Level 2 Authentication
The Executive Summary of NIST 800-63 states that ‘Level 2 provides single
factor remote network authentication. At Level 2, identity proofing requirements
are introduced, requiring presentation of identifying materials or information.’
A wide range of available authentication technologies can be employed at Level
2. It allows any of the token methods of Levels 3 or 4, as well as passwords.
Successful authentication requires that the claimant prove through a secure
authentication protocol that he or she controls the token. Eavesdropper, replay,
and on-line guessing attacks are prevented.
We apply controls found in the ‘ERS Administrator’s Manual’ and the ‘Form
BA-12 Checklist’ to meet the level 2 authentication requirements.
Registration requirements
Access to ERS begins with the filing of a paper application form, BA-12,
‘Application for Employer Reporting Internet Access.’ The forms must be signed
and certified by someone at the company who has signature authority and mailed
to the RRB. When an application is received at the RRB, A&T reviews it and
completes the “BA-12 Checklist” to validate the name of the certifying authority
using existing RRB records. Once validated, a P/P is mailed to the applicant at
the company’s address of record. The application form and the completed
checklist are stored in a secure area.
ERS meets the NIST registration requirements for level 2 by maintaining
records of the registration/application and by reviewing the applications
according to written instructions. The RRB maintains a record of the actions
taken to validate the application. Both documents are filed in a secure area.
Identity proofing requirements
The RRB meets the identity proofing requirements for level 2 by verifying
information provided by the applicant on the application through record checks
at RRB sufficient to identify a unique individual; by requiring that the
application include the signature of a person known to the RRB; by requiring
written signatures; and by mailing the PIN and password to the address of
record, thus confirming the address.
The RRB’s biggest advantage in authenticating an applicant/user is that there
are fewer than 700 employers covered under the Acts, and RRB staff have had
personal contact with many of them. RRB staff also have the following
information available with which to validate an applicant:
- EDM contact official database;
- Form G-117a, Designation of Contact Official;
- Form G-440, Report Specification Sheet;
- correspondence;
- Pocket List of Railroad Officials; and
- seminar registration forms.
If anything is questionable, RRB staff telephone an official contact at the
company to validate the information on the application.
Assurance level 2 authentication
Level 2 authentication allows a wide range of available authentication
methods, including passwords. If passwords are used, NIST SP 800-63 indicates
that there should be protections against eavesdropper, replay, and on-line
guessing attacks. RRB protects against eavesdroppers and replay by encrypting
passwords.
Level 2 also requires that ERS administrators not reveal passwords to third
parties. ERS passwords are encrypted and the encryption software is not
available to any RRB staff; it cannot be accessed even by RRB programming
staff. Since no RRB staff has access to 1) unencrypted passwords, 2) the
encryption algorithm, or 3) the software that creates and maintains the
passwords, RRB staff have no means of disclosing a password.
For level 2 protection against on-line guessing, NIST recommends a “guessing
entropy” of 30 bits. Guessing entropy is an indication of the amount of work
needed to determine, or guess, a password. Alternatively, NIST indicates that a
system that required passwords to be changed at least every two years and
limited trials by locking an account for 24 hours after six failed attempts
would satisfy the targeted guessing attack requirements for level 2.
ERS requires that passwords be changed every 90 days and temporarily locks an
account after three unsuccessful password attempts. An account is permanently
locked after five unsuccessful attempts and can only be unlocked by a Password
Administrator. ERS passwords must meet RRB password standards. We determined
that ERS passwords attain a “guessing entropy” of 30 bits, as described in the
next section.
Password rules and guessing entropy
We estimate that the ERS password system provides the 30 bits of “guessing
entropy” recommended for level 2 in NIST SP 800-63, Appendix A. Entropy is the
uncertainty of a value, and “guessing entropy” is the difficulty of guessing
the value or, in this case, of guessing a password. ERS passwords meet the
level 2 considerations as follows.
- A minimum length of 8 characters, chosen by the user from an alphabet of 94
printable characters.
ERS passwords are 8 to 16 characters long, chosen by the user from an alphabet
of 70 characters: several special characters are available for ERS passwords,
but not every one. The variable password length, which increases the
difficulty of guessing a password, offsets this smaller alphabet.
- Require passwords to include at least one upper case letter, one lower case
letter, one number, and one special character.
ERS passwords require three of the four. This limit is offset by the fact
that after three unsuccessful attempts, a user is locked out for 60 minutes,
which sharply limits automated on-line password guessing.
- Use a dictionary to prevent passwords from including common words and
permutations of the username.
ERS checks passwords against usernames and other common words and
permutations.
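A worked version of the two calculations above (the Appendix A entropy estimate and the lockout arithmetic), as an added example that is not part of this report or of ERS. The Appendix A scoring rules and the level 2 targeted-guessing bound of 2^-14 over the life of the password (SP 800-63 section 8.2.2) are taken from NIST SP 800-63 v1.0.2; the ERS policy numbers (8 to 16 characters, three of four character classes, dictionary/username check, 90-day change, 60-minute lock after three failures, permanent lock after five) are those stated above. Crediting the three-of-four rule as an Appendix A composition rule follows this report's reading; the block also shows what happens if it is not credited. Assumed for the model: the failed-attempt counter is not reset by the legitimate user's own logins, and the attacker resumes guessing the moment each temporary lock expires.

```python
"""
Added example (not RRB or ERS code): estimate password "guessing entropy" with
the NIST SP 800-63 (v1.0.2) Appendix A heuristic for user-chosen passwords,
then compare the on-line guesses a lockout policy permits over the password's
lifetime against the level 2 targeted-guessing bound of 2^-14
(SP 800-63 section 8.2.2).  ERS policy numbers are those in the report; the
assumption that failed-attempt counters are never reset by the legitimate
user's logins is ours.
"""
import math

# Level 2: probability of a successful targeted on-line guessing attack over
# the life of the password must not exceed 1 in 16,384 (SP 800-63 sec. 8.2.2).
LEVEL2_TARGETED_GUESSING_BOUND = 2 ** -14


def appendix_a_entropy_bits(length, composition_rule=False, dictionary_check=False):
    """SP 800-63 Appendix A estimate for a user-chosen password of `length`
    characters drawn from the 94 printable keyboard characters.

    Rules: first character 4 bits; characters 2-8 two bits each; 9-20 1.5 bits
    each; beyond 20 one bit each.  A composition rule (upper case plus
    non-alphabetic characters required) adds 6 bits.  An extensive dictionary
    check adds 6 bits at 8 characters, declining by 1 bit per two extra
    characters to 0 at 20.  Only lengths >= 8 are modelled; the Appendix A
    table gives smaller bonuses for shorter passwords.
    """
    if length < 8:
        raise ValueError("only passwords of 8 or more characters are modelled")
    bits = 4.0 + 2.0 * 7                      # characters 1-8
    bits += 1.5 * min(length - 8, 12)         # characters 9-20
    bits += 1.0 * max(length - 20, 0)         # characters 21 and beyond
    if composition_rule:
        bits += 6.0
    if dictionary_check:
        bits += max(6.0 - (length - 8) / 2.0, 0.0)
    return bits


def random_password_bits(length, alphabet_size):
    """Entropy of a *randomly generated* password, shown only to contrast with
    the much lower Appendix A figures for user-chosen passwords."""
    return length * math.log2(alphabet_size)


def online_guess_budget(lifetime_days, attempts_before_lock, lockout_hours,
                        permanent_lock_after=None):
    """Upper bound on guesses an attacker can make against one account before
    the password is changed.  Model: a burst of `attempts_before_lock` guesses,
    a `lockout_hours` pause, repeated for `lifetime_days`.  A permanent lock
    after `permanent_lock_after` failures (counter never reset) caps the total."""
    bursts = lifetime_days * 24.0 / lockout_hours
    budget = int(bursts * attempts_before_lock)
    if permanent_lock_after is not None:
        budget = min(budget, permanent_lock_after)
    return budget


def success_probability(entropy_bits, guesses):
    """Chance a targeted on-line attacker finds the password within `guesses`
    tries, treating the estimated entropy as the effective search space."""
    return guesses / 2.0 ** entropy_bits


def meets_level2(entropy_bits, guesses):
    return success_probability(entropy_bits, guesses) <= LEVEL2_TARGETED_GUESSING_BOUND


if __name__ == "__main__":
    # NIST's own illustration: 30 bits, two-year change, 24-hour lock after six failures.
    nist_budget = online_guess_budget(2 * 365, 6, 24)
    print("NIST example: %d guesses, P=%.2e, meets level 2: %s"
          % (nist_budget, success_probability(30, nist_budget), meets_level2(30, nist_budget)))

    # ERS as described in the report.
    ers_min = appendix_a_entropy_bits(8, composition_rule=True, dictionary_check=True)
    ers_max = appendix_a_entropy_bits(16, composition_rule=True, dictionary_check=True)
    temp_only = online_guess_budget(90, 3, 1)                      # ignore the permanent lock
    with_perm = online_guess_budget(90, 3, 1, permanent_lock_after=5)
    print("ERS estimate: %.0f bits at 8 chars, %.0f bits at 16 chars" % (ers_min, ers_max))
    print("ERS hourly lock only: %d guesses, meets level 2 at 30 bits: %s"
          % (temp_only, meets_level2(ers_min, temp_only)))
    # Caveat: without the composition credit (24 bits) the hourly lock alone
    # falls short, and the permanent lock after five failures does the work.
    print("at 24 bits: hourly lock only %s, with permanent lock %s"
          % (meets_level2(24, temp_only), meets_level2(24, with_perm)))
    print("random 8-char password: %.1f bits from 94 chars, %.1f from 70"
          % (random_password_bits(8, 94), random_password_bits(8, 70)))
```

The numbers make the report's argument concrete: at the 30-bit estimate both the NIST example (4,380 guesses over two years) and the ERS hourly lockout (6,480 guesses over 90 days) stay under 2^-14, but at 24 bits the hourly lockout alone does not, and it is the permanent lock after five failures that keeps the attacker's budget down. The alphabet comparison also shows why the 70-versus-94 point matters little here: Appendix A scores user-chosen 8-character passwords at 18 bits regardless of alphabet, far below the 49 or 52 bits a randomly generated one would carry.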
The application form to gain access to the ERS system requires applicants to
sign a statement that they will comply with the RRB’s security guidelines. The
guidelines are mailed with the application and are also found in the Reporting
Instructions to Employers manual. The guidelines include practices for keeping
passwords secure.
Additional authentication strategies
The ERS meets the required level 2
authentication. In addition to the minimum requirements, the RRB has increased
the level of assurance by applying mitigation strategies. The following are
practices not mentioned elsewhere in this report which ERS uses to increase our
assurance that only authorized users have access.
- A person in authority at the company must sign and certify the application
form.
- Penalties for fraud are communicated on the application form (Form BA-12),
written procedure (Reporting Instructions to Employers), and on the first web
screen that appears when accessing the system.
- RRB system administrators perform daily monitoring of users accessing ERS.
ERS captures a transaction record of activity processed and forms filed which
includes the user’s Logon ID, IP address, and browser information.
- A BA-4 Summary Report of ERS service and compensation data is created daily
and made available to all users with BA-4 access at that company. This report is
intended for use by employers to validate tax deposits and, as such, could
detect an unauthorized user who obtained fraudulent access to file a report.
- The RRB requires that applications for access be mailed to the RRB. Using the
United States Postal Service provides an additional deterrent against fraud.
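The daily monitoring item above is the kind of check that can be scripted. The block below is an added example, not RRB or ERS code: the report says each transaction record carries the user's Logon ID, IP address and browser information, but the pipe-delimited layout, field names, Logon IDs and sample lines here are constructed for the example. The rule it applies is a usual one for a single-factor system: a Logon ID that files from more than one IP address or more than one browser within the day is worth the telephone call to the employer's contact official described earlier.

```python
"""
Added example (not RRB or ERS code): a daily review pass over ERS-style
transaction records.  Record layout, field names and all sample values are
constructed; only the presence of Logon ID, IP address and browser per record
comes from the report.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one day of filings, pipe-delimited, header first.
SAMPLE_DAY = """\
date|time|logon_id|ip|browser|form
2004-03-02|08:14|RR1234A|203.0.113.10|Mozilla/4.0 (compatible; MSIE 6.0)|BA-4
2004-03-02|08:40|RR1234A|203.0.113.10|Mozilla/4.0 (compatible; MSIE 6.0)|BA-4
2004-03-02|09:05|RR5678B|198.51.100.7|Mozilla/4.0 (compatible; MSIE 6.0)|BA-4
2004-03-02|13:22|RR1234A|192.0.2.44|Mozilla/5.0 (X11; Linux)|BA-4
2004-03-02|16:01|RR5678B|198.51.100.7|Mozilla/4.0 (compatible; MSIE 6.0)|BA-4
"""


def parse_records(text):
    """Parse the pipe-delimited day file into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text), delimiter="|"))


def review_day(records):
    """Return {logon_id: [reasons]} for IDs whose activity that day came from
    more than one IP address or more than one browser."""
    ips = defaultdict(set)
    browsers = defaultdict(set)
    for rec in records:
        ips[rec["logon_id"]].add(rec["ip"])
        browsers[rec["logon_id"]].add(rec["browser"])

    flagged = {}
    for logon_id in sorted(ips):
        reasons = []
        if len(ips[logon_id]) > 1:
            reasons.append("multiple IP addresses: " + ", ".join(sorted(ips[logon_id])))
        if len(browsers[logon_id]) > 1:
            reasons.append("multiple browsers: " + ", ".join(sorted(browsers[logon_id])))
        if reasons:
            flagged[logon_id] = reasons
    return flagged


if __name__ == "__main__":
    for logon_id, reasons in review_day(parse_records(SAMPLE_DAY)).items():
        print("follow up with employer contact for", logon_id)
        for reason in reasons:
            print("  -", reason)
```

In the constructed sample only RR1234A is flagged, for both reasons: the afternoon filing comes from a different address and a different browser than the morning ones. A legitimate explanation (a second office, a home PC) is common, which is why the output is a list for a reviewer to follow up by phone rather than an automatic lockout.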