Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification



Ramaswamy Chandramouli


Smart cards (smart identity tokens) are now being extensively deployed for identity verification for controlling access to Information Technology (IT) resources as well as physical resources. Depending upon the sensitivity of the resources and the risk of wrong identification, different authentication use cases are being deployed. Assignment of authentication strength for each of the use cases is often based on: (a) the total number of three common orthogonal authentication factors--What You Know, What You Have and What You are, and (b) the entropy associated with each factor chosen. The objective of this paper is to analyze the limitation of this approach and present a methodology for assigning authentication strengths based on the strength of pair wise bindings between the five entities involved in smart card based authentications--the card (token), the token secret, the card holder, the card issuer, and the person identifier stored in the card. The rationale for the methodology is based on the following three observations: (a) The form factor of the smart identity token introduces some threats of misuse; (b) the common set of credentials objects provisioned to a smart card embody bindings to address those threats and (c) the strength of an authentication use case should therefore be based on the number and type of binding verifications that are performed in the constituent authentication mechanisms.The use of the methodology for developing an authentication assurance level taxonomy for two real world smart identity token deployments is also illustrated.
NIST Interagency/Internal Report (NISTIR) - 7849
Report Number


card issuer, cardholder trait (biometric), person identifier, smart identity token, token secret


Chandramouli, R. (2014), A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 24, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created March 5, 2014, Updated November 10, 2018