Authentication Assurance Levels

The authentication service defines confidence in authentication using Authenticator Assurance Levels (AALs), ranging from level 1 to 3.

Authenticator Assurance Level 1

AAL1 provides some assurance that a person controls the authenticator linked to their user account. The user must identify themselves using at least one of the following authenticators:

  • Passkey (SF Passkey Device, or MF Passkey Device if protected by PIN or biometric; possession)

  • Password (Memorized Secret; knowledge)

  • Email

  • SMS

  • Voice

  • Authenticator App (SF OTP Device, or MF OTP Device if protected by PIN or biometric; possession)

A user authentication session must not last longer than 30 days, regardless of activity. The session is terminated when this limit is reached, and records of these sessions are stored according to your retention policies.

Authenticator Assurance Level 2

AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber's account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.

Authenticator Assurance Level 3

AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber's account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device MAY fulfill both of these requirements. In order to authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required.

Additional considerations

When handling personally identifiable information (PII), we strongly recommend using at least AAL2.

The Authenticator Assurance Levels (AALs) define the required security and factors for user authentication. In summary:

  • AAL1: At this level, the system has some confidence that the person controls an authenticator linked to their user account. The person can use one or more methods to verify their identity, and must prove control over the authenticator through a secure authentication process.

  • AAL2: This level gives high confidence that the person controls their authenticator. To verify their identity, the person must provide two different types of authentication factor (for example something they know, such as a password, and something they have, such as a phone). The authentication must use secure, trusted methods, including approved cryptographic techniques.

  • AAL3: This is the highest level, offering very high confidence that the person controls their authenticator. To verify their identity, the person must use a physical device (such as a security key) and prove possession of it through a cryptographic protocol. The person must prove control of two different types of authentication factor, and all methods used must be highly secure and based on cryptography.

Reauthentication

Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL3, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session, regardless of user activity, as described in Section 7.2. Reauthentication of the subscriber SHALL be repeated following any period of inactivity lasting 15 minutes or longer. Reauthentication SHALL use both authentication factors. The session SHALL be terminated (i.e., logged out) when either of these time limits is reached. The verifier MAY prompt the user to cause activity just before the inactivity timeout.
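As an added example, not part of this page or of the authentication service's own code, the session lifetime and inactivity limits above expressed as a small policy check. The limits are the ones the page states for each AAL (30 days at AAL1; 12 hours or 30 minutes inactivity at AAL2; 12 hours or 15 minutes inactivity with both factors at AAL3); the function names and the two-minute prompt window are assumptions.

```python
# Reauthentication limits per AAL as stated on this page (Table 4-1 and the
# Reauthentication section), expressed in minutes.  "lifetime" is the maximum
# session age regardless of activity, "idle" the inactivity timeout (none at
# AAL1) and "factors" the minimum number of factors reauthentication must use.
REAUTH_POLICY = {
    1: {"lifetime": 30 * 24 * 60, "idle": None, "factors": 1},
    2: {"lifetime": 12 * 60, "idle": 30, "factors": 1},
    3: {"lifetime": 12 * 60, "idle": 15, "factors": 2},
}


def reauth_decision(aal: int, minutes_since_auth: int, minutes_idle: int) -> dict:
    """Decide whether a session at the given AAL must be terminated and, if so,
    why and how many factors the subscriber must present to come back."""
    policy = REAUTH_POLICY[aal]
    reasons = []
    if minutes_since_auth >= policy["lifetime"]:
        reasons.append("session lifetime exceeded")
    if policy["idle"] is not None and minutes_idle >= policy["idle"]:
        reasons.append("inactivity timeout exceeded")
    return {
        "terminate": bool(reasons),
        "reasons": reasons,
        "factors_required": policy["factors"] if reasons else 0,
    }


def should_prompt(aal: int, minutes_idle: int, warning: int = 2) -> bool:
    """True when the inactivity timeout is at most `warning` minutes away but
    has not been reached yet; the page says the verifier MAY prompt then.
    The two-minute default is an assumption, not a value from the page."""
    idle_limit = REAUTH_POLICY[aal]["idle"]
    if idle_limit is None:
        return False
    remaining = idle_limit - minutes_idle
    return 0 < remaining <= warning


if __name__ == "__main__":
    # Constructed sample: an AAL3 session 76 minutes old, idle for 16 minutes.
    print(reauth_decision(3, 76, 16))
```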

Man-in-the-Middle Resistance

Table 4-1 AAL Summary of Requirements

Permitted authenticator types

  • AAL1: Memorized Secret; Look-up Secret; Out-of-Band; SF OTP Device; MF OTP Device; SF Crypto Software; SF Crypto Device; MF Crypto Software; MF Crypto Device

  • AAL2: MF OTP Device; MF Crypto Software; MF Crypto Device; or Memorized Secret plus one of: Look-up Secret, Out-of-Band, SF OTP Device, SF Crypto Software, SF Crypto Device

  • AAL3: MF Crypto Device; SF Crypto Device plus Memorized Secret; SF OTP Device plus MF Crypto Device or Software; SF OTP Device plus SF Crypto Software plus Memorized Secret

FIPS 140 validation

  • AAL1: Level 1 (Government agency verifiers)

  • AAL2: Level 1 (Government agency authenticators and verifiers)

  • AAL3: Level 2 overall (MF authenticators); Level 1 overall (verifiers and SF Crypto Devices); Level 3 physical security (all authenticators)

Reauthentication

  • AAL1: 30 days

  • AAL2: 12 hours or 30 minutes inactivity; MAY use one authentication factor

  • AAL3: 12 hours or 15 minutes inactivity; SHALL use both authentication factors

Security controls

  • AAL1: SP 800-53 Low Baseline (or equivalent)

  • AAL2: SP 800-53 Moderate Baseline (or equivalent)

  • AAL3: SP 800-53 High Baseline (or equivalent)

MitM resistance

  • AAL1: Required

  • AAL2: Required

  • AAL3: Required

Verifier-impersonation resistance

  • AAL1: Not required

  • AAL2: Not required

  • AAL3: Required

Verifier-compromise resistance

  • AAL1: Not required

  • AAL2: Not required

  • AAL3: Required

Replay resistance

  • AAL1: Not required

  • AAL2: Required

  • AAL3: Required

Authentication intent

  • AAL1: Not required

  • AAL2: Recommended

  • AAL3: Required

Records Retention Policy

  • AAL1: Required

  • AAL2: Required

  • AAL3: Required

Privacy Controls

  • AAL1: Required

  • AAL2: Required

  • AAL3: Required
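As an added example, not part of this page or of the authentication service's own code, the permitted-authenticator rows of Table 4-1 encoded as data, with a function that computes the highest AAL a set of presented authenticator types reaches and applies the page's recommendation of at least AAL2 for resources handling PII. The type names are the table's; the function names are assumptions.

```python
# Permitted authenticator combinations per AAL, transcribed from Table 4-1 on
# this page.  Each entry is one acceptable combination; an AAL is reached when
# the authenticators actually used cover at least one of its combinations.
AAL1_ANY_ONE = {
    "Memorized Secret", "Look-up Secret", "Out-of-Band", "SF OTP Device",
    "MF OTP Device", "SF Crypto Software", "SF Crypto Device",
    "MF Crypto Software", "MF Crypto Device",
}
AAL2_COMBOS = [
    {"MF OTP Device"}, {"MF Crypto Software"}, {"MF Crypto Device"},
] + [
    {"Memorized Secret", second} for second in (
        "Look-up Secret", "Out-of-Band", "SF OTP Device",
        "SF Crypto Software", "SF Crypto Device",
    )
]
AAL3_COMBOS = [
    {"MF Crypto Device"},
    {"SF Crypto Device", "Memorized Secret"},
    {"SF OTP Device", "MF Crypto Device"},
    {"SF OTP Device", "MF Crypto Software"},
    {"SF OTP Device", "SF Crypto Software", "Memorized Secret"},
]


def achieved_aal(used) -> int:
    """Highest AAL reached by the set of authenticator types `used`
    (0 when none of them is a permitted type).  Checked highest first, since
    every AAL3 combination also satisfies AAL2 and AAL1."""
    used = set(used)
    if any(combo <= used for combo in AAL3_COMBOS):
        return 3
    if any(combo <= used for combo in AAL2_COMBOS):
        return 2
    if used & AAL1_ANY_ONE:
        return 1
    return 0


def required_aal(handles_pii: bool) -> int:
    """Minimum AAL for a resource: AAL2 when PII is handled, as the page
    recommends, otherwise AAL1."""
    return 2 if handles_pii else 1


def allow(used, handles_pii: bool) -> bool:
    """True when the presented authenticators reach the required AAL."""
    return achieved_aal(used) >= required_aal(handles_pii)
```

Two single-factor possession authenticators (for example SF OTP Device plus SF Crypto Software) only reach AAL1, because the table requires two distinct factor types from AAL2 upward.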
