Update c7-secure-digital-identities.md
andreashappe authored Dec 18, 2024
1 parent eb52501 commit fdd2d8c
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions docs/the-top-10/c7-secure-digital-identities.md
Expand Up @@ -13,9 +13,7 @@ The [NIST Special Publication 800-63B: Digital Identity Guidelines (Authenticati

NIST 800-63b describes three levels of authentication assurance called Authentication Assurance Level (AAL):

- **Level 1 : Passwords**: The first level, AAL level 1 is reserved for lower-risk applications that do not contain PII or other private data. At AAL level 1 only single-factor authentication is required, typically through the use of a password (something you know). The security of passwords (or credentials in general) is of utmost importance, this includes both secure storage (using a key-derivation function and such) as well as corresponding processes, e.g. having a secure password-reset flow.
- **Level 2 : Multi-Factor Authentication**: NIST 800-63b AAL level 2 is reserved for higher-risk applications that contain "self-asserted PII or other personal information made available online." At AAL level 2 multi-factor authentication is required including OTP or other forms of multi-factor implementation.
- **Level 3 : Cryptographic Based Authentication**: NIST 800-63b Authentication Assurance Level 3 (AAL3) is required when the impact of compromised systems could lead to personal harm, significant financial loss, harm the public interest or involve civil or criminal violations. AAL3 requires authentication that is "based on proof of possession of a key through a cryptographic protocol." This type of authentication is used to achieve the strongest level of authentication assurance. This is typically done through hardware cryptographic modules. When developing web applications, this will commonly lead to WebAuthn or PassKeys.
#### Level 1 : Passwords: The first level, AAL level 1 is reserved for lower-risk applications that do not contain PII or other private data. At AAL level 1 only single-factor authentication is required, typically through the use of a password (something you know). The security of passwords (or credentials in general) is of utmost importance, this includes both secure storage (using a key-derivation function and such) as well as corresponding processes, e.g. having a secure password-reset flow.

#### Level 2 : Multi-Factor Authentication

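Review bot: the new Level 1 bullet carries over the removed heading's body word for word, so its comma splice and vague wording survive the move: "is of utmost importance, this includes both secure storage (using a key-derivation function and such)" should read "is of utmost importance; this includes both secure storage (using a purpose-built key-derivation function) as well as corresponding processes, e.g. a secure password-reset flow", which also matches the register of the Level 2 and Level 3 bullets it now sits beside. Dropping the stale "#### Level 1 : Passwords:" heading and the orphaned "#### Level 2 : Multi-Factor Authentication" heading is the right fix, since the three levels are now listed once, in order, under the single introductory sentence.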

0 comments on commit fdd2d8c
