Anil John
Making Digital Services Secure and Trustworthy

Anil John

Protecting Personal Data with Multi-Factor Authentication and Identity Proofing

 Tweet  Share  Comment  Print  Email

The need for multiple factors of authentication in the current environment is something that many can agree on. But does that impact how we do web site authentication risk assessment? What other aspects of token and credential choice are impacted?

I am both fascinated and occasionally bemused by how folks sometimes make relatively simple things complex. So wanted to share how I am looking at this shift.

BTW, even the U.S. Government has gotten into the act with the recent Executive Order:

... ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process ...

EO on Improving the Security of Consumer Financial Transactions

[ While I am a civil servant in my job persona, I don’t live in the realm where the policy gods do battle. As such I do not have any special insight, input or visibility into executive orders or associated policies and implementation plans. These are, as always, my personal opinions and do not represent my employer’s view in any way. If you think it does, that would be … silly! ]

Determining risk posed by authentication errors

The typical evaluation sequence, based on OMB M-04-04 E-Authentication Guidance for Federal Agencies (PDF), involves conducting a risk assessment, mapping risks to an applicable assurance level impact profile, selecting appropriate credentials based on technical guidance and validating the system has met the required assurance level; rinse and repeat.

I’ve written extensively about this before, so won’t repeat it here, other than noting that the risk assessment process does not need to change, and that:

  1. Sensitive information (a.k.a. personal data) comes into the picture at impact level 2
  2. Requirement to identity proof comes into the picture at impact level 2

Credentials that can support the needed assurance level

Given the above, the changes that need to happen can be encapsulated in one simple statement:

Single factor credentials are no longer sufficient to mitigate the risks associated with a level 2 assurance level impact profile.

As always, details matter. So paying attention to the implementation details of multi-factor authentication will become particularly important.


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog ( The opinions expressed here are my own and do not represent my employer’s view in any way.

By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a Public Interest Technologist. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone