AAL2 FIPS Compliance
The TruValidate Multifactor Authentication (MFA) API may be used as part of a NIST Authenticator Assurance Level 2/3 program.
Utilizing identity verification in the device linking process, a high level of certainty can be
gained in linking a FIPS 140-2 compliant MFA Mobile Authenticator SDK based device to a
user’s account. The MFA API is also FIPS compliant in its encryption and digital signature
requirements if used appropriately. For the MFA API to be used in a FIPS 140-2 and
subsequently SP 800-57 compliant manner, single purpose keys must be utilized in your
implementation. The MFA API already uses separate keys for encryption and digital signatures.
Your implementation must also do the same for its credentials.
TruValidate Multifactor Authentication (MFA) Organizations can be required to enforce FIPS compliance by checking the “Enforce FIPS
140-2” checkbox in MFA Admin Center when initially creating your MFA Organization.
Once enabled, the enforcement cannot be removed. It also cannot be enabled after creation of the
Organization. When “Enforce FIPS 140-2” is selected, any request made to the MFA API
that does not utilize single purpose keys will receive an “F-XXX” or a “CRED-XXX” error with the error reason
explaining the compliance issue with your entity setup. This enforcement will also be placed on
Devices communicating with the MFA API. As such, ensure your mobile app is utilizing a FIPS
140-2 compliant MFA Mobile Authenticator SDK.
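
A local check for the single purpose key requirement described above, as an added example that is not TransUnion's code: it fingerprints the public keys intended for encryption and for digital signatures and rejects the pair when they are the same key, even if the two copies were exported in different PEM encodings. The names `fingerprint`, `checkSinglePurpose` and `sampleKey` are hypothetical, and the keys are generated in-process only as constructed sample input.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)
// fingerprint hashes the SubjectPublicKeyInfo DER, so a key matches itself in PKIX or PKCS#1 PEM.
func fingerprint(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil { // not PKIX: try the PKCS#1 "RSA PUBLIC KEY" form
		if pub, err = x509.ParsePKCS1PublicKey(block.Bytes); err != nil {
			return "", err
		}
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der)), err
}

// checkSinglePurpose (hypothetical helper) rejects one key configured for both purposes.
func checkSinglePurpose(encPEM, sigPEM []byte) error {
	enc, err1 := fingerprint(encPEM)
	sig, err2 := fingerprint(sigPEM)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("unreadable key (encryption: %v, signature: %v)", err1, err2)
	}
	if enc == sig {
		return fmt.Errorf("key %s is set for both encryption and signing", enc[:16])
	}
	return nil
}

func sampleKey() (pkix, pkcs1 []byte) { // constructed input: one new RSA key, both PEM encodings
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&k.PublicKey)})
}

func main() {
	a, aPKCS1 := sampleKey()
	b, _ := sampleKey()
	fmt.Println(checkSinglePurpose(a, b), checkSinglePurpose(a, aPKCS1))
}
```

Running the same check in a deployment pipeline, before credentials are registered, surfaces a reused key locally rather than as an API error.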