Author of Record Digital Identity Management Sub-Workgroup October 24, 2012.

1 Author of Record Digital Identity Management Sub-Workgroup October 24, 2012

2 Meeting Etiquette
- Please announce your name each time prior to making comments or suggestions during the call
- Remember: if you are not speaking, keep your phone on mute
- Do not put your phone on hold; if you need to take a call, hang up and dial in again when finished with your other call
  – Hold = elevator music = very frustrated speakers and participants
- This meeting, like all of our meetings, is being recorded
  – Another reason to keep your phone on mute when not speaking!
- Feel free to use the "Chat" or "Q&A" feature for questions or comments
- NOTE: This meeting is being recorded and will be posted on the esMD Wiki page after the meeting
(Chat message shown on the slide: "From S&I Framework to Participants: Hi everyone: remember to keep your phone on mute")

3 Agenda
Topic                               Presenter
Authentication Credential Overview  Debbie Bucci
Overview of the DEA Interim Rule    Debbie Bucci

4 Authentication Credentials LOA3/LOA4 Oct 24, 2012

5 Authentication
- Authentication is the process of establishing confidence that an individual who uses a credential that is known to the system (e.g., login name, digital certificate) is indeed the person to whom the credential was issued
  – Three types of authenticators:
    Something you know (e.g., password)
    Something you have (e.g., smartcard, hard token, mobile phone)
    Something you are (e.g., fingerprint)
  – Multi-factor authentication requires more than one type
  – Authentication is performed when a user logs into a system and may be required again within a given session
  – Credential: binds the identity to the token

6 800-63-1 Matrix
Assurance level of a token used alone (diagonal) or of two tokens used together (SP 800-63-1 Table 6). Cells below the diagonal are marked X because the matrix is symmetric.

Abbreviations: MS = Memorized Secret Token, PK = Pre-registered Knowledge Token, LS = Look-up Secret Token, OB = Out of Band Token, S-OTP = SF OTP Device, S-CD = SF Cryptographic Device, M-SW = MF Software Cryptographic Token, M-OTP = MF OTP Device, M-CD = MF Cryptographic Device

        MS   PK   LS   OB   S-OTP  S-CD  M-SW  M-OTP  M-CD
MS      L2   L2   L3   L3   L3     L3    L3    L4     L4
PK      X    L2   L3   L3   L3     L3    L3    L4     L4
LS      X    X    L2   L2   L2     L2    L3    L4     L4
OB      X    X    X    L2   L2     L2    L3    L4     L4
S-OTP   X    X    X    X    L2     L2    L3    L4     L4
S-CD    X    X    X    X    X      L2    L3    L4     L4
M-SW    X    X    X    X    X      X     L3    L4     L4
M-OTP   X    X    X    X    X      X     X     L4     L4
M-CD    X    X    X    X    X      X     X     X      L4

Reading the matrix: two tokens of the same factor (two "something you know" or two single-factor "something you have" tokens) stay at Level 2; a "know" token combined with a "have" token reaches Level 3; an MF Software Cryptographic Token combined with anything is Level 3; any pair that includes a Level 4 token (MF OTP Device, MF Cryptographic Device) is Level 4.

7 Memorized Secret Tokens
- Shared secret between user and credential provider
- Something you know
- Examples
  – Active Directory passwords
  – WiFi passphrases
  – PIN

8 Pre-Registered Knowledge Tokens
- Challenge/response: pre-registered responses or images
- Set of shared secrets
- Something you know
- Examples
  – "I forgot my password" setup questions
  – Transaction information: "what was the amount of your last payment to your phone company"

9 Look-up Secret Tokens
- Electronic or physical set of shared secrets, often printed on paper or plastic
  – The user is asked to provide a subset of the characters printed on the card
- Something you have
- Examples
  – Entrust Grid Cards
  – DualShield GridID
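The look-up secret token described above, as an added example that is not part of the slide deck or of any vendor's product: the server issues a grid card, picks a random subset of cells for each login, and checks the user's response in constant time. The 5x5 layout, the 3-cell challenge size and the alphanumeric alphabet are assumptions made for the illustration.

```python
"""Look-up secret token (grid card): issuance and challenge/response check.
Added example, not from the slide deck or any vendor's product. The 5x5
layout, 3-cell challenges and the alphanumeric alphabet are assumptions.
"""
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols per cell
ROWS = "ABCDE"
COLS = "12345"


def issue_card(rng=secrets):
    """Generate a fresh grid {"A1": "7", "A2": "K", ...}. One copy is printed
    for the user; the server keeps the other, protected like any shared secret."""
    return {row + col: rng.choice(ALPHABET) for row in ROWS for col in COLS}


def new_challenge(card, k=3, rng=secrets):
    """Pick k distinct cells per login attempt. A fresh random challenge each
    time keeps an observed response from being replayed against the next one."""
    cells = list(card)
    chosen = []
    while len(chosen) < k:
        cell = rng.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def expected_response(card, challenge):
    """What the cardholder should type back, in challenge order."""
    return "".join(card[cell] for cell in challenge)


def verify_response(card, challenge, response):
    """Constant-time compare of the typed response (case-insensitive, whitespace
    ignored). With only 36**3 possible 3-cell answers the caller must also
    rate-limit or lock out after a few failures."""
    expected = expected_response(card, challenge).encode()
    return hmac.compare_digest(expected, response.strip().upper().encode())


if __name__ == "__main__":
    card = issue_card()
    challenge = new_challenge(card)
    print("challenge:", challenge)
    print("accepted:", verify_response(card, challenge, expected_response(card, challenge)))
```

The challenge must be regenerated for every attempt; reusing a challenge after a failed login lets an attacker brute-force one 3-cell answer instead of the whole card.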

10 Out of Band Tokens
- Physical token that can receive a secret for one-time use
- Something you have
- Examples
  – SMS message to a registered cell phone

11 Single Factor One-Time Password (OTP) Device
- Hardware device
- Something you have
- Examples
  – RSA key fob token
  – Credit card password generator

12 Single Factor Cryptographic Device
- Hardware device that performs a cryptographic operation on input provided to the device
- Does not require a second factor
- Generally a signed message
- Something you have
- Examples
  – PKI certificate

13 Multi-Factor Software Cryptographic Token
- Key is stored on a disk or other soft media and requires activation
- Requires a second factor (e.g., a PIN) to activate the key
- Generally a signed message
- Something you have and something you know
- Examples
  – PKI certificate + PIN

14 Multi-Factor OTP
- OTP hardware device that requires activation via PIN or biometric
- Something you have and something you know or something you are
- Examples
  – Verizon or Symantec OTP offering
  – DAON IdentityX

15 Multi-Factor Cryptographic Device
- Hardware device that contains a protected key that requires activation through a second factor
- Possession of the device and control of the key
- Something you have and something you know or something you are
- Examples
  – PIV
  – PIV-I
  – ATM cards

16 DEA Interim Rule
Requires the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
1. Something only the practitioner knows, such as a password or response to a challenge question.
2. Something the practitioner is, biometric data such as a fingerprint or iris scan.
3. Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.

17 DEA Interim Rule
- Biometrics
  – Consulted extensively with NIST for the recommendation
  – DEA did not specify a type, to allow for the greatest flexibility and adaptation to new technologies in the future
- Hard token must meet FIPS 140-2 (Security Level 1 or higher)
  – New hard token, or provide the credential for an existing token
  – Must be separate from the machine used to access the application
  – Delivered through two channels (mail, telephone, email)
- DEA would consider an alternative that does not diminish the safety and security of the system
- Not to be confused with the certificates needed to dispense controlled substances, although that DEA number/certificate information needs to be associated with the signing

