AAL2 FIPS Compliance

The TruValidate Multifactor Authentication (MFA) API may be used as part of a NIST Authenticator Assurance Level 2/3 program. By using identity verification in the device linking process, a high level of certainty can be gained in linking a device built on the FIPS 140-2 compliant MFA Mobile Authenticator SDK to a user’s account. The MFA API is also FIPS compliant in its encryption and digital signature requirements if used appropriately. For the MFA API to be used in a FIPS 140-2 and, subsequently, SP 800-57 compliant manner, single purpose keys must be used in your implementation: the MFA API already uses separate keys for encryption and digital signatures, and your implementation must do the same for its credentials.
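The single-purpose-key requirement above can be enforced in code rather than by convention. The following is an added Go example, not TransUnion's code and not a description of the MFA API's own key formats: it generates one key that can only sign and one that can only decrypt, and refuses at the key boundary any attempt to use either for the other operation. The algorithm choices (ECDSA P-256 for signatures, RSA-2048 with OAEP/SHA-256 for encryption) and the `PurposeKey` type are this example's own assumptions; the sample message is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyPurpose records the single cryptographic use a key is allowed to serve.
// SP 800-57 Part 1 requires that a key be used for exactly one purpose.
type KeyPurpose string

const (
	PurposeSign    KeyPurpose = "digital-signature"
	PurposeEncrypt KeyPurpose = "encryption"
)

// ErrPurposeMismatch is returned when a key is asked to do something it was not created for.
var ErrPurposeMismatch = errors.New("single-purpose key used for a different purpose")

// PurposeKey binds a private key to exactly one purpose at creation time
// (hypothetical type for this example; the MFA API's key handling is not described here).
type PurposeKey struct {
	Purpose  KeyPurpose
	ecdsaKey *ecdsa.PrivateKey // set only for PurposeSign
	rsaKey   *rsa.PrivateKey   // set only for PurposeEncrypt
}

// NewSigningKey generates an ECDSA P-256 key that may only sign and verify.
func NewSigningKey() (*PurposeKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PurposeKey{Purpose: PurposeSign, ecdsaKey: k}, nil
}

// NewEncryptionKey generates an RSA-2048 key that may only encrypt and decrypt (RSA-OAEP).
func NewEncryptionKey() (*PurposeKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &PurposeKey{Purpose: PurposeEncrypt, rsaKey: k}, nil
}

// Sign produces an ASN.1 ECDSA signature over SHA-256(msg); non-signing keys are refused.
func (k *PurposeKey) Sign(msg []byte) ([]byte, error) {
	if k.Purpose != PurposeSign || k.ecdsaKey == nil {
		return nil, ErrPurposeMismatch
	}
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k.ecdsaKey, digest[:])
}

// Verify checks a signature made by Sign; a non-signing key never verifies.
func (k *PurposeKey) Verify(msg, sig []byte) bool {
	if k.Purpose != PurposeSign || k.ecdsaKey == nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(&k.ecdsaKey.PublicKey, digest[:], sig)
}

// Encrypt uses the public half of the encryption key with RSA-OAEP/SHA-256.
func (k *PurposeKey) Encrypt(plain []byte) ([]byte, error) {
	if k.Purpose != PurposeEncrypt || k.rsaKey == nil {
		return nil, ErrPurposeMismatch
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.rsaKey.PublicKey, plain, nil)
}

// Decrypt refuses any key whose purpose is not encryption.
func (k *PurposeKey) Decrypt(ct []byte) ([]byte, error) {
	if k.Purpose != PurposeEncrypt || k.rsaKey == nil {
		return nil, ErrPurposeMismatch
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.rsaKey, ct, nil)
}

func main() {
	sigKey, _ := NewSigningKey()
	encKey, _ := NewEncryptionKey()

	msg := []byte("constructed sample request body") // constructed sample, not a real API payload
	sig, _ := sigKey.Sign(msg)
	fmt.Println("signature verifies:", sigKey.Verify(msg, sig))

	ct, _ := encKey.Encrypt(msg)
	pt, _ := encKey.Decrypt(ct)
	fmt.Println("round trip ok:", string(pt) == string(msg))

	// Cross-use is refused at the key boundary, which is what "single purpose keys" means in practice.
	_, err := sigKey.Decrypt(ct)
	fmt.Println("signing key asked to decrypt:", err)
	_, err = encKey.Sign(msg)
	fmt.Println("encryption key asked to sign:", err)
}
```

The design point is that the purpose is fixed when the key is generated and checked inside every operation, so a caller cannot reach the raw private key and reuse it; an integration that stores the two credentials under separate names but lets application code pick either for any operation has not actually separated them.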


TruValidate Multifactor Authentication (MFA) Organizations can be required to enforce FIPS compliance by checking the “Enforce FIPS 140-2” checkbox in MFA Admin Center when initially creating your MFA Organization. Once enabled, the enforcement cannot be removed, and it cannot be enabled after the Organization has been created. When “Enforce FIPS 140-2” is selected, any request made to the MFA API that does not use single purpose keys will receive an “F-XXX” or “CRED-XXX” error whose error reason explains the compliance issue with your entity setup. This enforcement is also applied to Devices communicating with the MFA API, so ensure your mobile app uses a FIPS 140-2 compliant MFA Mobile Authenticator SDK.

User Contributed

TransUnion links to user contributed code as a resource to its community. TransUnion does not in any way guarantee or warrant the quality and security of these code bases. User contributed code is supported by the creators. If you do find a link from the site to user contributed code that is malicious or inappropriate in any way, please report that link to TransUnion immediately and we will investigate the claim. Submit any issue to TransUnion support at https://transunion.com/support.