米国NSAが「多要素認証サービスの選択と安全な使用」に関する連邦政府向けのガイダンスを公表していますね。。。

こんにちは、丸山満彦です。

米国NSAが「多要素認証サービスの選択と安全な使用」に関する連邦政府向けのガイダンスを公表していますね。。。各社のソリューション毎に表にまとめていて理解がしやすい感じですね。

• NIST SP800-63に対して一般的に使用されている各社の多要素認証（MFA）ソリューションをレビューしている。
• 国家安全保障システム、国防省、国防産業企業等のエンドユーザーが、どの多要素認証ソリューションを利用すべきか決める際に役立つ。
• あらゆるサービスの推奨事項として機能することを意図したものではない。（けど、民間事業者にも参考になるかも。。。）
• 侵害されたデバイスを防御できる認証手段がないため、デバイスが安全であることを確認することは別途重要である。
• セキュリティを確保するには、政府が提供する機器で常に多要素認証サービスを利用するか、一時的に安全なオペレーティングシステムを利用してください。
• どちらもできない場合は、低い権限を持つ別ユーザーアカウントを作成して作業する。

● NSA

・2020.09.22 NSA Releases Cybersecurity Guidance “Selecting and Safely Using Multifactor Authentication Services”

・[PDF] Selecting Secure Multi-factor Authentication Solutions

---

Criteria to consider when selecting a multi-factor authentication solution

To provide a complete and secure authentication solution for your organization, evaluate possible solutions against the following criteria:

1. Does the solution adequately protect the authenticator from common exploitation techniques? Most authentication solutions depend on secret keys that require integrity protection, protection from disclosure, and properly implemented secure random number generators and cryptography.
   
   
2. Does the solution ensure the validator is effective in confirming that a request for access is from the user bound to the authenticator? Confirming this binding requires proof-of-possession of ‘what you have’ and evidence that ‘what you know’ and/or ‘what you are’ have been confirmed.
   
   
3. Are communications among components of the authentication solution adequately protected using strong, well-known, and testable cryptographic standards? Communications need integrity protection, source authentication, and/or encryption to protect authentication evidence from modification or replay.
   
   
4. Does the solution provide support for managing the lifecycle of digital identities and authenticators? Organizations are responsible for the lifecycle management of digital identities. Solutions that support these activities can be more easily managed, and therefore often more securely managed.
   
   
5. If the solution authenticates a user’s request on behalf of a requested service, does the solution securely communicate that authentication to the requested service? Secure integration of an authentication solution into existing mechanisms ensures that the solution does not allow malicious actors to bypass authentication.

The detailed criteria used to answer these questions depend on the type of multi-factor authentication mechanism used.

SP 800-63-3 defines a number of single response multi-factor mechanisms, as well as combinations of single-factor mechanisms (referred to as multi-step authentication mechanisms) suitable for AAL 2 or AAL 3. The authenticator type can be implemented in a hardware device (e.g., a key-chain fob) or by software installed on a mobile device.

Single response, multi-factor authentication mechanisms require activation of the device, either with a PIN/password or biometric. The device provides ‘what you have’ and activation of the device implies that ‘what-you-know’ or ‘what-you-are’ has been verified.

On the other hand, multi-step authenticators often include a password to provide ‘what-you-know’ and another authenticator that provides ‘what-you-have’. Note that SP 800-63-3 Part B defines the requirements for PIN/password activation differently from the passwords that are used directly to provide ‘what-you-know’. PINs/passwords used for activation of an authenticator device are typically 6-to-8 characters and the device integrates thresholds to address password guessing attacks, whereas passwords used directly are required to be longer and have complexity requirements.

---

Duo、Google 、Microsoft、OKTA、OneLogin、RSA、Yubikeynのソリューションが挙げられていますね。。。

 

---

■ 参考

NIST’s “Digital Identity Guidelines” consists of the following three parts:

• SP 800-63-3 Part A defines identity vetting processes that are expected to be managed by the organization as part
  of their identity lifecycle management. Part A is not covered in this document.
  
  
• SP 800-63-3 Part B defines three authenticator assurance levels (AAL) for authenticators. Government Agencies
  require AAL 2 solutions for access to official information systems, and may require AAL 3 solutions for access to
  sensitive or mission critical information; solutions that do not align to SP 800-63-3, or which only provide AAL 1
  mechanisms, are not discussed in this document.
  
  
• SP 800-63 Part C discusses identity federation and defines three Federation Assurance Levels (FAL).

 

日本語版

https://openid-foundation-japan.github.io/800-63-3-final/index.ja.html

Document	Title	URL
SP 800-63-3	Digital Identity Guidelines	https://openid-foundation-japan.github.io/800-63-3-final/sp800-63-3.ja.html
SP 800-63A	Enrollment and Identity Proofing	https://openid-foundation-japan.github.io/800-63-3-final/sp800-63a.ja.html
SP 800-63B	Authentication and Lifecycle Management	https://openid-foundation-japan.github.io/800-63-3-final/sp800-63b.ja.html
SP 800-63C	Federation and Assertions	https://openid-foundation-japan.github.io/800-63-3-final/sp800-63c.ja.html