Beyond this, low, moderate and high identification requirements are set out and a risk analysis procedure provided to evaluate the likely result of a transaction being compromised and assign it to the appropriate category.

Low-risk transactions will be handled with an identifier and password, and medium ones with two-factor identification involving exchange of a software token or biometric data for the session in addition to the initial identification.

High level transactions will be conducted with two-factor identification using a hardware token.

The document summarizes the kinds of attacks that can be mounted against authentication and measures that can minimize the risk, such as encryption of communications.

Comments on the standard are requested, by February 17, 2006.