This is the second post in the “Ten Reasons to Love Passwordless” blog series. Last time, we talked about the flexibility and multi-platform benefits of FIDO2 open standards based technology. The second reason to love passwordless is it brings the highest levels of security to your organization. Passwordless multifactor authentication (MFA) eliminates the need to memorize passwords and as such makes it 99.9% harder to compromise an account. Using built-in crypto keys in your software or hardware from passwordless solutions, you get the security assurance that meets the highest standards. Helping our customers achieve these MFA goals is music to my ears!
Security assurance with NIST (800-63)
Let’s start with the National Institute of Standards and Technology (NIST) which develops the technical requirements for US federal agencies implementing identity solutions. NIST’s 800-63 Digital Identity Guidelines Authentication Assurance Levels (AAL) is a mature framework used by federal agencies, organizations working with federal agencies, healthcare, defense, finance, and other industry associations around the world as a baseline for a more secure identity and access management (IAM) approach. How does passwordless and multifactor authentication align with NIST’s requirement? And how can the required AALs be met?
Before diving into the details, let us align some terminology:
- Authentication – The process of verifying the identity of a subject.
- Authentication factor – Something you know, something you have, or something you are: Every authenticator has one or more authentication factors.
- Authenticator – Something the subject possesses and controls that is used to authenticate the subject’s identity.
Multifactor authentication can be achieved by either a multifactor authenticator or by a combination of multiple single factor authenticators. A multifactor authenticator requires two authentication factors to execute a single authentication transaction.
Multifactor authentication using two single factor authenticators
The illustration below shows how a multifactor authentication can be performed using a memorized secret (something you know) authenticator along with an out of band (something you have) authenticator. The user performs two independent authentication transactions with Azure AD.
Multifactor authentication using a single multifactor authenticator
The illustration below shows how a multifactor authentication is performed using a single multifactor cryptographic authenticator requiring one authentication factor (something you know or something you are) to unlock a second authentication factor (something you have). The user uses a single authentication transaction with Azure AD.
Microsoft Passwordless Authenticators mapped to NIST 800-63 AALs
Microsoft passwordless authenticators allow multifactor authentication using a single authenticator and eliminate the dependency on memorized secret (password) authenticator and the associated password attacks (see Your Pa$$word doesn’t matter).
NIST Authenticator type
Multi-factor cryptographic hardware (with TPM)
Multi-factor cryptographic software (without TPM)
Multi-factor cryptographic hardware (Android)
Multi-factor cryptographic software (iOS)
Multi-factor cryptographic hardware
*FIDO2 Security Key partners such as Feitian, Thales (formerly Gemalto), TrustKey (formerly eWBM), and Yubico, are in the process of certifying their FIDO2 security keys with FIPS 140.
Federal agencies, organizations working with federal agencies and organizations in regulated industries seeking Federal Information Processing Standards 140 (FIPS 140) verification are advised to reference Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Mic… and conduct risk assessment and evaluation before accepting these authenticators as AAL2/3.
Check out the other posts in this series:
Learn more about Microsoft identity:
@Sue Bohn This is a fantastic summary of standards going in to the passwordless solutions to assure the best security possible.
We have seen more factors like
- How you Behave (Behavioural authentication)
- How you sound &
- Who knows you (authentication by reference like social authentication)
Are there any NIST standards for the above methods as well?
We have invented Association-Based-Authentication, which uses PKI and complies with FIPS 140-2 L1.
Can you please share what level FIDO2 Security Key partners should certify with? This will be very valuable for us.
For AAL3 a single factor authenticator it needs to be FIPS140 general 1 phisical 3 Certified. For a multi-factor authenticator it needs to be FIPS140 general 2 phisical 3 Certified.
There are aditional NIST standards for biometric authenticators around FAR and presentation stack resistance on biometric multi-factor authenticators.
Wow! I love that we’re now going passwordless.
In the world of capability theory, we’ve also got terms for this authentication flow. We authenticate to our powerbox, which holds capabilities – that is, credentials unique to and associated with a resource – that we can then use. In this case, an authenticator is a powerbox, and you can get all the secure UI benefits of dealing with capabilities rather than passwords. Really looking forward to using this when dealing with microsoft services.
Great article 🙂 Thanks for spreading the good word about passwordless… maybe one day some people will listen 🙂
Happy Azure Stacking!!!
@AjitHatti, these are great questions.
NIST standards covering biometrics as authentication factors:
NIST includes under biometrics physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence).
Both classes are considered biometric modalities, although they may differ in the extent to which they establish authentication intent as described in NIST SP 800-63B Section 5.2.9.
Due to reasons listed under NIST SP 800-63B Section 5.2.3 the use of biometrics is restricted to be used only as part of a multi-factor authentication with a physical authenticator (something you have) and not accepted as an authenticator by itself.
In addition NIST SP 800-207 Zero Trust Architecture details the role behavioral attributes in dynamic policies for determining access.
FIPS 140-2 validation for FIDO2 security keys:
FIDO2 security keys are classified as multi-factor cryptographic hardware authenticator and as such can be used at AAL3.
To be used at AAL3 the FIDO2 security keys need to be FIPS 140 Level 2 overall (or higher) and FIPS 140 Level 3 Physical Security (or higher)
To be used at AAL2 by government agencies FIDO2 security keys are required to be FIPS 140 Level 1 overall. This is not a requirement for non-governmental agencies.
© Microsoft. This article was originally published by Microsoft Azure Active Directory Identity Blog. You can find the original article here.