December 21, 2015
The whitepaper examines NIST’s intention to draft a framework that will support a greater understanding of the strength of authentication technologies used in identity management systems.
According to the whitepaper, “such a framework will provide a methodology to compare authenticators and allow a determination to be made on the selection of appropriate authenticators that are commensurate with assessed risk. In addition to providing a clearer understanding of an individual authenticator’s ability to mitigate risk, the framework will also present a common basis to understand the strength of combinations of authenticators within multi-factor systems as well as comparability among authenticators.”
NIST anticipates that the new framework will be developed to accommodate state-of-the-art authentication practices, solutions, and technologies, so that their strength can be understood and evaluated through standardized testing methodologies and reporting metrics.
To develop such a framework, NIST has chosen to focus initially on biometric technologies. Their use in the consumer market is expanding as a primary authentication factor for accessing remote, online services, yet the measurement science for biometrics has not reached the same degree of maturity as that for other authentication factors, such as cryptographic systems. This lack of parity between measuring the strength of biometric and cryptographic solutions has consequences, including the exclusion of biometrics as a single or primary authentication factor in NIST guidance for accessing remote federal systems.
The whitepaper works towards finding parity and a mechanism for measurement.
The document also serves as a primer for discussions to be held at the “Advanced Identity Workshop” in Gaithersburg, Maryland, on January 12 and 13, 2016. The workshop will convene federal agencies, commercial relying parties, and identity solution providers to collaborate on improving standards, guidance, and practices related to identity management.