May 11, 2016 -
The National Institute of Standards and Technology posted four documents to GitHub detailing drastic changes it has made to its guidelines for federal agencies’ digital authentication practices, according to a report by FCW.
NIST is updating its identity proofing strategy to better support current Office of Management and Budget guidance in an effort to help agencies select the most effective digital authentication technologies for their needs.
The new strategy includes breaking up the individual components of identity assurance into distinct, individual elements.
NIST’s new approach would allow individuals to establish who they are through identity assurance and then, through authenticator assurance, prove possession of their credentials (such as an encrypted identity card with an embedded chip) to gain access to a system.
The documents also mention that passwords could be completely numeric as NIST’s experts concede that using a combination of character types in passwords “is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
Alternatively, the organization recommends that user-selected passwords be compared against a list of unacceptable passwords, which would include passwords from past breaches, dictionary words and obvious words that users are likely to select (such as the service’s name).
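The screening step described above, as an added example that is not code from the article or from NIST: a candidate password is normalized, then rejected if it appears in a breach list, is a dictionary word (with or without trivial digit/punctuation padding), or contains the service’s name. The word lists, the service name `examplebank`, and the minimum length of 8 are constructed assumptions for the demonstration; a real deployment would load breach corpora and a full dictionary from files. A purely numeric password that clears these checks is accepted, matching the draft’s position on composition rules.

```python
"""Added example (not from the article or NIST): a password blocklist
screen in the spirit of the draft guidance."""
import unicodedata
from typing import Tuple

# Constructed sample lists; a real deployment would load breach corpora and
# a full dictionary from files rather than hard-coding them.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football"}
SERVICE_NAME = "examplebank"  # hypothetical service name (assumption)
MIN_LENGTH = 8                # assumed minimum length for this demo


def normalize(password: str) -> str:
    # NFKC so look-alike Unicode forms compare equal; casefold so
    # "Password" and "PASSWORD" hit the same blocklist entry.
    return unicodedata.normalize("NFKC", password).casefold()


def check_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Reasons are short strings for the UI."""
    norm = normalize(candidate)
    if len(norm) < MIN_LENGTH:
        return False, "too short"
    if norm in BREACHED_PASSWORDS:
        return False, "appears in breach list"
    if norm in DICTIONARY_WORDS:
        return False, "dictionary word"
    # Strip digits and punctuation so "Dragon123!" still matches "dragon".
    core = "".join(ch for ch in norm if ch.isalpha())
    if core and (core in DICTIONARY_WORDS or core in BREACHED_PASSWORDS):
        return False, "dictionary or breached word with trivial padding"
    if SERVICE_NAME in norm:
        return False, "contains service name"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password", "847201935", "Dragon123!", "MyExampleBank2016",
               "correct horse battery"]:
        print(repr(pw), "->", check_password(pw))
```

Note that the check is against the normalized form, so case changes and Unicode look-alikes do not bypass the blocklist, and the padding check catches the common habit of appending digits or a single symbol to a dictionary word.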
The guidelines also state that users will no longer be given a password “hint” that is accessible to a third party. Therefore, passwords based on specific types of information such as your first pet or mother’s maiden name will no longer be valid.
NIST also states that biometric matching for authentication should be conducted locally on a user’s device or by a central verifier, but biometrics must be used in combination with a second authentication factor that can be cancelled.
Biometric systems used in those applications should have a tested equal error rate of 1 in 1,000 or better, with a false-match rate of 1 in 1,000 or better, according to NIST.
As previously reported, the National Institute of Standards and Technology published an analysis of invited comments for its Cybersecurity Framework.