Available 2FA methods with Digital access
Nexus' Digital access platform is based on leading industry standards to guarantee operability with existing applications and security infrastructures.
Nexus' solution uses standard protocols and is extendible through a plug-in API. Open standards such as X.509, Open Authentication, RADIUS, LDAP, SAML 2.0, OpenID Connect and OAuth 2.0 are supported. For applications that do not support any of these standards, integration with Web Services interface is offered.
For more information, see Compare 2FA methods.
For full lifecycle management of the authentication methods, with automated workflows and self-service functionality, see Digital ID.
AAL levels of 2FA methods in Digital access
In the table below you can see the 2FA methods and the corresponding Authenticator Assurance Level (AAL) in the Digital access platform.
| 2FA method | AAL level |
|---|---|
| Mobile virtual smart card | AAL3 |
| Virtual smart card | AAL3 |
| Smart card | AAL3 |
| Mobile OTP | AAL2 |
| Hardware OTP token | AAL2 |
| Software token | AAL1 |
The three AALs define the subsets of options agencies can select based on their risk profile and the potential harm caused by an attacker taking control of an authenticator and accessing agencies’ systems. The AALs are as follows:
| AAL1: AAL1 provides some assurance that the claimant controls an authenticator registered to the subscriber. AAL1 requires single-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator(s) through a secure authentication protocol. |
| AAL2: AAL2 provides high confidence that the claimant controls authenticator(s) registered to the subscriber. Proof of possession and control of two different authentication factors is required through a secure authentication protocol. Approved cryptographic techniques are required at AAL2 and above. |
| AAL3: AAL3 provides very high confidence that the claimant controls authenticator(s) registered to the subscriber. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 is like AAL2 but also requires a “hard” cryptographic authenticator that provides verifier impersonation resistance. |
For more information about AALs, see https://pages.nist.gov/800-63-3/sp800-63-3.html.