TraitWare NIST 800-63-3 Compliance

September 2021

This document identifies the assurance levels that the various components of the TraitWare Authentication Platform adhere to as defined in NIST 800-63-3/A/B/C.

SP 800-63A Enrollment and Identity Proofing

TraitWare can be used with IAL1, IAL2, and IAL3. The choice of which IAL (Identity Assurance Level) to use is determined by the business rules of the service provider using the services of TraitWare. TraitWare does not perform the proofing process but does provide tools to help enroll an applicant.

Below we provide suggested best practices to bind a proofed applicant (now a subscriber) to an authenticator:

These practices assume the subscriber has been on-boarded into the TraitWare Authentication Server (TAS) and that the subscriber has been proofed at the desired IAL of the service provider. Activation codes used to bind the identity of a subscriber to an authenticator are created when a subscriber is on-boarded into the TAS. Thus, the activation codes represent the proofed identity of a subscriber and should be carefully handled to reflect the needs and risk assessment of the chosen IAL.

IAL1 – An activation code is sent to a subscriber by email. The subscriber should scan the emailed activation code (QR) with their authenticator (TraitWare App) or enter the numerical activation code into the app.

IAL2 – An activation code is sent to a subscriber by email. The subscriber should scan the emailed activation code (QR) with their authenticator (TraitWare App) or enter the numerical activation code into the app.

IAL3 – An activation code is presented to a subscriber that has been physically verified. The subscriber should scan the presented activation code (QR) with their authenticator (TraitWare App) or enter a provided numerical activation code in the presence of the verifier. Additionally, the verifier should verify that the mobile device used as an authenticator belongs to the subscriber. If email is used to send an activation code, an administrator MAY verify that the intended subscriber received the activation code by email and activated the intended authenticator. This type of verification MAY be performed in person or by the established remote-proofing guidelines. Note: 800-63B 6.1.1 states that, ‘If enrollment and binding cannot be completed in a single physical encounter or electronic transaction (i.e., within a single protected session), the following methods SHALL be used to ensure that the same party acts as the applicant throughout the processes…the applicant SHALL identify themselves in each new binding transaction by presenting a temporary secret which was either established during a prior transaction, or sent to the applicant’s phone number, email address, or postal address of record.’[1] Thus, it appears it is not a requirement that the binding is performed in person or in a remote session, as long as the email address was established during the proofing process and the required secret is temporary.

Activation codes are valid for 24 hours once provided to a subscriber via email. Although binding-transaction secrets (activation codes) do not have a mandated expiration, TraitWare has chosen to follow the enrollment activation code guidelines provided in 800-63A.[2]

Each business should evaluate the risk impact any security breach may produce. FIPS 199 should be used as guidance to assess that risk.[3] IAL1 is required for areas risk-assessed as low impact. IAL2 is required for areas risk-assessed as moderate impact. IAL3 is required for areas risk-assessed as high impact.

SP 800-63B Authentication and Lifecycle Management

TraitWare is a Multi-factor Cryptographic Software Authenticator and offers AAL2.

For context, AAL3 authenticators are either pure hardware authenticators or include software that is under the complete control of the issuer. By definition, mobile devices (iPhone or Android) are not able to meet AAL3 because their manufacturers control the embedded OS.

TraitWare meets and often exceeds the AAL2 requirements in its software authenticator, and adheres to the AAL3 requirements where possible.

The AAL2 requirements TraitWare meets or exceeds:

  • Proof of possession of a key through a cryptographic protocol (secp256r1). TraitWare signs a rotating nonce during authentication attempts. This cryptographic protocol meets FIPS 140-2 Level 1.[4] The keys are stored in the Secure Enclave on iOS and in the KeyStore on Android devices.
  • Two distinct authentication factors
    • Cryptographic token (always used as a first factor)
    • Biometric Factor – the minimum required FMR is 1 in 1000
      • Fingerprint – FMR 1 in 50,000
      • Face – FMR 1 in 1 million for FaceID
    • PhotoAuth Sequence (5 out of 24 images)
      • Selecting 5 of 24 images provides higher mathematical complexity (entropy) than the NIST-required minimum secret for AAL2, which must be at least 6 digits long drawn from 10 possible digits. The PhotoAuth complexity exceeds that of a NIST minimum 6-digit PIN by roughly a factor of 10.
  • Verifier Impersonation (MiTM) Resistance (TLS with certificate pinning)
  • Communication via an authenticated protected channel (TLS)
  • Rate-limiting for failed login attempts (3 failed attempts locks the account)
  • Authenticator sessions end when exiting the app or after a period of inactivity lasting 5 minutes, whichever occurs first
  • Replay Resistance (use of a rotating nonce)
  • Authentication Intent (use of fingerprint or entering PhotoAuth sequence, a user action to scan QR or accept login attempt request)
  • Revocation – The authenticator can be immediately revoked or suspended if an administrator is notified of a compromise
  • Randomize option for PhotoAuth® to prevent shoulder surfing.
  • Records Retention Policy.
  • Privacy Controls per NIST 800-53.
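The proof-of-possession and replay-resistance items in the list above (signing a rotating nonce with a secp256r1/P-256 key) can be illustrated from the verifier's side. The Go code below is an added example, not TraitWare's implementation; it assumes an in-memory key in place of the Secure Enclave or Keystore and a 32-byte random nonce, and shows that a nonce is accepted once and rejected on replay.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewEnrollmentKey makes the P-256 key pair bound to the authenticator at enrollment
// (in memory here; on a real device it stays in the Secure Enclave or Keystore).
func NewEnrollmentKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Verifier holds the enrolled public key and the nonces issued but not yet consumed.
type Verifier struct {
	pub    *ecdsa.PublicKey
	issued map[string]bool
}
func NewVerifier(pub *ecdsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, issued: map[string]bool{}}
}
// Challenge issues a fresh 32-byte random nonce and records it as outstanding.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	v.issued[string(n)] = true
	return n, nil
}
// SignNonce is the authenticator side: sign SHA-256(nonce) with the private key.
func SignNonce(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// Verify accepts a response only if the nonce is outstanding and the signature checks
// under the enrolled key; the nonce is consumed first, so a replayed pair is rejected.
func (v *Verifier) Verify(nonce, sig []byte) error {
	if !v.issued[string(nonce)] {
		return errors.New("nonce unknown or already used")
	}
	delete(v.issued, string(nonce))
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(v.pub, h[:], sig) {
		return errors.New("signature does not verify under enrolled key")
	}
	return nil
}
```

A production verifier would also expire outstanding nonces after a short window and bind the nonce to the session or relying party, neither of which is shown here.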
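The PhotoAuth comparison in the list above (5 of 24 images against a 6-digit PIN) and the 3-attempt lockout can be checked with a few lines of arithmetic. The Go program below is an added example, not TraitWare code; since the page does not state whether image order matters or an image may repeat, it computes the keyspace under all three counting rules, the bits of entropy, the ratio to the 10^6 PIN space, and the chance an online guesser succeeds within the 3 attempts the lockout allows.

```go
package main

import (
	"fmt"
	"math"
)

// Permutations returns n!/(n-k)!: ordered picks of k distinct items from n.
func Permutations(n, k int) int64 {
	p := int64(1)
	for i := 0; i < k; i++ {
		p *= int64(n - i)
	}
	return p
}
// Combinations returns C(n, k): unordered picks of k distinct items from n.
func Combinations(n, k int) int64 { return Permutations(n, k) / Permutations(k, k) }

// WithRepetition returns n^k: ordered picks where an item may be reused.
func WithRepetition(n, k int) int64 {
	p := int64(1)
	for i := 0; i < k; i++ {
		p *= int64(n)
	}
	return p
}

// Bits is the entropy of a uniformly chosen secret from a keyspace of the given size.
func Bits(space int64) float64 { return math.Log2(float64(space)) }

// GuessProbability is the chance an online guesser succeeds within the allowed
// number of attempts against a uniformly random secret from the keyspace.
func GuessProbability(space int64, attempts int) float64 {
	return float64(attempts) / float64(space)
}

func main() {
	pin := WithRepetition(10, 6) // 800-63B minimum memorized secret: 6 digits from 10
	spaces := []struct{ name string; size int64 }{
		{"6-digit PIN", pin},
		{"5 of 24, unordered, no repeats", Combinations(24, 5)},
		{"5 of 24, ordered, no repeats", Permutations(24, 5)},
		{"5 of 24, ordered, repeats allowed", WithRepetition(24, 5)},
	}
	for _, s := range spaces {
		fmt.Printf("%-34s %9d  %4.1f bits  x%.2f vs PIN  P(3 tries)=%.1e\n",
			s.name, s.size, Bits(s.size), float64(s.size)/float64(pin), GuessProbability(s.size, 3))
	}
}
```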

Identity Risk Management

Additionally, per 800-63 4.3.1, ‘…other types of information, such as location data or device identity, may be used by an RP or verifier to evaluate the risk in a claimed identity, but they are not considered authentication factors.’[5]

TraitWare uses device identity (device user traits) as an additional risk factor in approving an authentication. Location data may also be used to restrict the allowed locations for an authentication to take place.

Account Recovery Requirements

Administrators should follow the steps outlined in the previous proofing and enrollment section pursuant to 800-63B. A new activation code will be created to bind the previously proofed identity to a new TraitWare authenticator app.

TraitWare is currently developing separate biometric recovery and email recovery solutions to give subscribers self-recovery options while adhering to IAL2 requirements.

SP 800-63C Federation and Assertions

TraitWare currently supports SAML, OpenID Connect, and Microsoft ADFS for use in federation. This falls under FAL1. FAL1 is generally the highest assurance offered by service providers, such as Microsoft and Google.

Requirements for FAL1:

  • Allows for the subscriber to enable the RP to receive a bearer assertion
  • The assertion is signed by the IdP using approved cryptography.