Digital Insanity: Exploring the Flexibility of NIST Digital Identity Assurance Levels

Abstract

NIST Special Publication 800-63-3 presents a new risk management concept on digital identity. It includes various harm categories to determine an appropriate assurance level for identity proofing, authentication, and federation. These three distinct approaches are highlighted to give flexibility in protecting systems. This paper explores if this is a realized flexibility by developing a tool to test assurance level and component flexibility. It also identifies appropriate MFA levels given different levels of risks and makes three recommendations to help improve the adoption of the NIST digital identity guidelines.