NIST intros new changes to federal system authentication guidelines


The National Institute of Standards and Technology posted four documents to GitHub detailing drastic changes it has made to its guidelines for federal agencies’ digital authentication practices, according to a report by FCW.

NIST is updating its identity proofing strategy to better support current Office of Management and Budget guidance in an effort to help agencies select the most effective digital authentication technologies for their needs.

The new strategy includes separating the components of identity assurance into distinct elements.

Under NIST’s new approach, individuals would establish their identity through identity assurance, and authenticate their credentials to gain access to a system through authenticator assurance, for example with an encrypted identity card with an embedded chip.

The documents also mention that passwords could be completely numeric, as NIST’s experts concede that using a combination of character types in passwords “is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”

Instead, the organization recommends that user-selected passwords be compared against a list of unacceptable passwords, which would include passwords from past breaches, dictionary words and obvious words that users are likely to select (such as the service’s name).
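A sketch of such a check follows; it is an added example, not code from NIST or from the article. The word lists, the service name `ExampleBank` and the 8-character minimum are assumptions made for illustration, and the check for a padded service name goes slightly beyond a plain list comparison.

```python
import unicodedata

# Constructed sample lists; a real deployment would load a breach corpus
# and a dictionary from files. None of these values come from the article.
BREACHED = {"123456", "password1", "qwerty123", "iloveyou"}
DICTIONARY = {"sunshine", "football", "welcome", "dragon"}
SERVICE_NAME = "ExampleBank"   # hypothetical service name
MIN_LENGTH = 8                 # assumption: the article states no minimum


def normalize(text):
    """Fold Unicode compatibility forms and case so variants compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def build_blocklist(*sources):
    """Merge any number of word lists into one normalized set."""
    return {normalize(word) for source in sources for word in source}


def check_password(password, blocklist, context_words=(), min_length=MIN_LENGTH):
    """Return (accepted, reason). No character-class rules are applied,
    so an all-numeric password passes if it is long enough and unlisted."""
    candidate = normalize(password)
    if len(candidate) < min_length:
        return False, "too short"
    if candidate in blocklist:
        return False, "on blocklist"
    # Context words (service name, username): also reject the word with
    # digits or punctuation padded on either side, e.g. "examplebank2016!".
    core = candidate.strip("0123456789!@#$%^&*._-")
    for word in context_words:
        if core == normalize(word):
            return False, "derived from service or account name"
    return True, "ok"


BLOCKLIST = build_blocklist(BREACHED, DICTIONARY)

if __name__ == "__main__":
    for pw in ("83920174650291", "Password1", "ExampleBank2016!", "sunshine"):
        print(pw, check_password(pw, BLOCKLIST, [SERVICE_NAME]))
```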

The guidelines also state that users will no longer be given a password “hint” that is accessible to a third party. Therefore, passwords based on specific types of information such as your first pet or mother’s maiden name will no longer be valid.

NIST also states that biometric matching for authentication should be conducted locally on a user’s device or by a central verifier, but biometrics must be used in combination with a second authentication factor that can be cancelled.

Biometric systems used in those applications should have a tested equal error rate of 1 in 1,000 or better, with a false-match rate of 1 in 1,000 or better, according to NIST.

As previously reported, the National Institute of Standards and Technology published an analysis of invited comments for its Cybersecurity Framework.
