ianG asked:

> Would it be possible to describe in general words what LOA-1 thru 4 entails?

I hesitate to try to do so. The definitive answer can be found in 
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
and includes many subtle and important points, but just to focus solely
on the password/token requirement and vastly oversimplify things (ignoring
LOTS of other stuff that DOES really matter):

-- LOA-1: a password such that an attacker with no a priori knowledge of
the password will succeed in an in-band password guessing attack 1 in
1024 times (weak password auth)

-- LOA-2: as LOA-1, except 1 in 16,384 (stronger password auth)

-- LOA-3: requires multifactor auth (soft tokens are acceptable for this)

-- LOA-4: requires multifactor auth using a hard token (arguably, hard to
   do LOA-4 at scale with anything other than smart cards/PKI USB hard 
   tokens)

But truly, a couple of paragraphs cannot do justice to the 64 pages of 
NIST 800-63, and I'd urge you to refer to it directly if interested in
this topic.

Regards,

Joe
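A way to turn the two password-guessing thresholds quoted above into a concrete policy check, as an added example that is not part of the original message or of NIST's publication: given an assumed min-entropy for user passwords and the verifier's throttling rule on failed logins, it bounds the attacker's in-band guesses over the password lifetime and reports which LOA threshold that combination meets. The sample policies, entropy figures and function names are constructed assumptions.

```python
from dataclasses import dataclass
import math

# Thresholds quoted in the message (NIST SP 800-63 v1.0.2): the attacker's
# chance of guessing the password over its lifetime must not exceed these.
LOA_THRESHOLDS = {1: 1 / 1024, 2: 1 / 16384}


@dataclass(frozen=True)
class PasswordPolicy:
    min_entropy_bits: float    # assumed min-entropy of user passwords (an input, not derived here)
    lifetime_days: int         # password validity period
    max_fails_per_window: int  # failed logins tolerated per throttling window
    window_minutes: int        # throttling window length


def attacker_guesses(policy: PasswordPolicy) -> int:
    """Upper bound on in-band (online) guesses over the password lifetime,
    given that the verifier throttles failed attempts per window."""
    windows = policy.lifetime_days * 24 * 60 // policy.window_minutes
    return windows * policy.max_fails_per_window


def success_probability(policy: PasswordPolicy) -> float:
    """Chance a targeted guessing attack succeeds, modelling each guess as a
    2^-H hit against a password space with H bits of min-entropy."""
    return min(1.0, attacker_guesses(policy) / 2 ** policy.min_entropy_bits)


def highest_loa(policy: PasswordPolicy) -> int:
    """2 or 1 for the strongest password-only LOA threshold met, 0 for neither."""
    p = success_probability(policy)
    return next((level for level in (2, 1) if p <= LOA_THRESHOLDS[level]), 0)


def minimum_entropy_bits(level: int, guesses: int) -> int:
    """Whole bits of min-entropy needed so `guesses` attempts stay under the LOA threshold."""
    return math.ceil(math.log2(guesses / LOA_THRESHOLDS[level]))


# Constructed sample policies; the entropy figures are assumptions for illustration.
WEAK = PasswordPolicy(min_entropy_bits=20, lifetime_days=365, max_fails_per_window=10, window_minutes=15)
MID = PasswordPolicy(min_entropy_bits=24, lifetime_days=90, max_fails_per_window=5, window_minutes=60)
HARDENED = PasswordPolicy(min_entropy_bits=30, lifetime_days=90, max_fails_per_window=5, window_minutes=60)

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("mid", MID), ("hardened", HARDENED)):
        print(f"{name}: {attacker_guesses(pol)} guesses, p={success_probability(pol):.2e}, LOA-{highest_loa(pol)}")
    print("bits needed for LOA-2 at", attacker_guesses(MID), "guesses:", minimum_entropy_bits(2, attacker_guesses(MID)))
```

Note that the entropy of user-chosen passwords is the hard part in practice; the document's Appendix A gives NIST's own estimation heuristic, which this example deliberately leaves as an input.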
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography