INFO5301 NIST Digital Identity Guidelines
• AAL 3- MF crypto device; SF crypto device plus memorized secret; MF OTP device (software or hardware) plus SF crypto device; MF OTP device (hardware only) plus SF crypto software; SF OTP device (hardware only) plus MF crypto software; SF OTP device (hardware only) plus SF crypto software plus memorized secret (SP 800-63B section 4.3.1)
Exercise 5:
What are the re-authentication periods and conditions for the AALs as recommended by
NIST?
Answer:
• AAL 1- 30 days, regardless of user activity
• AAL 2- 12 hours, or after 30 minutes of inactivity. Reauthentication of a session that has not yet reached its 12-hour limit may use a single factor (a memorized secret or biometric together with the still-valid session secret)
• AAL 3- 12 hours, or after 15 minutes of inactivity. Reauthentication shall use both authentication factors
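The three rules above are what a verifier's session manager has to enforce: an absolute session lifetime, an idle timeout, and a decision about how much of the original authentication must be repeated. The following is an added worked example (not from the NIST guideline or the course notes) that encodes the SP 800-63B reauthentication table and evaluates a session against it. The Session and Reauth names, the rule that an expired absolute limit always forces a full re-authentication, and the constructed timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Reauth(Enum):
    NONE = "none"                    # session still valid, no action needed
    SINGLE_FACTOR = "single-factor"  # AAL2 only: memorized secret or biometric + still-valid session secret
    FULL = "full"                    # all authentication factors required again


# SP 800-63B section 4 reauthentication requirements, one entry per AAL.
# max_idle is None where the guideline sets no inactivity timeout (AAL1).
# single_factor_ok: may a not-yet-expired session be reauthenticated with one factor?
POLICY = {
    1: {"max_session": timedelta(days=30),  "max_idle": None,                  "single_factor_ok": False},
    2: {"max_session": timedelta(hours=12), "max_idle": timedelta(minutes=30), "single_factor_ok": True},
    3: {"max_session": timedelta(hours=12), "max_idle": timedelta(minutes=15), "single_factor_ok": False},
}


@dataclass
class Session:
    aal: int                       # assurance level the session was established at
    authenticated_at: datetime     # time of the last full authentication (UTC, tz-aware)
    last_activity_at: datetime     # time of the last authenticated request (UTC, tz-aware)


def _check_clock(session: Session, now: datetime) -> None:
    # Reject naive datetimes and impossible orderings rather than silently
    # computing negative ages, which would extend a session's lifetime.
    for ts in (session.authenticated_at, session.last_activity_at, now):
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
    if session.last_activity_at < session.authenticated_at or now < session.last_activity_at:
        raise ValueError("timestamps out of order (clock skew or tampered session record)")


def reauth_required(session: Session, now: datetime) -> Reauth:
    """Decide what, if anything, the subscriber must do to keep this session."""
    _check_clock(session, now)
    policy = POLICY[session.aal]  # KeyError for unknown AAL is intentional: fail closed

    # Absolute lifetime reached: the session secret is no longer valid, so a
    # partial (single-factor) reauthentication is not an option at any AAL.
    if now - session.authenticated_at >= policy["max_session"]:
        return Reauth.FULL

    # Inactivity timeout (AAL2/AAL3 only).
    if policy["max_idle"] is not None and now - session.last_activity_at >= policy["max_idle"]:
        return Reauth.SINGLE_FACTOR if policy["single_factor_ok"] else Reauth.FULL

    return Reauth.NONE


def next_deadline(session: Session, now: datetime) -> datetime:
    """Earliest instant at which this session will need reauthentication if it stays idle."""
    _check_clock(session, now)
    policy = POLICY[session.aal]
    deadline = session.authenticated_at + policy["max_session"]
    if policy["max_idle"] is not None:
        deadline = min(deadline, session.last_activity_at + policy["max_idle"])
    return deadline


if __name__ == "__main__":
    # Constructed sample: AAL2 session, 10 hours old, idle for 31 minutes.
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    s = Session(aal=2, authenticated_at=t0, last_activity_at=t0 + timedelta(hours=10))
    now = t0 + timedelta(hours=10, minutes=31)
    print(reauth_required(s, now).value, next_deadline(s, now).isoformat())
```

The verifier would call reauth_required on every authenticated request and, on SINGLE_FACTOR, challenge for a memorized secret or biometric while keeping the session secret; on FULL it must discard the session and run the complete AAL-appropriate authentication again. next_deadline is what a client can use to schedule a warning before the idle timer fires.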
Exercise 6:
Select the answer with the correct Authenticator assurance level/ combination for the following statements.
1. MitM Resistance is required in the levels,
2. Verifier-impersonation resistance is required in the levels,
3. Verifier-compromise resistance is required in the levels,
4. Replay resistance is required in the levels,
5. Authentication intent is required in the levels,
6. Records retention policy and privacy controls are required in
• A. AAL 3 only
• B. AAL 2 and 3
• C. All levels
Answer:
1. C
2. A
3. A
Information Security Management Page 3 of 9