NIST e-authentication spec out for comment

R. A. Hettinga rah at
Fri Jan 30 17:15:23 EST 2004


NIST e-authentication spec out for comment
By William Jackson,
GCN Staff
The National Institute of Standards and Technology is seeking public
comments on its draft recommendations for electronic authentication.
NIST Special Publication 800-63 follows up guidelines from the Office of
Management and Budget defining four levels of authentication assurance for
federal IT systems.
The levels indicate increasingly serious risks of authentication errors or
misuse of electronic credentials. Making an online reservation for a
national park campsite, for example, carries less risk than online filing
of financial information.
The guidelines present technical requirements for identity proofing,
tokens, remote authentication and assertion mechanisms at each level of
Level 1 requires no identity proofing and allows a wide range of
authentication technologies and tokens, including a simple personal ID
number. There is no requirement for Federal Information Processing
Standard-approved cryptography.

Level 2 requires some identity proofing and at least a password as a token.
FIPS-approved cryptography is required to thwart eavesdropping or hacker

Level 3 requires a high level of identity proofing and FIPS-approved
cryptography to protect the authentication token as well prevent
eavesdropping or attacks. Tokens can be either software or hardware.

Level 4 provides the highest practical remote network authentication
assurance. It is similar to Level 3 but requires hardware tokens with
cryptographic modules validated at FIPS 140-2 Level 2 or higher. "By
requiring a physical token, which cannot readily be copied and must be
unlocked with a password or biometric, this level ensures good, two-factor
remote authentication," NIST said.

NIST will accept comments on the proposed recommendations until March 15 at
eauth-comments at

© 1996-2004 Post-Newsweek Media, Inc. All Rights Reserved.

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list