
Operating at LoA1

Do you understand the requirements of operating at LoA1?

Identity Providers asserting LoA1 are required to follow the NIST SP 800-63-2 standard for LoA1. The AAF does not require the Subscriber to submit a Compliance Statement stating that the requirements of the NIST standard have been met for LoA1. 

Identity Proofing:
  • Document your processes for issuing credentials. Note this is a baseline requirement for complying with the AAF Federation Rules. There are no additional requirements for identity proofing at Level 1.

Tokens and token and credential management:
  • User passwords must be at least 6 characters (or alternatively a randomly generated PIN of 4 or more digits).
  • You have implemented a throttling mechanism that effectively limits the number of failed authentication attempts an attacker can make on the user’s account to 100 or fewer in any 30-day period. Note: This is a particularly difficult requirement to meet. Please contact support@aaf.edu.au if you wish to discuss options for meeting this requirement.
  • Password files are protected by access controls that limit access to administrators and only to those applications that require access.
  • Password files do not contain the plain text passwords. Typically they contain a one-way hash of the password.
As an Identity Provider, if you do not meet all of the Token and Credential Assurance requirements for LoA1, you should assert a value of 0 for that component.
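The failed-attempt throttle and hashed password store described above, as an added illustration that is not AAF or NIST code: a per-account sliding window refuses further attempts once 100 failures fall within any 30-day period, and passwords are verified against a salted PBKDF2 hash rather than stored in plain text. The account name, password and timestamps are constructed sample values.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 24 * 60 * 60  # the 30-day period named in the requirement
MAX_FAILURES = 100                   # failed attempts allowed per account per window
PBKDF2_ITERATIONS = 100_000          # assumed work factor for the one-way hash


class FailureThrottle:
    """Per-account sliding-window count of failed authentication attempts."""

    def __init__(self, max_failures=MAX_FAILURES, window_seconds=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and q[0] <= now - self.window:  # drop failures older than the window
            q.popleft()
        return q

    def failures_in_window(self, account, now):
        return len(self._prune(account, now))

    def is_locked(self, account, now):
        # Locked as soon as the window already holds the maximum number of failures;
        # a success does not reset the count, so an attacker gets at most 100 tries.
        return self.failures_in_window(account, now) >= self.max_failures

    def record_failure(self, account, now):
        self._prune(account, now).append(now)


def hash_password(password, salt=None):
    """Salted one-way hash, so the password file never holds the plain text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def authenticate(throttle, store, account, password, now):
    """True only if the account is not throttled and the password matches."""
    if throttle.is_locked(account, now):
        return False  # refused before the password is even checked
    record = store.get(account)
    if record is not None:
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt)[1], stored):
            return True
    throttle.record_failure(account, now)  # unknown account counts as a failure too
    return False
```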

Reference: NIST Electronic Authentication Guideline, NIST SP 800-63-2