07/06/04 NIST Identity Technology



Poster
07-06-2004, 03:52 PM
The National Institute of Standards and Technology (NIST) has technologically defined the four levels of security proposed by the OMB for electronic user verification. The four escalating levels of sensitive information designate higher levels of security using “PINs”, tokens (passwords), remote authentication mechanisms, and assertion mechanisms. NIST Special Publication 800-63, “Electronic Authentication Guideline” defines the technology to be used at each level described by OMB.


“Level 1 requires no identity proofing and allows any type of token, including a simple PIN. Little effort to protect the session from offline attacks or eavesdroppers is required.

Level 2 requires some identity proofing. Passwords are accepted, but not PINs. Attacks and eavesdropping are prevented using cryptographic methods meeting Federal Information Processing Standard 140-2 requirements.

Level 3 requires stringent identity proofing and multi-factor authentication, typically a password or biometric factor used in combination with a software or hardware token, in addition to FIPS-validated cryptography.

Level 4 is the highest level of assurance, requiring multi-factor authentication with a hardware token. Cryptography in the hardware token must be validated at FIPS 140-2 level 2 overall, with level 3 validation for physical security. Critical data being transferred must be authenticated with a key generated by the authentication process.”

For more information see: http://gcn.com/vol1_no1/daily-updates/26502-1.html
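The Level 4 requirement quoted above, that critical data being transferred be authenticated with a key generated by the authentication process, is the one point in the post that a short piece of code makes concrete. The example below is added here and is not code from the post, from NIST or from SP 800-63: it assumes a hypothetical authentication run that leaves both sides with a shared secret (`auth_secret`) and two fresh nonces, derives a per-session key from them with HKDF (RFC 5869, built from the standard library's HMAC), and then MACs each critical record with that key. The derivation shape, the info string and all sample values are constructed for illustration; SP 800-63 does not prescribe this particular construction.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i = 1, 2, ...
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(auth_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # Constructed illustration: bind the data-authentication key to this one
    # authentication run by mixing the secret it produced with both nonces.
    prk = hkdf_extract(client_nonce + server_nonce, auth_secret)
    return hkdf_expand(prk, b"illustrative-level4-data-auth", 32)


def protect(key: bytes, data: bytes) -> bytes:
    # Tag a critical record with the session key (HMAC-SHA-256).
    return hmac.new(key, data, HASH).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # Constant-time comparison so tag checking does not leak timing information.
    return hmac.compare_digest(protect(key, data), tag)


def demo():
    # All values below are constructed for the example.
    auth_secret = hashlib.sha256(b"constructed: secret left by a successful hardware-token login").digest()
    client_nonce = b"\x01" * 16   # fixed so the example is deterministic
    server_nonce = b"\x02" * 16
    key = derive_session_key(auth_secret, client_nonce, server_nonce)

    record = b"constructed critical record: transfer 1000 to account 42"
    tag = protect(key, record)

    accepted = verify(key, record, tag)                              # genuine record
    tampered = verify(key, record.replace(b"42", b"43"), tag)        # modified in transit
    # A key from a different authentication run (fresh client nonce) cannot
    # validate a tag produced in this one, so the data is tied to the login.
    other_key = derive_session_key(auth_secret, os.urandom(16), server_nonce)
    replayed = verify(other_key, record, tag)
    return accepted, tampered, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The detail worth noticing is that the key never travels: both parties derive it independently from what the authentication exchange already gave them, so an eavesdropper who captures the records and tags still has nothing to forge with, and a tag from one session is worthless in another.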