...

  • Roger presented the issue he has found in the 63A criteria related to the use of KBV. He commented that the NIST 800-63A specification points to Section 5.3.2 to address KBV for IAL2. The heading specifically says: “The following requirements apply to the identity verification steps for IAL2…” 2. Kantara SAC version 3 does not carry the requirements of Section 5.3.2 allocated for KBV compliance (those items are marked n/a).
  • Scott said that

    KBV that why it is not listed as strong. 
  • José added that 

...

  • one of the NIST objectives was to define a level of assurance at which KBV was not sufficient, so that's why KBV is not defined as strong, and you need at least one strong. So he believes it's intentional.

  • José added that KBV is used when you try to resolve a unique identity.

  • RW commented that it applies to validation. Section 5.3.1 Identity Verification Methods points to Table 5.3. The second sentence says: “The CSP SHALL adhere to the requirements in Section 5.3.2 if KBV is used to verify an identity”. Appears to have an omission. We need to look at Section 5.3.1. There is no mandate to use KBV, so there are no KI-specific criteria for it. We need to determine where and under what conditions it should be invoked. In Table 5.3 there is no reference to KBV in strong (only in fair).

  • Offer guidance 
  • IAWG agreed to reach out to NIST and raise the issue to get their feedback.

Action items: Reach out to NIST and share the issue.




Update on Identity Proofing and Verification Use Cases Discussion Group 

...