Muokkaa

Jaa


NIST authenticator assurance level 2 with Microsoft Entra ID

The National Institute of Standards and Technology (NIST) develops technical requirements for US federal agencies implementing identity solutions. Organizations working with federal agencies must meet these requirements.

Before starting authenticator assurance level 2 (AAL2), you can see the following resources:

Permitted AAL2 authenticator types

The following table has authenticator types permitted for AAL2:

Microsoft Entra authentication method Phishing Resistant NIST authenticator type
Recommended methods
Multi-factor software certificate
Windows Hello for Business with software Trusted Platform Module (TPM)
Yes Multi-factor crypto software
Multi-factor hardware protected certificate
FIDO 2 security key
Platform SSO for macOS (Secure Enclave)
Windows Hello for Business with hardware TPM
Passkey in Microsoft Authenticator
Yes Multi-factor crypto hardware
Additional methods
Microsoft Authenticator app (Phone Sign-in) No Multi-factor out-of-band
Password
AND
- Microsoft Authenticator app (Push Notification)
- OR
- Microsoft Authenticator Lite (Push Notification)
- OR
- Phone (SMS)
No Memorized secret
AND
Single-factor out-of-band
Password
AND
- OATH hardware tokens (preview)
- OR
- Microsoft Authenticator app (OTP)
- OR
- Microsoft Authenticator Lite (OTP)
- OR
- OATH software tokens
No Memorized secret
AND
Single-factor OTP
Password
AND
- Single-factor software certificate
- OR
- Microsoft Entra joined with software TPM
- OR
- Microsoft Entra hybrid joined with software TPM
- OR
- Compliant mobile device
Yes1 Memorized secret
AND
Single-factor crypto software
Password
AND
- Microsoft Entra joined with hardware TPM
- OR
- Microsoft Entra hybrid joined with hardware TPM
Yes1 Memorized secret
AND
Single-factor crypto hardware

1 Protection from external phishing

AAL2 recommendations

For AAL2, use multi-factor cryptographic authenticator. This is phishing resistant, eliminates the greatest attack surface (the password), and offers users a streamlined method to authenticate.

For guidance on selecting a passwordless authentication method, see Plan a passwordless authentication deployment in Microsoft Entra ID. See also, Windows Hello for Business deployment guide

FIPS 140 validation

Use the following sections to learn about FIPS 140 validation.

Verifier requirements

Microsoft Entra ID uses the Windows FIPS 140 Level 1 overall validated cryptographic module for authentication cryptographic operations. It's therefore a FIPS 140-compliant verifier required by government agencies.

Authenticator requirements

Government agency cryptographic authenticators are validated for FIPS 140 Level 1 overall. This requirement isn't for non-governmental agencies. The following Microsoft Entra authenticators meet the requirement when running on Windows in a FIPS 140-approved mode:

  • Password

  • Microsoft Entra joined with software or with hardware TPM

  • Microsoft Entra hybrid joined with software or with hardware TPM

  • Windows Hello for Business with software or with hardware TPM

  • Certificate stored in software or hardware (smartcard/security key/TPM)

For Microsoft Authenticator app (iOS/Android) FIPS 140 compliance information, See FIPS 140 compliant for Microsoft Entra authentication

For OATH hardware tokens and smartcards we recommend you consult with your provider for current FIPS validation status.

FIDO 2 security key providers are in various stages of FIPS certification. We recommend you review the list of supported FIDO 2 key vendors. Consult with your provider for current FIPS validation status.

Platform SSO for macOS is FIPS 140 compliant. We recommend referring to the Apple Platform Certifications.

Reauthentication

For AAL2, the NIST requirement is reauthentication every 12 hours, regardless of user activity. Reauthentication is required after a period of inactivity of 30 minutes or longer. Because the session secret is something you have, presenting something you know, or are, is required.

To meet the requirement for reauthentication, regardless of user activity, Microsoft recommends configuring user sign-in frequency to 12 hours.

With NIST you can use compensating controls to confirm subscriber presence:

  • Set session inactivity time out to 30 minutes: Lock the device at the operating system level with Microsoft System Center Configuration Manager, group policy objects (GPOs), or Intune. For the subscriber to unlock it, require local authentication.

  • Time out regardless of activity: Run a scheduled task (Configuration Manager, GPO, or Intune) to lock the machine after 12 hours, regardless of activity.

Man-in-the-middle resistance

Communications between the claimant and Microsoft Entra ID are over an authenticated, protected channel. This configuration provides resistance to man-in-the-middle (MitM) attacks and satisfies the MitM resistance requirements for AAL1, AAL2, and AAL3.

Replay resistance

Microsoft Entra authentication methods at AAL2 use nonce or challenges. The methods resist replay attacks because the verifier detects replayed authentication transactions. Such transactions won't contain needed nonce or timeliness data.

Next steps

NIST overview

Learn about AALs

Authentication basics

NIST authenticator types

Achieve NIST AAL1 with Microsoft Entra ID

Achieve NIST AAL2 with Microsoft Entra ID

Achieve NIST AAL3 with Microsoft Entra ID