It’s obvious that stronger credentials allow for access to more sensitive information. And the Pan-Canadian model emphasizes that the identity-proofing portion of the Registration Processes must be equally strong to ensure that credentials are issued (and subsequently used) by the right person.
The Credential Strength in the model is a combination of the number of factors and the strength of each individual factor. Three factors are described: something you know, something you have and something you are. These are consistent with industry standard definitions.
With respect to multiple factors, the model makes a good point: multi-factor authentication is not always stronger than single-factor. Two weak factors (e.g. PIN and PC geolocation) may not be as useful as a single factor that is very strong (e.g. certain biometrics).
A factor’s strength needs to be assessed based on:
- its fixity to a person: unique factors that can only be attributed to a single individual (think biometrics)
- its distinctiveness: unique attributes that by definition are distinct (think government identifiers)
- its permanence: the degree to which a factor is permanently linked to the individual (think life history ‘secrets’)
Here is a good quote from the strategy: “Selection of the authentication factors to be applied to a credential depends on the level of assurance required for a given transaction.” In other words, if you are protecting an asset and it requires High identity assurance, you almost certainly will need multiple factors to achieve High credential strength.
One last point: the Operational Diligence of the IAM environment comes into play here. The model defines this as the privacy, security, audit, compliance and other processes that ensure the integrity of the overall system. Environments that lack appropriate rigour cannot be used to deliver higher-value services. In other words, if your IT shop has a weak record for availability, or has failed multiple security audits, you may need to improve the operations before implementing IAM above Level 2.
There is a good table on page 110 of the strategy, adapted from the Identity, Authentication & Authorization Working Group (IAAWG) Guidelines, that identifies different types of credentials and their relative strength. This table can be used to support decisions around what type of credential should be used for low, medium and high
- Password or PIN — Low strength.
- User ID and Strong Password — also Low strength. This is because both factors are ‘something you know’ and therefore this combination is still single-factor authentication.
- Strong Password and SMS Text PIN — Medium strength, due to two different factors being used.
- Password and Biometric — High strength, one weak and one (potentially) very strong factor combined provide the overall strength.
- Password, Biometric with PKI Certificate and Hardware Token — Very High strength; it would be hard to dispute the identity of the individual presenting this combination…
I’ve done some similar mapping of authentication schemes and come up with similar results. Putting this sort of table together for your organization is necessary if you are to consistently and accurately determine credential strength for your IdM initiatives.
An important thing to repeat is that the credential strength needs to be consistent with your registration and identity proofing processes. If these are aligned then you can, for example, allow access to an application with a High information security classification using a High strength credential.
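To make the two points above concrete, here is an added worked example (my own code, not the strategy's or the IAAWG's) that encodes the credential table as a rating rule: authenticators in the same factor category collapse into one factor, the rating then depends on how many distinct categories remain and how strong the best of them is, and the assurance actually delivered is capped by the identity-proofing level behind the credential. The category and per-factor strength values assigned to each authenticator are my assumptions, chosen so the rule reproduces the five rows of the table.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: str      # "know", "have" or "are" (something you know/have/are)
    strength: Level  # strength of this individual factor (assumed values)


# Constructed sample authenticators; strengths are assumptions for this example.
PASSWORD = Authenticator("password", "know", Level.LOW)
USER_ID = Authenticator("user id", "know", Level.LOW)
STRONG_PASSWORD = Authenticator("strong password", "know", Level.MEDIUM)
SMS_PIN = Authenticator("sms text pin", "have", Level.LOW)
BIOMETRIC = Authenticator("biometric", "are", Level.HIGH)
PKI_CERT = Authenticator("pki certificate", "have", Level.HIGH)
HW_TOKEN = Authenticator("hardware token", "have", Level.HIGH)


def credential_strength(auths):
    """Rate a credential from the distinct factor categories it spans.
    Same-category authenticators collapse (keeping the strongest), so a
    user ID plus a strong password is still single-factor and still Low."""
    best = {}
    for a in auths:
        best[a.factor] = max(best.get(a.factor, Level.LOW), a.strength)
    if len(best) == 1:
        return Level.LOW
    if len(best) == 3:
        return Level.VERY_HIGH
    # Two distinct categories: High only if one of them is a strong factor
    # (e.g. a biometric), otherwise Medium.
    return Level.HIGH if max(best.values()) >= Level.HIGH else Level.MEDIUM


def effective_assurance(credential, proofing):
    """A credential delivers no more assurance than the identity proofing
    performed at registration: the weaker of the two bounds the result."""
    return min(credential, proofing)


def can_access(required, credential, proofing):
    """True only if the credential and its proofing together meet the
    information security classification of the application."""
    return effective_assurance(credential, proofing) >= required
```

The last two functions express the alignment point: a High strength credential issued after only Medium identity proofing still does not get you into a High classified application.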
Next: Putting it Together.