
The NIST 800-63 Electronic Authentication Guidelines provide technical recommendations for remote electronic authentication to Federal IT systems.
The OMB guidance, E-Authentication Guidance for Federal Agencies, [OMB 04-04] defines four levels of authentication, Levels 1 to 4, in terms of the consequences of the authentication errors and misuse of credentials. The NIST 800-63 guidance provides specific technical requirements for each of the four levels of assurance.
| Assurance level | Confidence and token requirements |
|---|---|
| Level 1 | Little or no confidence in the asserted identity’s validity. A single factor token (often a password) is required. |
| Level 2 | Some confidence in the asserted identity’s validity. A single factor token (often a password) is required. |
| Level 3 | High confidence in the asserted identity’s validity. A minimum of two authentication factors is required. Three kinds of tokens may be used: a “soft” cryptographic token (key stored on a general-purpose computer), a “hard” cryptographic token (key stored on a special hardware device), or a “one-time password” device token. |
| Level 4 | Very high confidence in the asserted identity’s validity. A minimum of two authentication factors is required. This level is similar to Level 3 except that only “hard” cryptographic tokens are allowed. This level requires a physical token, which cannot readily be copied, and operator authentication at Level 2 and higher, and ensures good, two-factor remote authentication. |
Depending on the implementation, the PhoneFactor service can meet all of the requirements for Level 3 or 4 Assurance as stated in the NIST Electronic Authentication Guideline (Draft Special Publication 800-63-1).