Thanks for that, that is all that is needed to get the idea. (I was hoping for some objective standard rather than a current-technology taxonomy.)

iang


On 2/06/12 23:15 PM, Joe St Sauver wrote:
ianG asked:

#Would it be possible to describe in general words what LOA-1 thru 4 entails?

I hesitate to try to do so. The definitive answer can be found in
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
and includes many subtle and important points, but just to focus solely
on the password/token requirement and vastly oversimplify things (ignoring
LOTS of other stuff that DOES really matter):

-- LOA-1: a password such that an attacker with no a priori knowledge of
the password will succeed in an in-band password guessing attack 1 in
1024 times (weak password auth)

-- LOA-2: as LOA-2, except 1 in 16,384 (stronger password auth)

-- LOA-3: requires multifactor auth (soft tokens are acceptable for this)

-- LOA-4: requires multifactor auth using a hard token (arguably, hard to
    do LOA-4 at scale with anything other than smart cards/PKI USB hard
    tokens)

But truly, a couple of paragraphs cannot do justice to the 64 pages of
NIST 800-63, and I'd urge you to refer to it directly if interested in
this topic.

Regards,

Joe

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
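The LOA-1 and LOA-2 thresholds Joe quotes (1 in 1024 and 1 in 16,384) are targets for an attacker's success probability in an online guessing attack, so a password policy meets them only when guess entropy and attempt throttling together keep the attacker below that ceiling. The checker below is an added example, not code from the thread or from NIST 800-63; it assumes the simplest model (every guess is an independent draw from a keyspace of 2^entropy equally likely passwords, and the attacker gets at most `max_guesses` online attempts over the token lifetime), and the function names are my own.

```python
import math

# Thresholds quoted in the thread: LOA-1 tolerates a 1-in-1024 chance of a
# successful in-band guessing attack, LOA-2 tolerates 1 in 16,384.
LOA_TARGETS = {1: 1 / 1024, 2: 1 / 16384}


def guess_success_probability(entropy_bits: float, max_guesses: int) -> float:
    """Attacker success probability under the assumed model: no a priori
    knowledge, each online guess an independent draw from a keyspace of
    2**entropy_bits equally likely passwords, at most max_guesses attempts."""
    if entropy_bits < 0 or max_guesses < 0:
        raise ValueError("entropy and guess budget must be non-negative")
    keyspace = 2.0 ** entropy_bits
    # Edge case: once the guess budget covers the keyspace the attacker always wins.
    return min(1.0, max_guesses / keyspace)


def highest_loa_met(entropy_bits: float, max_guesses: int) -> int:
    """Return 2, 1 or 0 for the highest password-only level whose target the
    policy meets. LOA-3 and LOA-4 require a second factor, so never returned."""
    p = guess_success_probability(entropy_bits, max_guesses)
    if p <= LOA_TARGETS[2]:
        return 2
    if p <= LOA_TARGETS[1]:
        return 1
    return 0


def min_entropy_for_loa(level: int, max_guesses: int) -> float:
    """Bits of guess entropy needed so that max_guesses attempts succeed with
    probability at most the target: log2(max_guesses) - log2(target).
    With no throttling at all (huge max_guesses) the requirement explodes,
    which is why lockout or rate limiting is the cheaper lever."""
    if max_guesses < 1:
        raise ValueError("need at least one permitted guess")
    return math.log2(max_guesses) - math.log2(LOA_TARGETS[level])


if __name__ == "__main__":
    # Constructed policies: (guess entropy in bits, attempts before lockout).
    for bits, guesses in [(13, 10), (20, 1024), (30, 10), (30, 100000)]:
        p = guess_success_probability(bits, guesses)
        print(f"{bits:>4} bits, {guesses:>7} guesses -> p={p:.2e}, "
              f"LOA-{highest_loa_met(bits, guesses)} "
              f"(LOA-1 needs {min_entropy_for_loa(1, guesses):.1f} bits)")
```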
