Commit fdd2d8c

Update c7-secure-digital-identities.md
1 parent eb52501 commit fdd2d8c

File tree

1 file changed

+1
-3
lines changed

docs/the-top-10/c7-secure-digital-identities.md

+1-3
@@ -13,9 +13,7 @@ The [NIST Special Publication 800-63B: Digital Identity Guidelines (Authenticati
1313

1414
NIST 800-63b describes three levels of authentication assurance called Authentication Assurance Level (AAL):
1515

16-
- **Level 1 : Passwords**: The first level, AAL level 1 is reserved for lower-risk applications that do not contain PII or other private data. At AAL level 1 only single-factor authentication is required, typically through the use of a password (something you know). The security of passwords (or credentials in general) is of utmost importance, this includes both secure storage (using a key-derivation function and such) as well as corresponding processes, e.g. having a secure password-reset flow.
17-
- **Level 2 : Multi-Factor Authentication**: NIST 800-63b AAL level 2 is reserved for higher-risk applications that contain "self-asserted PII or other personal information made available online." At AAL level 2 multi-factor authentication is required including OTP or other forms of multi-factor implementation.
18-
- **Level 3 : Cryptographic Based Authentication**: NIST 800-63b Authentication Assurance Level 3 (AAL3) is required when the impact of compromised systems could lead to personal harm, significant financial loss, harm the public interest or involve civil or criminal violations. AAL3 requires authentication that is "based on proof of possession of a key through a cryptographic protocol." This type of authentication is used to achieve the strongest level of authentication assurance. This is typically done through hardware cryptographic modules. When developing web applications, this will commonly lead to WebAuthn or PassKeys.
16+
#### Level 1 : Passwords: The first level, AAL level 1 is reserved for lower-risk applications that do not contain PII or other private data. At AAL level 1 only single-factor authentication is required, typically through the use of a password (something you know). The security of passwords (or credentials in general) is of utmost importance, this includes both secure storage (using a key-derivation function and such) as well as corresponding processes, e.g. having a secure password-reset flow.
1917

2018
#### Level 2 : Multi-Factor Authentication
2119
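Review bot: new line 16 folds the entire Level 1 description into the `####` heading text, so the heading runs to four sentences while the unchanged `#### Level 2 : Multi-Factor Authentication` at new line 18 is a short title; split it into `#### Level 1 : Passwords` followed by the description (`The first level, AAL level 1 is reserved for lower-risk applications ...`) as a body paragraph, matching the Level 2 form. The removed Level 3 bullet (`Cryptographic Based Authentication`, the only place in this hunk that mentions proof of possession of a key, hardware cryptographic modules and WebAuthn/PassKeys) has no replacement within the hunk; unless a `#### Level 3` section with that text already exists below, the content is lost and the unchanged line 14 (`three levels of authentication assurance`) no longer matches the sections that follow. While the Level 1 text is being moved, `is of utmost importance, this includes` is a comma splice; `importance; this includes` reads correctly.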
