Understanding AAL and IAL2: Exploring Authentication Assurance Levels and Products Supporting the Standards

Authentication is a critical part of any security system, and applying the right level of assurance is crucial to protecting sensitive data. Authenticator Assurance Level (AAL) and Identity Assurance Level 2 (IAL2) are levels defined in NIST Special Publication 800-63-3 that give organizations a common yardstick for the strength of their authentication and identity-proofing processes.


The modern business landscape is highly dependent on technology, and as such, it's critical for companies to ensure their data and systems are protected against unauthorized access. With the rise in cyber threats, it has become essential for organizations to implement secure authentication methods. Multi-factor authentication (MFA) is one such method, which provides a higher level of security than traditional username and password authentication. However, not all MFA solutions are created equal, and it can be challenging to determine which solution is best for your organization. One way to measure the strength of an authentication process, MFA included, is the Authenticator Assurance Level (AAL) defined in NIST SP 800-63B. In this article, we'll explore what AAL is, how it works, and why it matters when choosing an MFA solution.

We'll also delve into the different AAL levels, how they differ, and the factors that determine which level is appropriate for your organization. Additionally, we'll explore how AAL fits into the larger context of identity and access management (IAM) and how it can work in tandem with other IAM standards such as Identity Assurance Level 2 (IAL2).

As businesses continue to move towards cloud-based technologies and remote work, the need for stronger security measures is becoming increasingly important. AAL can help organizations achieve this by providing a framework for selecting MFA solutions that meet their security needs. With the right AAL, organizations can be confident that only the person an account was issued to is accessing their data and systems.

In the following sections, we'll explore AAL in greater depth and discuss how it can be used to strengthen the security of your organization's data and systems. We'll also look at some of the products that support AAL and how they can help you implement stronger authentication methods.

Definitions

  1. Authenticator Assurance Level (AAL): A category from NIST SP 800-63B describing the strength of an authentication process, that is, how much confidence the verifier has that the person presenting the authenticator is the subscriber it was bound to. AAL1 accepts single-factor authentication, AAL2 requires two distinct factors, and AAL3 additionally requires a hardware-based cryptographic authenticator and resistance to verifier impersonation (phishing). The level is a property of the whole authentication event, not of a single MFA product.
  2. Identity Assurance Level 2 (IAL2): The second of three identity-proofing levels in NIST SP 800-63A. At IAL2 the applicant must present identity evidence (for example a driver's license or passport) that is validated against the issuing or another authoritative source, and the applicant's binding to that evidence must be verified, either in person or remotely (for example by comparing a live capture of the applicant to the photograph on the evidence). IAL2 says nothing about how the account is authenticated afterwards; that is what AAL covers.
  3. Multi-Factor Authentication (MFA): A security process that requires users to provide two or more authentication factors to gain access to an application or system. Authentication factors can include something the user knows (e.g., a password), something the user has (e.g., a mobile device), or something the user is (e.g., biometric data).
  4. Identity and Access Management (IAM): A framework of policies and technologies that ensure the proper people have access to the appropriate resources and data within an organization. IAM involves verifying the identity of users who access applications and resources and controlling their access based on their permissions.
  5. Authentication: The process of verifying the identity of an individual or device. Authentication factors can include something the user knows (e.g., a password), something the user has (e.g., a mobile device), or something the user is (e.g., biometric data).
  6. Identity Proofing: The process of establishing, before an account is created, that an applicant is a real person and is who they claim to be. In NIST SP 800-63A it consists of resolving the applicant to a single identity, validating the identity evidence presented (for example checking a driver's license against the issuing source), and verifying that the applicant is the person the evidence describes (for example by matching a live image to the document photograph).
  7. Replay-Resistant Authentication: An authentication mechanism that protects against replay attacks, which involve intercepting and reusing a valid authentication request to gain access to a system or application. Replay-resistant authentication mechanisms use methods such as timestamps or one-time codes to prevent these types of attacks.

Relationships

AAL and IAL2 are both components of a strong identity and access management strategy, but they measure different things. IAL describes how thoroughly a person's identity was proofed when the account was enrolled; AAL describes how strongly that person is authenticated on each later login. The two are defined in separate volumes of NIST SP 800-63-3 (SP 800-63A for IAL, SP 800-63B for AAL) and are selected separately.

The link between them is the authenticator binding. At the end of IAL2 proofing, the credential service provider binds one or more authenticators to the proofed identity, and every later session relies on those authenticators, so their AAL determines how much the proofing is actually worth. A carefully proofed IAL2 identity that is then protected by a password alone (AAL1) can be taken over by anyone who phishes the password, and the proofing does nothing to stop it.

Contrary to a common misreading, IAL2 does not require "two identity factors" and is not satisfied by turning on MFA. The proofing evidence (documents, authoritative-source checks, matching the applicant to the evidence) is collected once at enrollment; the authentication factors are what the user presents at each login. An MFA product therefore contributes to AAL, not to IAL.

NIST SP 800-63-3 directs agencies to choose IAL and AAL through separate risk assessments, and it sets AAL2 as the floor whenever personal information is made available to the user online, which is the normal situation for an account that was proofed at IAL2. Risk-based (adaptive) authentication can step a session up to a higher AAL for sensitive transactions, but the AAL claimed for a session is the level actually reached by the authenticators used, not the level the policy aspires to.

Implementing these levels helps organizations meet regulatory and contractual requirements and protect against account takeover and identity fraud, because each level maps to a concrete, testable set of controls rather than to a marketing label.

Current Products and Solutions

A variety of products and solutions can be used to build an AAL2, and in some cases AAL3, authentication process. None of the platforms below performs identity proofing by itself, so "IAL2 support" here means that the platform can hold an account whose identity was proofed at IAL2 by the organization or by a separate credential service provider and bind it to the chosen authenticators. Here are a few examples:

  1. Okta: Okta is a cloud-based identity management platform. Okta offers a range of MFA options, including SMS-based one-time passwords, push notifications, FIDO2/WebAuthn security keys, and platform biometrics such as facial recognition and fingerprint unlock. Note that SP 800-63B classifies one-time codes sent over SMS or voice as a restricted authenticator: they still count toward AAL2, but they require a risk assessment and a notice to the user, and they are not phishing resistant.
  2. Keycloak: Keycloak is an open-source identity and access management server. Keycloak offers a variety of authentication options, including TOTP, WebAuthn (FIDO2 and the older FIDO U2F) for both second-factor and passwordless login, and conditional authentication flows, as well as support for identity federation and social login.
  3. Microsoft Azure Active Directory (now Microsoft Entra ID): Microsoft's cloud-based identity platform offers a range of MFA options, including text messages, phone calls, Microsoft Authenticator app notifications, and FIDO2 security keys. Azure AD also offers risk-based authentication and Conditional Access policies. The restricted-authenticator caveat above applies to its SMS and voice options.
  4. Duo Security: Duo Security is a cloud-based MFA solution offering push notifications, one-time passcodes, WebAuthn security keys, and platform biometrics such as fingerprint or face unlock. Duo also offers risk-based authentication and policy-driven access controls.
| Product | MFA options | AAL reached with the listed options | IAL2 |
|---|---|---|---|
| Okta | Push notification, platform biometrics, FIDO2/WebAuthn keys, SMS OTP (restricted) | AAL2 | Binds to an identity proofed at IAL2 elsewhere |
| Keycloak | TOTP, WebAuthn (FIDO2 / FIDO U2F), platform biometrics | AAL2 | Binds to an identity proofed at IAL2 elsewhere |
| Azure AD | Authenticator app notifications, FIDO2 keys, SMS and voice (restricted) | AAL2 | Binds to an identity proofed at IAL2 elsewhere |
| Duo Security | Push notifications, WebAuthn keys, platform biometrics | AAL2 | Binds to an identity proofed at IAL2 elsewhere |

Note: AAL2 in NIST SP 800-63B requires proof of possession and control of two distinct authentication factors (for example a memorized secret plus a one-time-password device, or a single multi-factor authenticator such as a PIN-protected cryptographic device), together with replay resistance and approved cryptography; a biometric on its own is never a factor, it may only unlock a physical authenticator. AAL3 adds a hardware-based cryptographic authenticator and verifier impersonation (phishing) resistance, covered in the next section. IAL2 in NIST SP 800-63A is identity proofing that validates identity evidence (such as a government-issued photo ID) against authoritative sources and verifies that the applicant is the person the evidence describes.

AAL3 Support in Current Products

To support AAL3, a product must provide an authentication process that meets NIST SP 800-63B section 4.3. AAL3 requires proof of possession of a key through a hardware-based cryptographic authenticator, plus an authenticator that provides verifier impersonation resistance; the two may be the same device, for example a FIDO2/WebAuthn security key. Biometrics cannot serve as a factor on their own at any AAL; at AAL3 a biometric may only unlock a physical authenticator that holds the key.

Concretely, the permitted combinations at AAL3 are: a multi-factor cryptographic device on its own; a single-factor cryptographic device plus a memorized secret; a multi-factor OTP device plus a single-factor cryptographic device; a hardware multi-factor OTP device plus single-factor cryptographic software; or a hardware single-factor OTP device plus multi-factor cryptographic software. The authenticators must be validated at FIPS 140 Level 2 overall with Level 3 physical security, and the verifier at FIPS 140 Level 1. The process must also be replay resistant and verifier compromise resistant, and the session must be reauthenticated with both factors at least every 12 hours and after 15 minutes of inactivity.

For example, Okta, Keycloak, Azure AD, and Duo Security would each need to accept a FIPS-validated hardware authenticator over a phishing-resistant protocol (in practice FIDO2/WebAuthn or PIV smart cards) and enforce these session rules. An SMS code or a push notification on a phone does not satisfy AAL3 regardless of what else is configured, because out-of-band authenticators are not on the AAL3 list at all.
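To make the combination rules concrete, here is an added example (written for this article, not code from NIST or from any of the products above) that encodes the permitted authenticator combinations for AAL1, AAL2 and AAL3 from NIST SP 800-63B and the reauthentication limits for each level, and applies them to a few constructed scenarios. It serves both the AAL2 note above and the AAL3 requirements just described. The scenario names and the `hardware` and `pstn` flags on the `Authenticator` type are my own modelling choices; the functions check combinations only and say nothing about FIPS validation or phishing resistance, which must be confirmed separately before claiming AAL3.

```python
"""Which Authenticator Assurance Level does a set of authenticators reach?

Added example for this article (not code from NIST, Okta, Keycloak, Azure AD
or Duo). It encodes the permitted authenticator combinations of NIST
SP 800-63B sections 4.1.1, 4.2.1 and 4.3.1 and the reauthentication limits
of sections 4.1.3, 4.2.3 and 4.3.3. It checks combinations only: FIPS 140
validation, verifier impersonation resistance and approved cryptography are
separate requirements the caller must confirm before claiming AAL3.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Kind(Enum):
    """Authenticator types of SP 800-63B section 5.1."""
    MEMORIZED_SECRET = "memorized secret"
    LOOKUP_SECRET = "look-up secret"
    OUT_OF_BAND = "out-of-band device"
    SF_OTP = "single-factor OTP device"
    MF_OTP = "multi-factor OTP device"
    SF_CRYPTO_SOFTWARE = "single-factor cryptographic software"
    SF_CRYPTO_DEVICE = "single-factor cryptographic device"
    MF_CRYPTO_SOFTWARE = "multi-factor cryptographic software"
    MF_CRYPTO_DEVICE = "multi-factor cryptographic device"


@dataclass(frozen=True)
class Authenticator:
    kind: Kind
    hardware: bool = False  # physical token; AAL3 accepts some OTP devices only as hardware (modelling flag)
    pstn: bool = False      # out-of-band code sent by SMS or voice: "restricted" in 63B 5.1.3.3 (modelling flag)


# One authenticator that already proves two factors, e.g. a PIN-unlocked device.
MULTI_FACTOR = {Kind.MF_OTP, Kind.MF_CRYPTO_SOFTWARE, Kind.MF_CRYPTO_DEVICE}
# Possession factors that reach AAL2 when combined with a memorized secret.
AAL2_SECOND_FACTORS = {Kind.LOOKUP_SECRET, Kind.OUT_OF_BAND, Kind.SF_OTP,
                       Kind.SF_CRYPTO_SOFTWARE, Kind.SF_CRYPTO_DEVICE}


def meets_aal3(auths: Iterable[Authenticator]) -> bool:
    """Permitted AAL3 combinations (63B 4.3.1), before FIPS / phishing-resistance checks."""
    auths = list(auths)
    kinds = {a.kind for a in auths}
    hw_otp = {a.kind for a in auths if a.hardware and a.kind in (Kind.SF_OTP, Kind.MF_OTP)}
    return (
        Kind.MF_CRYPTO_DEVICE in kinds
        or (Kind.SF_CRYPTO_DEVICE in kinds and Kind.MEMORIZED_SECRET in kinds)
        or (Kind.MF_OTP in kinds and Kind.SF_CRYPTO_DEVICE in kinds)
        or (Kind.MF_OTP in hw_otp and Kind.SF_CRYPTO_SOFTWARE in kinds)
        or (Kind.SF_OTP in hw_otp and Kind.MF_CRYPTO_SOFTWARE in kinds)
    )


def meets_aal2(auths: Iterable[Authenticator]) -> bool:
    """Permitted AAL2 combinations (63B 4.2.1): one multi-factor authenticator, or a
    memorized secret plus one possession-based authenticator. Two possession
    factors without a memorized secret do not count."""
    kinds = {a.kind for a in auths}
    if kinds & MULTI_FACTOR:
        return True
    return Kind.MEMORIZED_SECRET in kinds and bool(kinds & AAL2_SECOND_FACTORS)


def achieved_aal(auths: Iterable[Authenticator]) -> int:
    """Highest AAL whose combination rule the authenticators satisfy; 0 for none."""
    auths = list(auths)
    if not auths:
        return 0
    if meets_aal3(auths):
        return 3
    if meets_aal2(auths):
        return 2
    return 1  # any single permitted authenticator type reaches AAL1 (63B 4.1.1)


def restricted_authenticators(auths: Iterable[Authenticator]) -> List[Authenticator]:
    """Authenticators 63B 5.1.3.3 flags as restricted: PSTN out-of-band (SMS / voice)."""
    return [a for a in auths if a.kind is Kind.OUT_OF_BAND and a.pstn]


# Reauthentication limits in minutes: (maximum session length, inactivity timeout).
REAUTH_MINUTES = {1: (30 * 24 * 60, None), 2: (12 * 60, 30), 3: (12 * 60, 15)}


def reauthentication_policy(aal: int) -> Tuple[int, Optional[int]]:
    return REAUTH_MINUTES[aal]


if __name__ == "__main__":
    # Constructed scenarios, not real configurations of any product.
    scenarios = {
        "password only": [Authenticator(Kind.MEMORIZED_SECRET)],
        "password + SMS code": [Authenticator(Kind.MEMORIZED_SECRET),
                                Authenticator(Kind.OUT_OF_BAND, pstn=True)],
        "password + app TOTP": [Authenticator(Kind.MEMORIZED_SECRET), Authenticator(Kind.SF_OTP)],
        "password + FIDO security key": [Authenticator(Kind.MEMORIZED_SECRET),
                                         Authenticator(Kind.SF_CRYPTO_DEVICE, hardware=True)],
        "PIN-protected FIDO2 key alone": [Authenticator(Kind.MF_CRYPTO_DEVICE, hardware=True)],
        "software MF OTP + software cert": [Authenticator(Kind.MF_OTP),
                                            Authenticator(Kind.SF_CRYPTO_SOFTWARE)],
    }
    for name, auths in scenarios.items():
        aal = achieved_aal(auths)
        flag = " (restricted authenticator in use)" if restricted_authenticators(auths) else ""
        print(f"{name:34s} -> AAL{aal}{flag}, reauth {reauthentication_policy(aal)}")
```

The last scenario is the instructive one: a software multi-factor OTP app paired with a software certificate stops at AAL2, while the same pairing with a hardware OTP device satisfies the AAL3 combination rule. Likewise "password + SMS code" reaches AAL2 but is flagged, which is the point at which a risk assessment and user notice are due.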

| Product | Example hardware authenticators usable toward AAL3 |
|---|---|
| Duo Security | YubiKey 5, Nitrokey FIDO2, Feitian MultiPass FIDO2 |
| Okta | YubiKey 5, Thales SafeNet OTP Display Card |
| Keycloak | YubiKey 5, Nitrokey FIDO2, Google Titan Security Key |

Note: These are just a few examples, and other hardware authenticators are supported by these products. Two checks apply before any of them counts toward AAL3. First, the device itself must carry the FIPS 140 validation AAL3 demands; the standard YubiKey 5 line, for instance, is sold separately from the FIPS-validated YubiKey 5 FIPS Series, and the validation status and level of each model should be confirmed against the NIST Cryptographic Module Validation Program listing rather than assumed. Second, an OTP-only device such as the SafeNet OTP Display Card provides no verifier impersonation resistance, so on its own it reaches AAL2; it only contributes to AAL3 in one of the OTP-plus-cryptographic-authenticator combinations listed above.

Using a Phone as an AAL3 Solution

Some newer smartphones have a secure element or secure enclave for storing and processing cryptographic keys, and they can act as a FIDO platform authenticator, so a phone is a candidate hardware-based cryptographic authenticator. Whether it meets AAL3 depends on more than having a secure chip: the authenticator must be FIPS 140 validated at Level 2 overall with Level 3 physical security, the key must be non-exportable, and the protocol it uses must be verifier impersonation resistant.

For example, Google Pixel 3 and later models have a Titan M security chip that provides hardware-based protection for sensitive data, including cryptographic keys. Google lets Android phones act as a FIDO security key for signing in to Google accounts, which gives a phishing-resistant second factor comparable to a dedicated security key. That covers the verifier impersonation resistance part of AAL3; it does not by itself establish the FIPS 140 validation AAL3 also requires, so treat the phone as a phishing-resistant AAL2 authenticator unless the vendor documents the validation.

Similarly, Apple iPhones have had a Secure Enclave since the A7 chip (iPhone 5s), which stores private keys and performs cryptographic operations in isolation from the application processor. Since iOS 16 an iPhone can act as a FIDO platform authenticator through passkeys, synchronized via iCloud Keychain, and can be used as a phishing-resistant factor with services that support WebAuthn. The same caveat applies, with an extra one: a synced passkey is by design copied across the user's devices, which is at odds with the non-exportable key AAL3 expects, so it should be treated as AAL2 unless the service and the vendor document otherwise.

It's worth noting that not all phone models support this capability, and even if a phone does support it, it may not be compatible with every IAM or authentication platform. Users should check with their service provider or IAM platform to confirm whether their phone is accepted, and at which AAL.

Implementing support for AAL3 in a product is a substantial undertaking: it requires FIPS-validated hardware, a phishing-resistant protocol such as FIDO2/WebAuthn or PIV, session and reauthentication handling, and testing that demonstrates each SP 800-63B requirement is met rather than approximated.

Overall, supporting AAL3 is a complex and challenging task for any product or solution, but it delivers the strongest assurance the standard defines, which is what regulators increasingly expect for high-impact systems.
