[Wg-p3] letter (final version)
Susan.Landau at Sun.COM
Mon Sep 7 05:27:11 PDT 2009
On 09/04/09 22:52, Bob Pinheiro wrote:
> Could you perhaps clarify design criteria #2: "Prioritize candidate
> technologies that have the capability to enable citizens access across
> all relevant LoAs."
> If it turns out that open government applications for citizens extend
> across Levels of Assurance 1 - 3, is it being proposed to prioritize
> those authentication technologies that would be appropriate at all 3
> levels? In addition to passwords (which could be used as one
> authentication factor at all 3 levels), a second authentication factor
> at LoA 3 could include one-time password tokens, as well as both
> "soft" and "hard" crypto tokens (X.509 certificates stored on a USB
> token or the user's computer). [Table 7 page 43 of NIST 800-63 Rev1
> shows which technologies combine to provide different assurance levels.]
> What would be the criteria for prioritizing these alternatives?
This is premature to answer here, but clearly usability and simplicity
are part of it. The point being made here is that a candidate
technology that can only be used at one LoA is one that is difficult for
users and therefore will ultimately not be a good security solution.
> Also, the newly formed User Login Experience WG might be able to help
> address problems related to minimizing the complexity of interacting
> with the complete set of citizen-facing applications.
Yes. There may be other criteria as well, but clearly user experience
is an important aspect here. Thanks.