INFO5301 NIST Digital Identity Guidelines
4. B
5. A
6. C
Exercise 7:
Mark the following statements True or False
1. Memorized secrets should have at least 8 characters if chosen by the subscriber, and at
least 6 characters if chosen randomly by the CSP or verifier.
2. When establishing or changing a memorized secret, the user can pick any secret within
the character-level constraint, and the verifier is not required to cross check the new
secret with any other database.
3. Look-up secrets with less than 112 bits of entropy shall be salted and hashed with
a suitable one-way key derivation function, while those with less than 64 bits of entropy
shall be implemented with additional rate limiting mechanisms to limit failed
authentication attempts.
4. Out-of-Band verifiers will establish a uniquely addressable distinct secondary
communications channel such as PSTN, VOIP or email separate from the primary channel.
The claimant will be required to either transfer secret from primary to the secondary
channel or vice-versa or to approve the authentication secret received through both
channels.
5. Single-Factor OTP authenticator output is obtained by securely combining the device's
symmetric key and nonce using a hash function or an approved block cipher.
6. Multi-Factor OTP authenticators operate similarly to SF OTP authenticators, except that
they require an additional factor (biometric or memorized secret) to obtain the OTP. The
verification will not be completed unless it is established that the authenticator is a
multi-factor device.
Answer:
1. True
2. False - The verifier shall compare the prospective secret against a database of
commonly used, expected or compromised words.
3. True
4. False - Methods that do not prove possession of a specific device such as email or VOIP
shall not be used for out-of-band authentication
5. True
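As an added illustration (not part of the exercise or of the NIST text), a minimal Python verifier for memorized secrets that applies statements 1 and 2 together with the answer to 2: a minimum length that depends on who chose the secret, a comparison against a blocklist of commonly used or compromised words, and salted one-way hashing for storage. The blocklist contents and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample blocklist. A real verifier would load a large list of
# commonly used, expected or compromised words (assumption: sourced elsewhere).
BLOCKLIST = {"password", "12345678", "qwertyui", "letmein1", "welcome1"}

MIN_LEN_SUBSCRIBER = 8  # secret chosen by the subscriber
MIN_LEN_RANDOM = 6      # secret chosen randomly by the CSP or verifier
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the one-way key derivation


def check_memorized_secret(secret: str, chosen_by_subscriber: bool = True) -> Optional[str]:
    """Return None if the secret is acceptable, otherwise the reason it was rejected."""
    min_len = MIN_LEN_SUBSCRIBER if chosen_by_subscriber else MIN_LEN_RANDOM
    if len(secret) < min_len:
        return f"too short: at least {min_len} characters are required"
    # Statement 2 is False: the verifier must cross-check against the blocklist.
    if secret in BLOCKLIST:
        return "secret appears in the list of commonly used, expected or compromised words"
    return None


def store_secret(secret: str) -> Tuple[bytes, bytes]:
    """Salt and hash the secret with a one-way key derivation function for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the derived key and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```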
Information Security Management Page 4 of 9