One of the questions that often comes up in discussions regarding Federation and Authentication Levels of Assurance (LOA) is around how one might raise the assurance level of an authentication session. BTW, NIST seems to have an aversion to using the words "Step-Up Authentication" and uses the term "Assurance Level Escalation" in the Electronic Authentication Guidance (NIST SP-800-63-1) [PDF].
In particular, Assurance Level Escalation is considered a special case of multi-token authentication, where the presentation of the first token and the second token are simply separated in time.
As such it is important to understand the token types that are approved for use with US Government Relying Parties for this purpose:
- Memorized Secret Token - Something you know
- Pre-Registered Knowledge Token - Something you know
- Look-up Secret Token - Something you have
- Out of Band Token - Something you have
- Single Factor (SF) One-Time Password (OTP) Device - Something you have
- Single Factor (SF) Cryptographic Device - Something you have
- Multi-Factor (MF) Software Cryptographic Token - Something you have; it may be activated by something you know or something you are
- Multi-Factor (MF) One-Time Password (OTP) Device - Something you have; it may be activated by something you know or something you are
- Multi-Factor (MF) Cryptographic Device - Something you have; it may be activated by something you know or something you are
The above table (NIST SP-800-63-1, Table 7) describes the highest level of assurance that is possible using a combination of two approved token types. This is a per-session assurance level escalation, and is not something more permanent.
:- by Anil John