ForgeRock and NIST
Special Publication 800-63-3
A paper by Rob Miller and Kelvin Brewer, with content from Steven Jarosz and Volker Scheuber, as well as key contributions from the ForgeRock Public Sector staff
Table of Contents
Introduction 2
NIST’s Digital Identity Guidelines (SP 800-63-3) 2
Introduction to the Forgerock Platform 3
ForgeRock and NIST SP 800-63A 5
Enrollment and Identity Proofing 5
ForgeRock and NIST SP 800-63B 6
Authentication and Lifecycle Management 6
Authenticator Requirements Supported by ForgeRock 6
Authenticator Assurance Level 1 – AAL1 7
Examples of Achieving AAL1 Using ForgeRock Intelligent Access 8
Authenticator Assurance Level 2 – AAL2 9
Examples of Achieving AAL2 Using ForgeRock Intelligent Access 9
Authenticator Assurance Level 3 – AAL3 11
Examples of Achieving AAL3 Using ForgeRock Intelligent Access 11
ForgeRock and NIST SP 800-63C 13
Federation and Assertions 13
Closing Thoughts 14
Introduction

Positively identifying a digital entity is not easy. NIST’s SP 800-63-3 actually says, “Digital Identity is hard.” ForgeRock’s Identity Platform, the most complete and flexible identity management solution in the industry, provides government agencies with an easy-to-use, simple-to-understand interface while handling the “hard” work of digital identity management behind the scenes.

Before NIST released the SP 800-63-3 guideline, the functionality to achieve full compliance was already built into the ForgeRock Identity Platform.

The purpose of this paper is to discuss how the ForgeRock platform approaches NIST SP 800-63-3 compliance, mapping the user authentication options to the applicable assurance levels.

Simple examples outline ways an administrator might configure the ForgeRock Identity Platform to achieve 800-63A, 800-63B, and 800-63C compliance.

NIST’s Digital Identity Guidelines (SP 800-63-3)

NIST’s latest iteration of the SP 800-63 series, SP 800-63-3, “Digital Identity Guidelines,” makes it clear that it is no longer sufficient for an identity management implementation to meet a single level of assurance (LOA). Instead, the new guidelines require agencies to consider business and privacy risks combined with mission needs to select first, an Identity Assurance Level (IAL), second, an Authenticator Assurance Level (AAL), and third, for federated systems, a Federation Assurance Level (FAL).

Each of these new assurance levels has its own 800-63 special publication subset. Note that some of the information about assurance levels is taken unquoted out of the related NIST documentation for clarity and consistency.

NIST SP 800-63A, subtitled Enrollment and Identity Proofing, details the three different levels of mitigation — IAL1, IAL2, and IAL3 — based on risk profile and the potential harm caused by an attacker with a successfully authenticated false identity. With IAL1, all attributes are self-asserted, and no attempt is made to verify the real-world persona of the identity claim. To achieve IAL2, the identity must exist in the real world and evidence must be provided to support the identity claim. IAL3 requires physical presence for identity proofing.

NIST SP 800-63B, subtitled Authentication and Lifecycle Management, details how to securely authenticate an individual to a credential service provider (CSP) to access digital services. Based on risk and proof of possession of authenticators bound to the claimant’s account, there are three levels of AAL. AAL1 provides some assurance that the claimant possesses and controls a single-factor or multi-factor authenticator through a secure authentication protocol. AAL2 provides higher confidence by using two distinct authentication factors over approved cryptographic techniques. AAL3 provides very high confidence by requiring the use of a hardware-based authenticator, verifier impersonation resistance, and two distinct authentication factors through approved cryptographic techniques.

NIST SP 800-63C, subtitled Federation and Assertions, addresses how an identity managed by one agency can be trusted, and used, at another agency without duplicating the identity. It also describes privacy-enhancing techniques, and methods that allow for strong multi-factor authentication (MFA), while the subject remains pseudonymous to the digital service. There are three levels of FAL. FAL1 allows the subscriber to enable the resource provider to receive a bearer assertion properly signed by the identity provider. FAL2 adds the requirement that the assertion be encrypted using approved cryptography such that the resource provider is the only party that can decrypt it. FAL3 requires the subscriber to present proof of possession of a cryptographic key referenced in the assertion in addition to the assertion artifact itself. The assertion is signed by the identity provider and encrypted to the resource provider using approved cryptography.

The standards themselves can be downloaded from the NIST website at the following links:
• NIST 800-63-3: Digital Identity Guidelines
• 800-63A: Enrollment and Identity Proofing
• 800-63B: Authentication and Lifecycle Management
• 800-63C: Federation and Assertions
ForgeRock and NIST 2
Introduction to the ForgeRock Platform

As the industry leader, ForgeRock continues to define the market with easy-to-use, state-of-the-art, artificial intelligence driven identity, credential, and access management. The ForgeRock Identity Platform provides the industry’s most comprehensive and innovative set of tools and wraps them in a unique, user-friendly, administrator-driven graphical interface. Due to its open source beginnings, ForgeRock benefits from the involvement of an active and resilient community. ForgeRock is known as a robust and elastic ICAM solution, enabling millions of identities to securely access content throughout the U.S. federal government, state and local governments, and the education sector.

ForgeRock continues to innovate the standards and technologies used to facilitate access, with ForgeRock employees contributing to and leading standards boards. With the NIST SP 800-63-3 guidelines as a direct influence on ForgeRock development, ForgeRock provides public sector agencies the flexibility to quickly achieve and maintain compliance.

ForgeRock also attracts and partners with industry-leading technology companies. The result of these partnerships is a strong trust network whose integrations enrich identity and access processes, enabling multiple approaches to achieve compliance with the NIST SP 800-63-3 guidelines. More information about our trust network can be found at the ForgeRock Marketplace.

The ForgeRock Identity Platform is broad and robust. Some key features of the platform used to achieve compliance with NIST SP 800-63-3 are:
• Registration and end-user self-service: User registration, forgotten username, password reset, and progressive profiling can be added to an authentication flow. Infusing these flows directly into the authentication tree means fewer clicks and less confusion for end users, landing them as authenticated users into the resource they were attempting to access. It also allows personalization of the self-service flows based on context.
• Progressive profiling: Intelligent Access trees allow progressive profile flows to be embedded directly into an authentication journey, creating a way for administrators to collect additional, consented user information within the context of the overall user journey.
• Nodes and trees: A key design principle of Intelligent Access is that trees are simple to design, build, and deploy. Using a simple drag-and-drop user interface (UI), administrators can create complex, yet user-friendly authentication journeys by linking nodes, creating loops, and nesting nodes within other nodes. The tree framework models the authentication journey using decision nodes to detect digital signals, make decisions, direct the authentication journey, and gather information. This information is used to determine risk and can inform downstream apps of the accumulated knowledge gained during the authentication journey, including, for example, the derived risk score.
• Federation: The ForgeRock Identity Platform supports all major federation and authorization standards, including SAML 2.0, WS-Federation, OAuth 2.0, OpenID Connect and User-Managed Access (UMA), and can be the identity provider, the service provider, and/or the relying party.
The ForgeRock platform offers many more features than those described above. For a comprehensive list, visit the ForgeRock
Identity Platform overview and product documentation.
For a complete list of classes and certifications, visit ForgeRock University, part of ForgeRock Backstage.
ForgeRock and NIST SP 800-63A

Enrollment and Identity Proofing

The guideline addresses how applicants prove their identities and enroll as valid subscribers within an identity system. Identity proofing and enrollment is possible at one of three different risk levels for scenarios where the applicant is remote or physically present.

IAL1: No requirement to link the applicant to a specific real-life identity.

IAL2: Proof that the applicant is properly associated to the real-world existence of the claimed identity through the use of remote or physically-present identity proofing.

IAL3: Physical presence is required for identity proofing. Identifying attributes must be verified by an authorized and trained representative of the CSP.

Source: https://pages.nist.gov/800-63-3/sp800-63-3.html#63Sec4-Figure1

ForgeRock Identity Management provides registration and progressive profiling services and works with major identity proofing services in order to acquire and record assurance levels for each of the attributes under ForgeRock’s management. Each of the attributes stored can have associated meta-data indicating the asserted identity assurance level (IAL) from the authoritative source. In addition, ForgeRock Directory Services can encrypt all personally identifiable information (PII) data, at rest and in motion, based upon FIPS 140-2 algorithms. For additional information, see the ForgeRock Identity Management overview or documentation, and the ForgeRock Directory Services overview or documentation.

Where appropriate, such as with some implementations of IAL1 and IAL2, ForgeRock’s self-registration can be used to ease administrator load and end-user friction. Self-registration allows the applicant to register with an agency with minimal or no administrator interaction. Further exploration of this service can be found in the ForgeRock Identity Management self-registration and self-service documentation.
ForgeRock and NIST SP 800-63B

Authentication and Lifecycle Management

Where SP 800-63A covers an applicant’s initial visit, the SP 800-63B guideline covers the successive authentications of that same subscriber when returning to use an agency’s applications and services. To achieve guideline compliance, the authenticator mechanism must assure that the person accessing an agency’s resources today is the same person, with the same identity, who accessed the resources yesterday. Each assurance level coincides with a level of risk comparable to the information provided by the agency resource.

The ForgeRock Identity Platform provides all required components to achieve NIST SP 800-63B compliance at all levels. Through its flexible architecture, ForgeRock allows agencies to select the authenticator type(s) necessary to meet the complex needs of their user base and achieve the required authenticator assurance level defined by their program or mission.

ForgeRock provides context-aware authentication and authorization services that match NIST’s notion of “componentization,” where strong authentication is a component of a comprehensive access management system.

The ForgeRock Identity Platform supports the notion of AAL with ForgeRock Access Management and Identity Gateway working together as a complete solution. This satisfies the requirement to provide risk-based and context-aware capabilities to adapt to evolving security requirements against a dynamic, contextual session. (For more information, see the ForgeRock Access Management overview, the ForgeRock Access Management documentation, the ForgeRock Identity Gateway overview, and the ForgeRock Identity Gateway documentation.)

AAL1 through AAL3 require single-factor and multi-factor combinations that allow subscribers to choose authentication factors, and, depending on the choice, may require the subscriber to add one additional factor to achieve the highest assurance level, AAL3. ForgeRock’s authentication trees offer an excellent solution to enable this complexity. See below for examples using ForgeRock Access Management trees and nodes.

ForgeRock also helps agencies achieve AAL3 (the highest level) using FIDO2 capable devices or browsers. This can be achieved using ForgeRock’s implementation of WebAuthn (FIDO2) plus one-time passwords (OTP), with or without the need for third-party hardware. Third-party authenticators, such as YubiKeys, may be required by an implementation today. As maturing hardware and features, including fingerprint readers, become commonplace, the need for third-party hardware will diminish. Agencies that already possess or wish to pilot these more mature platforms can use ForgeRock as it exists today to achieve this advanced use case.

Authenticator Requirements Supported by ForgeRock

All authenticator requirements covered in SP 800-63B section 5.1 are supported by the ForgeRock Identity Platform and the ForgeRock Marketplace. The next three sections discuss each authenticator type relative to the authenticator assurance levels AAL1, AAL2, and AAL3.

AAL1 Permitted Authenticator Types
• Memorized Secrets
• Look-Up Secrets
• Out-of-Band Devices
• Single-Factor OTP Device
• Multi-Factor OTP Devices
• Single-Factor Cryptographic Software
• Single-Factor Cryptographic Devices
• Multi-Factor Cryptographic Software
• Multi-Factor Cryptographic Devices
AAL2 Permitted Authenticator Types
• Multi-Factor OTP Devices
• Multi-Factor Cryptographic Software
• Multi-Factor Cryptographic Devices
• Memorized Secrets + one of: Look-up Secret, Out-of-Band, SF OTP Device, SF Crypto Software, SF Crypto Device

AAL3 Permitted Authenticator Types
• Multi-Factor Cryptographic Devices
• Single-Factor Cryptographic Devices + Memorized Secrets
• Single-Factor OTP Device + Multi-Factor Cryptographic Devices / Multi-Factor Cryptographic Software
• Single-Factor OTP Device + Single-Factor Cryptographic Software + Memorized Secrets
Authenticator Assurance Level 1 – AAL1
AAL1 protects low-risk content and requires the subscriber to control either a single-factor or a multi-factor authenticator bound
to his or her account. It also mandates the use of secure communication protocols. ForgeRock provides the flexibility to use any
of the authenticator types required by AAL1.
AAL1 Compliance is achieved using any of the following authenticator types:
• Memorized Secrets: Password, PIN, KBA
• Look-Up Secrets: Printed or electronic list of OTPs or PINs or codes
• Out-of-Band Devices: Push authentication through mobile app
• Single-Factor OTP Devices: H/TOTP generators, YubiKeys or Google Authenticator
• Multi-Factor OTP Devices: PIN or biometrically protected H/TOTP generators, YubiKeys
• Single-Factor Cryptographic Software: Software-based FIDO, U2F
• Single-Factor Cryptographic Devices: YubiKey with FIDO, U2F
• Multi-Factor Cryptographic Software: WebAuthN
• Multi-Factor Cryptographic Devices: PIV or CAC
Examples of Achieving AAL1 Using ForgeRock Intelligent Access

[Figure: authentication tree for AAL1 Permitted Authenticator Type Memorized Secrets – Username/Password]

[Figure: authentication tree for AAL1 Permitted Authenticator Type Out-of-Band – Push Authentication]
Note: Each use case illustrated above demonstrates how to easily achieve the desired assurance level. Administrators can
create more complex designs by dragging and dropping additional nodes into the tree and moving flowlines between nodes.
Administrators might choose a more complex tree to reduce end-user friction or add additional journey characteristics or
collection points. To learn more, see Authentication Nodes and Trees in the ForgeRock product documentation.
Authenticator Assurance Level 2 – AAL2
AAL2 requires a high confidence that the subscriber controls the authenticators bound to his or her account. AAL2 requires
proof of possession and control of two authentication factors, and communication must use approved cryptographic protocols.
AAL2 Compliance is achieved using any of the following authenticator types:
• Multi-Factor OTP Devices: PIN or biometrically protected H/TOTP generators, YubiKeys
• Multi-Factor Cryptographic Software: WebAuthN
• Multi-Factor Cryptographic Devices: PIV or CAC

OR

AAL2 Permitted Authenticator Combinations - 1st factor + any of the 2nd factors
• 1st Factor: Memorized Secrets (Password, PIN, KBA)
• 2nd Factor, any of: Look-up Secret, Out-of-Band, SF OTP Device, SF Crypto Software, SF Crypto Device
Examples of Achieving AAL2 Using ForgeRock Intelligent Access

[Figure: authentication tree for AAL2 Sufficient Single Authenticator Type Multi-Factor Cryptographic Software – WebAuthN]

[Figure: authentication tree for AAL2 Sufficient Authenticator Combination – Username/Password plus Push Authentication (1st Factor: Memorized Secret; 2nd Factor: Out-of-Band)]
Note: Each use case illustrated above demonstrates how to easily achieve the desired assurance level. Administrators can
create more complex designs by dragging and dropping additional nodes into the tree and moving flowlines between nodes.
Administrators might choose a more complex tree to reduce end-user friction or add additional journey characteristics or
collection points. To learn more, see Authentication Nodes and Trees in the ForgeRock product documentation.
Authenticator Assurance Level 3 – AAL3
AAL3 requires a very high confidence that the subscriber controls the authenticators bound to his or her account. This includes
proof of possession and control of a hardware-based authenticator as well as an impersonation-resistant authenticator. AAL3
requires two authentication factors and communication must be performed over approved cryptographic protocols.
AAL3 with Single Authenticator
• Multi-Factor Cryptographic Devices: PIV or CAC

OR

AAL3 with Two Authenticator Types
• Single-Factor Cryptographic Devices (YubiKey with FIDO, U2F) + Memorized Secrets (Password, PIN, KBA)

OR

AAL3 with Two Authenticator Types
• Single-Factor OTP Devices (H/TOTP generators, YubiKeys or Google Authenticator) + Multi-Factor Cryptographic Devices (PIV or CAC) OR Multi-Factor Cryptographic Software (WebAuthN)

OR

AAL3 with Three Authenticator Types
• Single-Factor OTP Devices (H/TOTP generators, YubiKeys or Google Authenticator) + Single-Factor Cryptographic Software (Software-based FIDO, U2F) + Memorized Secrets (Password, PIN, KBA)
Examples of Achieving AAL3 Using ForgeRock Intelligent Access

[Figure: authentication tree for AAL3 Sufficient Authenticator Combination – Username/Password plus YubiKey (1st Factor: Memorized Secret; 2nd Factor: SF Crypto Device)]

[Figure: authentication tree for AAL3 Sufficient Authenticator Combination – OATH (YubiKey) plus WebAuthN (1st Factor: SF OTP Device; 2nd Factor: MF Crypto SW)]
Note: Each use case illustrated above demonstrates how to easily achieve the desired assurance level. Administrators can
create more complex designs by dragging and dropping additional nodes into the tree and moving flowlines between nodes.
Administrators might choose a more complex tree to reduce end-user friction or add additional journey characteristics or
collection points. To learn more, see Authentication Nodes and Trees in the ForgeRock product documentation.
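To check which AAL a planned journey reaches under the permitted types and combinations tabulated in the three AAL sections above, here is an added Python example (not ForgeRock’s or NIST’s code). The type labels and the product-to-type mapping are this example’s own, taken from the page’s tables, and the checker also scores combinations the page does not draw, such as two possession-only authenticators.

```python
"""Compute the highest AAL a journey's authenticators reach.

Added example, not ForgeRock or NIST code. It encodes the permitted
authenticator types and combinations for AAL1-AAL3 as the tables on
this page list them; the labels below are this example's own.
"""

# SP 800-63B section 5.1 authenticator types (labels are this example's).
MEMORIZED = "memorized_secret"
LOOKUP = "lookup_secret"
OOB = "out_of_band"
SF_OTP = "sf_otp_device"
MF_OTP = "mf_otp_device"
SF_CRYPTO_SW = "sf_crypto_software"
SF_CRYPTO_DEV = "sf_crypto_device"
MF_CRYPTO_SW = "mf_crypto_software"
MF_CRYPTO_DEV = "mf_crypto_device"

ALL_TYPES = frozenset({MEMORIZED, LOOKUP, OOB, SF_OTP, MF_OTP,
                       SF_CRYPTO_SW, SF_CRYPTO_DEV, MF_CRYPTO_SW, MF_CRYPTO_DEV})

# AAL2: one multi-factor authenticator alone, or a memorized secret plus
# one possession-based single-factor authenticator.
AAL2_SINGLE = frozenset({MF_OTP, MF_CRYPTO_SW, MF_CRYPTO_DEV})
AAL2_SECOND = frozenset({LOOKUP, OOB, SF_OTP, SF_CRYPTO_SW, SF_CRYPTO_DEV})

# AAL3: a multi-factor cryptographic device alone, or one of the listed
# combinations (hardware-based cryptographic authenticator plus a second
# factor) from the AAL3 table above.
AAL3_SINGLE = frozenset({MF_CRYPTO_DEV})
AAL3_COMBOS = (
    frozenset({SF_CRYPTO_DEV, MEMORIZED}),
    frozenset({SF_OTP, MF_CRYPTO_DEV}),
    frozenset({SF_OTP, MF_CRYPTO_SW}),
    frozenset({SF_OTP, SF_CRYPTO_SW, MEMORIZED}),
)

# How this page's tables classify the concrete authenticators they name.
# Whether a given WebAuthn authenticator is really multi-factor depends on
# the device and on user verification being enforced; the tables place
# WebAuthN under multi-factor cryptographic software, so that is kept here.
PAGE_EXAMPLES = {
    "username/password": MEMORIZED,
    "push authentication": OOB,
    "google authenticator": SF_OTP,
    "yubikey oath": SF_OTP,
    "yubikey fido/u2f": SF_CRYPTO_DEV,
    "software fido/u2f": SF_CRYPTO_SW,
    "webauthn": MF_CRYPTO_SW,
    "piv/cac": MF_CRYPTO_DEV,
}


def highest_aal(authenticator_types):
    """Return 3, 2 or 1 for the highest AAL the given types reach, 0 if none."""
    used = frozenset(authenticator_types)
    unknown = used - ALL_TYPES
    if unknown:
        raise ValueError(f"unknown authenticator type(s): {sorted(unknown)}")
    if not used:
        return 0
    if used & AAL3_SINGLE or any(combo <= used for combo in AAL3_COMBOS):
        return 3
    if used & AAL2_SINGLE or (MEMORIZED in used and used & AAL2_SECOND):
        return 2
    return 1


def journey_aal(product_names):
    """Score a journey described with this page's example authenticator names."""
    return highest_aal(PAGE_EXAMPLES[name.lower()] for name in product_names)
```

Note that two possession-only authenticators (for example an OTP app plus software FIDO) stay at AAL1: AAL2 needs a memorized secret or a multi-factor authenticator, and AAL3 additionally needs a hardware-based cryptographic authenticator in the combination.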
ForgeRock and NIST SP 800-63C

Federation and Assertions

NIST SP 800-63C provides requirements when using federated identity architectures and assertions to convey the results of authentication processes and relevant identity information to an agency application. In addition, this volume offers privacy-enhancing techniques to share information about a valid, authenticated subject and describes methods that allow for strong MFA while the subject remains pseudonymous to the digital service. SP 800-63C contains both normative and informative material.

The three FALs reflect the options agencies can select based on their risk profile and the potential harm caused by an attacker taking control of federated transactions.

FAL1: Allows for the subscriber to enable the resource provider to receive a bearer assertion cryptographically signed by the identity provider.

FAL2: Adds the requirement that the assertion be encrypted using approved cryptography such that the resource provider is the only party that can decrypt it.

FAL3: Requires the subscriber to present proof of possession of the assertion artifact and the cryptographic key referenced in the assertion. The assertion must also follow FAL1 and FAL2.

Federation is built into the ForgeRock Identity Platform. ForgeRock’s federation services are based on open standards, such as SAML, OpenID Connect, OAuth 2.0, and UMA. These services provide value for both provider and consumer entities, to include: identity provider (IdP), service provider (SP), authorization server (AS), relying party (RP), and other types. FAL compliance is outlined in the table below.

How ForgeRock Meets the Requirements

FAL1 – Bearer assertion, signed by IdP
• SAML 2.0 (WSFed): IdP Web Browser SSO Profile, ST
• OAuth 2.0: AS, STS
• OIDC 1.0: AS, STS

FAL2 – Bearer assertion, signed by IdP and encrypted to RP
• SAML 2.0 (WSFed): IdP Web Browser SSO Profile, ST
• OAuth 2.0: AS, STS
• OIDC 1.0: AS, STS

FAL3 – Holder-of-key assertion, signed by IdP and encrypted to RP
• SAML 2.0 (WSFed): STS
• OAuth 2.0: AS - RFC 7800
• OIDC 1.0: AS - RFC 7800, STS
Closing Thoughts
A solid and innovative security mindset is difficult to achieve, but ForgeRock and NIST share such a mindset. This mindset drives
ForgeRock. It’s why the ForgeRock Identity Platform is the most innovative and comprehensive ICAM and identity governance
platform on the market. ForgeRock leads the ICAM market because we listen to our customers. We listen to the demands of the
industry. We contribute to and lead top standards boards. We develop enduring trust relationships with other strong security
companies. And we implement the best, most flexible product available. ForgeRock meets and exceeds the stringent,
evolving needs government agencies require to accomplish their missions and achieve their objectives. Government agencies
that use the ForgeRock Identity Platform find SP 800-63-3 compliance simple to achieve, easy to maintain, and fully future proof.
About ForgeRock
ForgeRock, the leader in digital identity, delivers modern and comprehensive Identity and Access Management solutions for consumers,
employees and things to simply and safely access the connected world. Using ForgeRock, more than a thousand global customer organizations
orchestrate, manage, and secure the complete lifecycle of identities from dynamic access controls, governance, APIs, and storing authoritative
data – consumable in any cloud or hybrid environment. The company is privately held, and headquartered in San Francisco, California, with offices
around the world. For more information and free downloads, visit www.forgerock.com or follow ForgeRock on social media.
Copyright © 2021 ForgeRock, All Rights Reserved.