, authentication assertions SHALL meet the requirements of proof-of-possession assertions as defined in SP 800-63C.
At AAL 3, authentication of the subscriber SHALL be repeated at least once per 12 hours, regardless of user activity. Reauthentication of the subscriber SHALL be repeated following a period of no more than 15 minutes of user inactivity. Reauthentication SHALL use both authentication factors. The verifier MAY prompt the user to cause activity just before the inactivity timeout.
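As an added illustration, not part of SP 800-63B, the reauthentication clauses for AAL 1, AAL 2 and AAL 3 above can be expressed as a single session policy check. The enum, the policy table and both functions are constructed here; timestamps are assumed to be timezone-aware UTC `datetime` values recorded by the verifier.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class Reauth(Enum):
    NOT_REQUIRED = "session still valid"
    SINGLE_FACTOR_OK = "reauthenticate; a single factor is acceptable"
    ALL_FACTORS = "reauthenticate using both authentication factors"


# Constructed policy table transcribed from the reauthentication clauses of this section:
# (maximum session age regardless of activity, maximum inactivity, single-factor reauth allowed).
# AAL 1 sets no inactivity limit, and its 30-day figure is a SHOULD rather than a SHALL.
REAUTH_POLICY = {
    1: (timedelta(days=30), None, True),
    2: (timedelta(hours=12), timedelta(minutes=30), True),
    3: (timedelta(hours=12), timedelta(minutes=15), False),
}


def reauth_decision(aal: int, authenticated_at: datetime,
                    last_activity_at: datetime, now: datetime) -> Reauth:
    """Decide whether a subscriber session must be reauthenticated, and with how many factors."""
    if aal not in REAUTH_POLICY:
        raise ValueError(f"unknown AAL {aal}")
    if not (authenticated_at <= last_activity_at <= now):
        raise ValueError("expected authenticated_at <= last_activity_at <= now")
    max_age, max_idle, single_factor_ok = REAUTH_POLICY[aal]
    # Fail closed: exceeding either the absolute age or the inactivity limit forces reauthentication.
    expired = (now - authenticated_at) > max_age
    idle = max_idle is not None and (now - last_activity_at) > max_idle
    if not (expired or idle):
        return Reauth.NOT_REQUIRED
    return Reauth.SINGLE_FACTOR_OK if single_factor_ok else Reauth.ALL_FACTORS


def seconds_until_reauth(aal: int, authenticated_at: datetime,
                         last_activity_at: datetime, now: datetime) -> float:
    """Seconds of validity left if no further activity occurs (0.0 once reauthentication is due).
    A verifier can use this to prompt the user shortly before the inactivity timeout, as the
    section permits, instead of silently dropping the session."""
    max_age, max_idle, _ = REAUTH_POLICY[aal]
    deadlines = [authenticated_at + max_age]
    if max_idle is not None:
        deadlines.append(last_activity_at + max_idle)
    return max(0.0, (min(deadlines) - now).total_seconds())
```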
The CSP SHOULD employ appropriately tailored security controls from the high baseline of security controls defined in [SP 800-53] or an equivalent industry standard and SHOULD ensure that the minimum assurance requirements associated with the high baseline are satisfied.
The CSP SHALL comply with their respective records retention policies in accordance with whatever laws and/or regulations apply to those entities. If the CSP opts to retain records in the absence of any legal requirements, the CSP SHALL conduct a privacy risk assessment to determine how long any records should be retained.
The CSP SHOULD employ appropriately tailored privacy controls defined in [SP 800-53] or equivalent industry standard.
CSPs SHALL NOT use or disclose information about authenticators for any purpose other than conducting authentication or to comply with law or legal process, unless the CSP provides clear notice and obtains consent from the subscriber for additional uses. CSPs MAY NOT make consent a condition of the service. Care SHALL be taken to ensure that use of such information is limited to its original purpose for collection. If the use of such information does not fall within uses related to authentication or to comply with law or legal process, the CSP SHALL provide notice and obtain consent from the subscriber. This notice SHOULD follow the same principles as described in Notice and Consent in SP 800-63A Section 8.2 and SHOULD NOT be rolled up into a legalistic privacy policy or general terms and conditions. Rather, if there are uses outside the bounds of these explicit purposes, the subscriber SHOULD be provided with a meaningful way to understand the purpose for additional uses, and the opportunity to accept or decline.
Regardless of whether the CSP is an agency or private sector provider, the following requirements apply to the agency offering or using the authentication service:
(Non-normative; refer to preceding sections for normative requirements)
Table 4-3 summarizes the requirements for each of the authenticator assurance levels:
Table 4-3. AAL Summary of Requirements
Requirement | AAL 1 | AAL 2 | AAL 3 |
---|---|---|---|
Permitted authenticator types | Memorized Secret; Look-up Secret; Out of Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF Crypto Device | MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus one of: Look-up Secret, Out of Band, SF OTP Device, SF Crypto Software, SF Crypto Device | MF Crypto Device; or SF Crypto Device plus Memorized Secret |
FIPS 140 verification | Level 1 (government agency verifiers) | Level 1 (government agency authenticators and verifiers) | Level 2 overall (MF authenticators); Level 1 overall (verifiers and SF Crypto Devices); Level 3 physical security (all authenticators) |
Assertions | Bearer or proof of possession | Bearer or proof of possession | Proof of possession only |
Reauthentication | 30 days | 12 hours or 30 minutes inactivity; may use one authentication factor | 12 hours or 15 minutes inactivity; shall use both authentication factors |
Security controls | [SP 800-53] Low Baseline (or equivalent) | [SP 800-53] Moderate Baseline (or equivalent) | [SP 800-53] High Baseline (or equivalent) |
MITM resistance | Required | Required | Required |
Verifier impersonation resistance | Not required | Not required | Required |
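As a second added example (constructed here, not taken from SP 800-63B), the "Permitted authenticator types" row of Table 4-3 and the AAL 2 rule that a two-authenticator combination must pair a Memorized Secret with a possession-based authenticator are written as a function that reports the highest AAL a given combination of authenticator types can satisfy on its own. The enum names are assumptions; the FIPS 140, assertion and verifier impersonation resistance rows still have to be checked separately.

```python
from enum import Enum


class Authenticator(Enum):
    """Authenticator types named in Table 4-3 (SF = single-factor, MF = multi-factor)."""
    MEMORIZED_SECRET = "Memorized Secret"
    LOOKUP_SECRET = "Look-up Secret"
    OUT_OF_BAND = "Out of Band"
    SF_OTP_DEVICE = "SF OTP Device"
    MF_OTP_DEVICE = "MF OTP Device"
    SF_CRYPTO_SOFTWARE = "SF Crypto Software"
    SF_CRYPTO_DEVICE = "SF Crypto Device"
    MF_CRYPTO_SOFTWARE = "MF Crypto Software"
    MF_CRYPTO_DEVICE = "MF Crypto Device"


A = Authenticator
# Multi-factor authenticators already combine two factors and satisfy AAL 2 on their own.
MULTI_FACTOR = {A.MF_OTP_DEVICE, A.MF_CRYPTO_SOFTWARE, A.MF_CRYPTO_DEVICE}
# Possession-based single-factor authenticators that may be paired with a Memorized Secret at AAL 2.
AAL2_POSSESSION = {A.LOOKUP_SECRET, A.OUT_OF_BAND, A.SF_OTP_DEVICE,
                   A.SF_CRYPTO_SOFTWARE, A.SF_CRYPTO_DEVICE}


def highest_aal(used: set) -> int:
    """Highest AAL whose permitted-type row the set of authenticators satisfies; 0 for an empty set."""
    if not used:
        return 0
    has_secret = A.MEMORIZED_SECRET in used
    # AAL 3: a multi-factor cryptographic device, or a single-factor cryptographic device plus a secret.
    if A.MF_CRYPTO_DEVICE in used or (A.SF_CRYPTO_DEVICE in used and has_secret):
        return 3
    # AAL 2: any multi-factor authenticator, or a secret plus a possession-based authenticator.
    # Two possession-based authenticators alone do not qualify: the two factors must differ in kind.
    if used & MULTI_FACTOR or (has_secret and used & AAL2_POSSESSION):
        return 2
    return 1  # every type in Table 4-3 is permitted at AAL 1
```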