The NSA has released guidance and a list of Multi-Factor Authentication (MFA) providers and their associated Authenticator Assurance Levels (AAL’s). This comes as a response to government workers who use Personal Identity Verification (PIV) cards normally to authenticate, and cannot due to working from home. https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/CSI_MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF NSA MFA DevicesThis comes on the heels of NISTs update to SP 800–63–3 “Digital Identity Guidelines”. [https://pages.nist.gov/800-63-3/] While this is targeted to the government and industry partners, it is ideal for civilian organization to consider when implementing a MFA or 2FA. In particular, the NIST special publication provides clear and concise guidance on selecting a provider based risk levels and requirements. For example, they have the below diagram which helps users select the appropriate Identity Assurance Levels (IAL): Selecting IAL
