How can ForgeRock assist with the digital identity guidelines described in NIST SP 800-63 (revision 3)?

Last updated Feb 8, 2022

The purpose of this article is to provide information on how key features of the ForgeRock solution can be used to achieve compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-63 (revision 3).


Overview

The ForgeRock solution can assist with the guidelines described in NIST Special Publication 800-63 (revision 3), namely SP 800-63A, SP 800-63B and SP 800-63C, as summarized below:

  • SP 800-63A Enrollment & Identity Proofing guidelines are addressed through platform capabilities including registration, progressive profiling and identity proofing.
  • SP 800-63B Authentication & Lifecycle Management requirements are addressed through many key features of the platform, with authentication trees/journeys offering an excellent solution to achieve context-aware authentication and authorization services required for Authenticator Assurance Levels (AALs) 1-3. AAL3 can be achieved using ForgeRock's implementation of WebAuthn (FIDO2 support) plus one-time passcode (OTP), with or without the need for third-party hardware.
  • SP 800-63C Federation & Assertions guidelines are addressed through ForgeRock’s federated services based on open standards such as SAML, OpenID Connect (OIDC), OAuth 2.0 and User-Managed Access (UMA).

ForgeRock and NIST SP 800-63-3 guidelines

SP 800-63A Enrollment and Identity Proofing

ForgeRock provides registration and progressive profiling services and works with major identity proofing services in order to acquire and record assurance levels for each of the attributes under ForgeRock’s management. Each of the attributes stored can have associated metadata indicating the asserted Identity Assurance Level (IAL) from the authoritative source. In addition, ForgeRock Directory Services can encrypt all personally identifiable information (PII) data based on Federal Information Processing Standards (FIPS) 140-2 algorithms.

Where appropriate, such as with some implementations of Identity Assurance Levels IAL1 and IAL2, ForgeRock’s self-registration can be used to ease administrator load and end user friction. Self-registration allows the applicant to register with an agency with minimal or no administrator interaction.

SP 800-63B Authentication and Lifecycle Management

ForgeRock provides context-aware authentication and authorization services, matching NIST's view that strong authentication is a necessary part, but not the entirety, of a comprehensive access management system.

The ForgeRock solution supports the notion of Authenticator Assurance Levels (AALs), with Access Management and Identity Gateway working together as a complete solution. This satisfies the requirement for risk-based and context-aware capabilities that adapt to evolving security requirements within a dynamic contextual session. AAL1 through AAL3 require single-factor and multi-factor combinations; users can choose their authentication factors and, depending on that choice, may need to add one additional factor to reach the highest assurance level, AAL3. ForgeRock's authentication trees/journeys offer an excellent solution for handling this complexity.

ForgeRock can also help customers achieve AAL3 using FIDO2-capable devices or browsers, through ForgeRock's implementation of WebAuthn (FIDO2) plus a one-time passcode (OTP), with or without third-party hardware. Although third-party authenticators such as YubiKeys may be required by a given implementation, the need for them will diminish as hardware matures and features such as fingerprint readers become commonplace. Agencies that already possess or wish to pilot these more mature platforms can use ForgeRock as it exists today to achieve this advanced use case.

See the Supported authenticator requirements and Authenticator Assurance Level sections later in this article for further information.

SP 800-63C Federation and Assertions

Federation is built into the ForgeRock solution. ForgeRock’s federation services are based on open standards, such as SAML, OpenID Connect, OAuth 2.0 and User-Managed Access (UMA). These services provide value for both provider and consumer entities, which include: identity provider (IdP), service provider (SP), authorization server (AS), relying party (RP), and other types.

See Supported Federation Assurance Levels (FALs) for further information.

Supported authenticator requirements

Authenticator requirements described in SP 800-63B: 5 Authenticator and Verifier Requirements are supported by the ForgeRock solution, as follows:

Requirement                           Section  ForgeRock solution
Memorized Secrets                     5.1.1    Frontend and backend support.
Look-Up Secrets                       5.1.2    Frontend and backend support. Supports WebAuthn recovery codes.
Out-of-Band Devices                   5.1.3    Frontend and backend support. Works with ForgeRock Authenticator.
Single-Factor OTP Device              5.1.4    Frontend and backend support. Works with ForgeRock Authenticator, Google Authenticator, YubiKey 4 Series, YubiKey 5 Series, Yubico Security Key Series, and YubiKey FIPS Series.
Multi-Factor OTP Devices              5.1.5    Backend support only. Works with YubiKey 4 Series, YubiKey 5 Series, and YubiKey FIPS Series.
Single-Factor Cryptographic Software  5.1.6    Frontend and backend support. Supports WebAuthn with any device.
Single-Factor Cryptographic Device    5.1.7    Backend support only. Works with YubiKey 4 Series, YubiKey 5 Series, Yubico Security Key Series, and YubiKey FIPS Series.
Multi-Factor Cryptographic Software   5.1.8    Backend support only. Works with YubiKey 4 Series, YubiKey 5 Series, Yubico Security Key Series, and YubiKey FIPS Series.
Multi-Factor Cryptographic Devices    5.1.9    Backend support only. Works with YubiKey 4 Series, YubiKey 5 Series, Yubico Security Key Series, and YubiKey FIPS Series.

Authenticator Assurance Level 1 (AAL1)

Any one of the following will suffice for AAL1:

  • Memorized Secrets (Password, PIN, Knowledge-Based Authentication (KBA))
  • Look-Up Secrets (Printed or electronic list of OTPs or PINs or codes)
  • Out-of-Band Devices (Push authentication through a mobile app)
  • Single-Factor OTP Device (H/TOTP generators, YubiKeys, ForgeRock Authenticator or Google Authenticator)
  • Multi-Factor OTP Devices (PIN or biometrically protected H/TOTP generators, YubiKeys)
  • Single-Factor Cryptographic Software (Software-based FIDO, U2F)
  • Single-Factor Cryptographic Devices (YubiKey with FIDO, U2F)
  • Multi-Factor Cryptographic Software (WebAuthn)
  • Multi-Factor Cryptographic Devices (Personal Identity Verification (PIV) or Common Access Card (CAC))

Examples of achieving AAL1 with ForgeRock Intelligent Access:

  • Memorized Secrets - Username/Password
  • Out-of-Band Devices - Push Authentication

Authenticator Assurance Level 2 (AAL2)

Any one of the following single authenticator types will suffice for AAL2:

  • Multi-Factor OTP Devices (PIN or biometrically protected H/TOTP generators, YubiKeys)
  • Multi-Factor Cryptographic Software (WebAuthn)
  • Multi-Factor Cryptographic Devices (Personal Identity Verification (PIV) or Common Access Card (CAC))

Sufficient authenticator combinations (1st plus 2nd factors) are as follows:

  • 1st factor - Memorized Secret (Password, PIN, KBA), plus
  • 2nd factors - Look-Up Secret, Out-of-Band, Single-Factor OTP Devices, Single-Factor Crypto Software, Single-Factor Crypto Devices

Examples of achieving AAL2 with ForgeRock Intelligent Access:

  • AAL2 sufficient single authenticator type - Multi-Factor Cryptographic Software (WebAuthn)
  • AAL2 sufficient authenticator combination - Username/Password plus Push Authentication

Authenticator Assurance Level 3 (AAL3)

Any of the following combinations will suffice for AAL3:

  • Multi-Factor Cryptographic Devices (PIV or CAC), or Single-Factor Cryptographic Devices (YubiKey using FIDO, U2F) plus Memorized Secrets (Password, PIN, KBA)
  • Single-Factor OTP Device (H/TOTP generators, YubiKeys, ForgeRock Authenticator or Google Authenticator) plus Multi-Factor Cryptographic Devices (PIV or CAC) or Multi-Factor Cryptographic Software (WebAuthn)
  • Single-Factor OTP Device (H/TOTP generators, YubiKeys, ForgeRock Authenticator or Google Authenticator) plus Single-Factor Cryptographic Software (Software-based FIDO, U2F) plus Memorized Secrets (Password, PIN, KBA)

Examples of achieving AAL3 with ForgeRock Intelligent Access:

  • AAL3 sufficient authenticator combination - Username/Password plus YubiKey
  • AAL3 sufficient authenticator combination - OATH (YubiKey) plus WebAuthn

Supported Federation Assurance Levels (FALs)

The FAL describes requirements for how assertions are constructed and secured for a given transaction. These levels can be requested by an RP or required by the configuration of both the RP and the IdP for a given transaction.

ForgeRock meets the requirements for FAL1-3 described in 800-63C: 4 Federation Assurance Level (FAL) in the following ways:

FAL1: Bearer assertion, signed by IdP

Bearer assertion:

  • SAML 2.0 (WS-Fed) - IdP Web Browser SSO Profile, STS (Security Token Service)
  • OAuth 2.0 - AS, STS
  • OIDC 1.0 - AS, STS

Signed by IdP:

  • SAML 2.0 (WS-Fed)
  • OAuth 2.0
  • OIDC 1.0

FAL2: Bearer assertion, signed by IdP and encrypted to RP

Bearer assertion:

  • SAML 2.0 (WS-Fed) - IdP Web Browser SSO Profile, STS
  • OAuth 2.0 - AS, STS
  • OIDC 1.0 - AS, STS

Signed by IdP:

  • SAML 2.0 (WS-Fed)
  • OAuth 2.0
  • OIDC 1.0

Encrypted to RP:

  • SAML 2.0 (WS-Fed)
  • OAuth 2.0
  • OIDC 1.0

FAL3: Holder of key assertion, signed by IdP and encrypted to RP

Holder of key assertion:

  • SAML 2.0 (WS-Fed) - STS
  • OAuth 2.0 - AS (RFC 7800)
  • OIDC 1.0 - AS (RFC 7800), STS

Signed by IdP:

  • SAML 2.0 (WS-Fed)
  • OAuth 2.0
  • OIDC 1.0

Encrypted to RP:

  • SAML 2.0 (WS-Fed)
  • OAuth 2.0
  • OIDC 1.0
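The following RP-side check is an added illustration, not ForgeRock code and not part of this article, of what separates a FAL1 bearer assertion from a FAL3 holder-of-key assertion: at every FAL the RP verifies the IdP's signature, audience and expiry, and at FAL3 it additionally requires an RFC 7800 `cnf` claim and a fresh proof that the presenter holds the bound key. The key names, claim values and the use of HMAC-SHA256 for both the IdP signature and the possession proof are constructed assumptions to keep the example standard-library only (real deployments use asymmetric keys); the FAL2/FAL3 encryption-to-RP layer is assumed to have been removed before this check runs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keys. A real IdP signs with an asymmetric key and the RP holds
# only the public half; HMAC-SHA256 is used for both keys here to stay stdlib-only.
IDP_KEY = b"constructed-idp-signing-key"
CLIENT_KEYS = {"client-key-1": b"constructed-subscriber-possession-key"}  # kid -> key


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes) -> str:
    """IdP side: mint a compact JWS (HS256) over the assertion claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def prove_possession(nonce: str, key: bytes) -> str:
    """Subscriber side: answer the RP's nonce with the key named in cnf.kid."""
    return b64url(hmac.new(key, nonce.encode(), hashlib.sha256).digest())


def verify_assertion(jws, audience, required_fal, nonce="", proof="", now=None):
    """RP side: return the claims if the assertion satisfies required_fal, else raise."""
    header, payload, sig = jws.split(".")
    # The header's alg is deliberately ignored: the RP already knows the IdP's key and algorithm.
    expected = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("assertion is not signed by the IdP")  # required at every FAL
    claims = json.loads(b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("assertion is not for this RP or has expired")
    if required_fal >= 3:  # FAL3: holder-of-key, bound through the RFC 7800 cnf claim
        key = CLIENT_KEYS.get(claims.get("cnf", {}).get("kid"))
        if key is None:
            raise ValueError("FAL3 requires a cnf claim naming a key the RP knows")
        if not hmac.compare_digest(proof, prove_possession(nonce, key)):
            raise ValueError("presenter did not prove possession of the bound key")
    return claims
```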

See Also

ForgeRock and NIST Special Publication (whitepaper)

NIST Special Publication 800-63 Revision 3

Is the ForgeRock Identity Platform FIPS 140-2 compliant?


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.