Guidelines for Digital Identity Verification


Misuse of identity, especially through stolen passwords, is a primary source of cyber breaches. Enabling stronger processes to recognize a user's identity is a key component of securing an organization's information systems. Homeland Security Presidential Directive-12 (HSPD-12) mandated deployment of a common identity credential in 2004, which resulted in Personal Identity Verification (PIV) Cards and their supporting infrastructure. The goal was to eliminate the wide variations in the quality and security of authentication mechanisms used across federal agencies, as described in Chapter 1. Chapter 2 provides requirements for the enrollment and identity proofing of applicants who wish to gain access to resources at each Identity Assurance Level (IAL). The requirements detail the acceptability, validation, and verification of the identity evidence that a subscriber presents to support their claim of identity.

Author(s): Damon Solis
Series: Privacy and Identity Protection
Publisher: Nova Science Publishers
Year: 2023

Language: English
Pages: 250
City: New York

Contents
Preface
Chapter 1
Derived Personal Identity Verification (PIV) Credentials
Volume A: Executive Summary
Executive Summary
Challenge
Solution
Benefits
Volume B: Approach, Architecture, and Security Characteristics
Abstract
1. Summary
1.1. Challenge
1.2. Solution
1.3. Benefits
2. How to Use This Guide
3. Approach
3.1. Audience
3.2. Scope
3.3. Relationship to NIST SP 800-63-3
3.4. Assumptions
3.4.1. Modularity
3.4.2. Security
3.4.3. Existing Infrastructure
3.4.4. Architecture Components
3.4.4.1. Credential Management System
3.4.4.2. Public Key Infrastructure
3.4.4.3. Enterprise Mobility Management
3.4.4.4. Mobile Device
3.4.4.5. Authenticator
3.5. Risk Assessment
3.5.1. Threats
3.5.1.1. Other Threats
3.5.2. Vulnerabilities
3.5.2.1. Mobile Device Vulnerabilities
3.5.2.2. Network Vulnerabilities
3.5.3. Risk
3.5.4. Security Control Map
3.6. Technologies
3.6.1. Entrust Datacard
3.6.2. Intel Authenticate
3.6.3. Intercede
3.6.4. MobileIron
3.6.5. Verizon Shared Service Provider
3.6.6. Mobile End Points
3.6.7. Technology Mapping
4. Architecture
4.1. Architecture Description
4.2. Managed Architecture with EMM Integration
4.3. Hybrid Architecture for PIV and DPC Life-Cycle Management
5. Security Characteristic Analysis
5.1. Assumptions and Limitations
5.2. Build Testing
5.2.1. Managed Architecture Build Testing
5.2.1.1. Initial Issuance
5.2.1.2. Maintenance
5.2.1.3. Termination
5.2.1.4. Derived PIV Authentication Certificate Management
5.2.2. Hybrid Architecture Build Testing
5.2.2.1. Initial Issuance
5.2.2.2. Maintenance
5.2.2.3. Termination
5.2.2.4. Derived PIV Authentication Certificate Management
5.3. Scenarios and Findings
5.3.1. PR.AC-1: Identities and Credentials Are Issued, Managed, Verified, Revoked, and Audited for Authorized Devices, Users, and Processes
5.3.2. PR.AC-3: Remote Access Is Managed
5.3.3. PR.AC-6: Identities Are Proofed and Bound to Credentials and Asserted in Interactions
5.3.4. PR.AC-7: Users, Devices, and Other Assets Are Authenticated (e.g., Single-Factor, Multifactor) Commensurate with the Risk of the Transaction (e.g., Individuals’ Security and Privacy Risks and Other Organizational Risks)
5.3.5. PR.DS-2: Data in Transit Is Protected
5.3.6. PR.DS-5: Protections against Data Leaks Are Implemented
5.3.7. PR.IP-3: Configuration Change Control Processes Are in Place
5.4. Authenticator AAL Mapping
6. Future Build Considerations
Appendix A: List of Acronyms
Appendix B: Glossary
Appendix C. National Institute of Standards and Technology (NIST) Internal Report 8055 [10] Requirements Enumeration and Implementation Mappings
Appendix D: References
Volume C: How-To Guides
Abstract
1. Introduction
1.1. Practice Guide Structure
1.2. Build Overview
2. Product Installation Guides
2.1. Managed Service Architecture with Enterprise Mobility Management (EMM) Integration
2.1.1. Entrust Datacard IdentityGuard (IDG)
2.1.1.1. Identity Management Profiles
2.1.2. MobileIron Core
2.1.2.1. Installation
2.1.2.2. General MobileIron Core Setup
2.1.2.3. Configuration of MobileIron Core for DPC
2.1.2.3.1. Integration with Active Directory
2.1.2.3.2. Create a DPC Users Label
2.1.2.3.3. Implement MobileIron Guidance
2.1.3. DPC Life-Cycle Workflows
2.1.3.1. DPC Initial Issuance
2.1.3.1.1. Register Target Device with MobileIron
2.1.3.1.2. DPC Initial Issuance
2.1.3.2. DPC Maintenance
2.1.3.3. DPC Termination
2.2. Hybrid Architecture for PIV and DPC Life-Cycle Management
2.2.1. Intercede MyID CMS
2.2.1.1. Installation
2.2.1.2. Verizon Shared Service Provider (SSP) PKI Integration
2.2.1.3. Configuration for DPC
2.2.2. Intercede MyID Identity Agent
2.2.2.1. Installation
2.2.3. Intercede Desktop Client
2.2.3.1. Installation
2.2.4. Intercede Self-Service Kiosk
2.2.4.1. Installation
2.2.4.2. Configuration
2.2.5. Windows Client Installation for MyID and Intel Authenticate
2.2.5.1. Installing the MyID Self-Service Application
2.2.5.2. Installing the WSVC Service
2.2.5.3. Installing Prerequisites for Intel Authenticate
2.2.5.4. Installing the Intel Authenticate Client
2.2.5.5. Configuring Intel Authenticate
2.2.6. Intel Authenticate GPO
2.2.6.1. Preparing a Digital Signing Certificate
2.2.6.2. Creating a Profile
2.2.6.3. Creating a Shared Folder
2.2.6.4. Creating Windows Management Instrumentation (WMI) Filters for the GPOs
2.2.6.5. Creating a GPO to Discover Intel Authenticate
2.2.6.6. Creating a GPO to Install Intel Authenticate
2.2.6.7. Creating a GPO to Enforce the Policy
2.2.7. Intel Virtual Smart Card (VSC) Configuration
2.2.7.1. Configuring MyID for Intel VSC
2.2.7.2. Setting up a PIN Protection Key
2.2.7.3. Creating a Credential Profile
2.2.8. DPC Life-Cycle Workflows
2.2.8.1. Mobile Device Issuance Workflow
2.2.8.2. Intel Authenticate Issuance Workflow
2.2.8.2.1. Requesting a DPC for Intel VSC
2.2.8.2.2. Collecting the DPC
2.2.8.3. Maintenance Workflow
2.2.8.4. Termination Workflow
Appendix A. List of Acronyms
Chapter 2
Digital Identity Guidelines: Enrollment and Identity Proofing
Abstract
1. Purpose
2. Introduction
2.1. Expected Outcomes of Identity Proofing
2.2. Identity Assurance Levels
3. Definitions and Abbreviations
4. Identity Assurance Level Requirements
4.1. Process Flow
4.2. General Requirements
4.3. Identity Assurance Level 1
4.4. Identity Assurance Level 2
4.4.1. IAL2 Conventional Proofing Requirements
4.4.1.1. Resolution Requirements
4.4.1.2. Evidence Collection Requirements
4.4.1.3. Validation Requirements
4.4.1.4. Verification Requirements
4.4.1.5. Presence Requirements
4.4.1.6. Address Confirmation
4.4.1.7. Biometric Collection
4.4.1.8. Security Controls
4.4.2. IAL2 Trusted Referee Proofing Requirements
4.5. Identity Assurance Level 3
4.5.1. Resolution Requirements
4.5.2. Evidence Collection Requirements
4.5.3. Validation Requirements
4.5.4. Verification Requirements
4.5.5. Presence Requirements
4.5.6. Address Confirmation
4.5.7. Biometric Collection
4.5.8. Security Controls
4.6. Enrollment Code
4.7. Summary of Requirements
5. Identity Resolution, Validation, and Verification
5.1. Identity Resolution
5.2. Identity Evidence Collection and Validation
5.2.1. Identity Evidence Quality Requirements
5.2.2. Validating Identity Evidence
5.3. Identity Verification
5.3.1. Identity Verification Methods
5.3.2. Knowledge-Based Verification Requirements
5.3.3. In-Person Proofing Requirements
5.3.3.1. General Requirements
5.3.3.2. Requirements for Supervised Remote In-Person Proofing
5.3.4. Trusted Referee Requirements
5.3.4.1. Additional Requirements for Minors
5.4. Binding Requirements
6. Derived Credentials
7. Threats and Security Considerations
7.1. Threat Mitigation Strategies
8. Privacy Considerations
8.1. Collection and Data Minimization
8.1.1. Social Security Numbers
8.2. Notice and Consent
8.3. Processing Limitation
8.4. Redress
8.5. Privacy Risk Assessment
8.6. Agency Specific Privacy Compliance
9. Usability Considerations
Assumptions
9.1. General User Experience Considerations During Enrollment and Identity Proofing
9.2. Pre-Enrollment Preparation
9.3. Enrollment Proofing Session
9.4. Post-Enrollment
References
General References
Standards
NIST Special Publications
Index