FAL2 - Alternative Authentication Processes #80

@dhs-BI

Description

SP 800-63C rev. 4 specifies requirements for alternative authentication processes in Section 3.7.3. IPSIE currently does not account for any non-federated authentication mechanisms. In a personal discussion at IETF 122, it was pointed out that this was a non-starter for a large SaaS provider and would make IPSIE compliance difficult.

In order to resolve this, I suggest two actions:

  1. Develop language in OIDC SL1 that allows for direct authentication for break-glass accounts with authentication requirements that meet or exceed those defined in SL1 for the federated model. The language should include provisioning/deprovisioning mechanisms and consider that these may exist outside of the automated (e.g. SCIM/JIT-based) mechanisms. Appropriate logging and auditing controls should be described as well.
  2. Determine whether the direct authentication path should meet the FAL2 requirements or not. Pull in the FAL2 requirements, if necessary.
