A new look at levels of assurance

Spring is a great time for change, and here at the NSTIC NPO, we like to think we’re always ready for change. When we catch wind of a change in the world of online identity, we like to prepare early. We also like to think we listen to our stakeholders. The message has come through clear and simple: four levels of assurance simply aren’t enough. We’ve heard you, and we’re ready for change. It’s a good thing, too, because we’ve recently heard a rumor of a possible new memorandum coming out of OMB and, because we prepared early, we know exactly what we have to do. If the early indications are accurate, OMB’s M-15-15 will redefine the way we do online authentication. Just as its predecessor OMB M-04-04 defined the four levels of assurance, M-15-15 is responsive to the needs of government for e-authentication and creates a workable framework understandable to all. Today we’re responding to the call for M-15-15 and its 15 levels of assurance. Without further ado, we think our multi-stakeholder approach to establishing these levels has really hit the mark: Level 1: The stranger Level 2: Meh Level 3: Not if you were the last credential on earth Level 4: Dude. Dude. DUDE. Level 5: I’m never gonna let you in Level 6: Reasonable confidence subject is not wearing a cape Level 7: A bear? Oh don’t apologize, I get it all the time Level 8: 4realz? Level 9: I hope you are I hope you are I hope you are Level 10: I think therefore you are Level 11: I am what I am and that’s all that I am Level 12: I think you are I think you are I think you are Level 13: Level 14: Abso-freakin-lutely Level 15: Totes McGoats Industry response to this effort has been fantastic and we thank our partners for their efforts. World-renowned identity guru Ian Glazer says, “Sure, sometimes you need to know whether someone is a fictional character or an actual carbon-based entity, but it’s just not important whether it’s Darth Vader or Little Bo Peep. That’s why we needed level 6, and that’s exactly what we got. Way to go, NIST.” Kim Sutherland, plenary chair of the IDESG, was more concerned about higher levels of assurance. “The old approach just didn’t have the quantitative depth that we needed for our work. With the new level 13, we can finally conduct the matrix multiplication necessary to properly authenticate in today’s complex risk environment. I can’t thank NIST enough.” Just doin’ our jobs, ma’am. Follow the NSTIC NPO on Twitter for the latest updates.