INFO5301 NIST Digital Identity Guidelines
Exercise 2:
What do Authenticator Assurance Levels (AALs) measure? How many AALs does the NIST policy document introduce?
Answer: AALs measure the strength of an authentication transaction. A higher AAL implies stronger authentication, so a malicious actor needs more resources and capabilities to subvert the authentication process. The NIST document introduces 3 AALs.
Exercise 3:
Match the description with the corresponding AAL.
1. Requires either single-factor authentication or multifactor authentication using a wide range of prevailing authentication technologies. The claimant should prove possession and control of the authenticator via a secure authentication protocol.
2. Requires proof of possession and control of two distinct authentication factors through secure authentication protocols. Approved cryptographic techniques are required beyond this level.
3. Is based on proof of possession of a key through a cryptographic protocol. Should use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance.
AALs:
• AAL 1
• AAL 2
• AAL 3
Answer: 1: AAL 1; 2: AAL 2; 3: AAL 3
Exercise 4:
List 3 authenticator types permitted at each Authenticator Assurance Level.
Answer:
• AAL 1: Memorized secret, Look-up secret, SF (single-factor) OTP device
• AAL 2: MF (multi-factor) OTP device, MF crypto device or software, Memorized secret plus SF crypto device/software
Information Security Management, Page 2 of 9