authentication-governance-pack is an SSOT Registry pack for digital identity proofing, authenticator assurance, federation assurance, credential lifecycle, session security, WebAuthn/FIDO authenticators, OIDC authentication claims, account recovery, and authentication evidence.
It governs how a repository proves that a claimant controls authenticators for a subscriber account, how strongly identity was proofed, how federation assertions are protected, and how sessions and recovery preserve the target assurance level. It does not govern application permissions.
An SSOT Registry pack is an installable package of governed Architecture Decision Records (ADRs) and Specifications (SPECs) for ssot-registry. The pack supplies reusable decision and requirement documents that downstream repositories can synchronize into their local .ssot registry and link to features, tests, claims, evidence, and releases.
Authentication governance is not authorization governance. Teams need stable requirements for identity proofing, authenticator strength, federation assertions, session lifecycle, recovery, and audit evidence without confusing those controls with resource permissions.
NIST SP 800-63-4 separates digital identity assurance into three functions:
- IAL, Identity Assurance Level, covers identity proofing and enrollment: how strongly the credential service provider established the applicant identity and subscriber account.
- AAL, Authentication Assurance Level, covers authentication events: how much confidence the verifier has that the claimant controls authenticators bound to the subscriber account.
- FAL, Federation Assurance Level, covers federation assertions: how strongly identity-provider assertions are protected and validated by a relying party.
IAL is not MFA strength. AAL is not identity proofing. FAL is not authorization permissioning.
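The AAL side of that split, as an added example that is not part of the pack: a relying-party check over the OIDC `acr`, `amr` and `auth_time` claims that decides whether step-up or reauthentication is needed. The `acr`-to-AAL mapping, the knowledge-only rule, the function name and the sample claims are assumptions made for illustration.

```python
import time

# Assumed relying-party policy, not taken from the pack: the AAL this RP
# credits to each `acr` value. "phr" and "phrh" are the EAP ACR values.
ACR_TO_AAL = {"phr": 2, "phrh": 3}
KNOWLEDGE_ONLY_AMR = {"pwd", "pin"}  # RFC 8176 values for memorized secrets
CLOCK_SKEW_S = 60


def check_authentication_event(claims, target_aal, max_age_s, now=None):
    """Evaluate AAL evidence in already-validated ID Token claims.

    Signature, iss, aud, exp and nonce checks are assumed done by the caller.
    Returns (ok, reasons); a non-empty reasons list means step-up or
    reauthentication is needed. IAL and permissions are out of scope here.
    """
    now = time.time() if now is None else now
    reasons = []

    # Unknown or absent acr earns only AAL1: fail closed to the lowest level.
    acr = claims.get("acr")
    credited = ACR_TO_AAL.get(acr, 1) if isinstance(acr, str) else 1
    if credited < target_aal:
        reasons.append(f"acr {acr!r} credits AAL{credited}, need AAL{target_aal}")

    # amr must be an array of strings and must not contradict the acr claim.
    amr = claims.get("amr")
    if not isinstance(amr, list) or not amr or not all(isinstance(m, str) for m in amr):
        reasons.append("amr missing or malformed")
    elif target_aal >= 2 and set(amr) <= KNOWLEDGE_ONLY_AMR:
        reasons.append("amr lists only memorized secrets")

    # auth_time bounds how old the authentication event may be.
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        reasons.append("auth_time missing or malformed")
    elif auth_time > now + CLOCK_SKEW_S:
        reasons.append("auth_time is in the future")
    elif now - auth_time > max_age_s:
        reasons.append("authentication too old")

    return (not reasons, reasons)


# Constructed sample claims for illustration.
NOW = 1_700_000_000
FRESH_PASSKEY = {"acr": "phrh", "amr": ["hwk", "user"], "auth_time": NOW - 120}
STALE_PASSWORD = {"acr": "phr", "amr": ["pwd"], "auth_time": NOW - 7200}
```
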
- Pack ID: pack:authentication
- PyPI package: authentication-governance-pack
- Import package: authentication_governance_pack
- GitHub repository: groupsum/authentication-governance-pack
- Reservation owner: extension-pack:authentication-governance-pack
- NIST SP 800-63-4 digital identity assurance
- IAL identity proofing and enrollment
- AAL authenticator and authentication-event strength
- FAL federation assertion protection
- OIDC ID Token authentication claims, acr, and amr
- WebAuthn and FIDO authenticators
- authenticator lifecycle, account recovery, reset, and revocation
- session lifecycle, reauthentication, step-up, and logout
- authentication audit and release evidence
- NIST SP 800-63-4 Digital Identity Guidelines
- NIST SP 800-63A-4 Identity Proofing and Enrollment
- NIST SP 800-63B-4 Authentication and Authenticator Lifecycle
- NIST SP 800-63C-4 Federation and Assertions
- OpenID Connect Core 1.0
- OpenID Connect Extended Authentication Profile ACR Values 1.0
- W3C WebAuthn Level 3
- FIDO CTAP 2.2
- OAuth 2.0 Security Best Current Practice, RFC 9700
This release includes 11 ADR templates and 12 SPEC templates covering authentication boundaries, NIST SP 800-63-4 assurance, IAL, AAL, FAL, OIDC authentication claims, WebAuthn/FIDO authenticators, authenticator lifecycle, session lifecycle, account recovery, failure handling, and authentication evidence.
uv add authentication-governance-pack
uv add ssot-registry authentication-governance-pack
uvx --from ssot-registry --with authentication-governance-pack ssot --help

uv run ssot pack inspect authentication_governance_pack
uv run ssot pack preflight . authentication_governance_pack --all
uv run ssot pack sync . authentication_governance_pack --all --trust --yes
uv run ssot validate .
uv run ssot spec get . --id spc:pack.authentication.authentication-boundary-contract

from authentication_governance_pack import load_document_manifest, read_packaged_document_text

adr_manifest = load_document_manifest("adr")
spec_manifest = load_document_manifest("spec")
text = read_packaged_document_text("spec", "SPEC-2000-authentication-boundary-contract.yaml")

- GitHub repository: groupsum/authentication-governance-pack
- PyPI package: authentication-governance-pack
- SSOT Registry: ssot-registry
- SSOT pack contracts: ssot-pack-contracts