NIST finalizes digital ID guidelines, eliminates changing of passwords

Federal scientists at the National Institute of Standards and Technology have eliminated outdated requirements from the agency’s digital identity authentication guidelines, such as regularly changing passwords, and have added new standards for the use of biometrics, keysticks and other two-factor authentication tokens, according to a report by Cyberscoop.

The final document, dubbed NIST Special Publication 800-63 (PDF), marks the third version of the guidelines and the result of more than a year of public consultation, according to NIST Senior Standards and Technology Advisor Paul Grassi.

The drafts of the revised documents were viewed by more than 74,000 unique visitors on the agency’s website over the last year, with more than 14,000 comments submitted, Grassi said.

“There is no way a document this comprehensive could have evolved without the direct input of stakeholders, who contributed consistently throughout the drafting process,” Grassi wrote in a blog post, calling the agency’s first use of open-source code sharing and development site GitHub a “success”.

“Digital identity in both agencies and the [private sector] market have changed dramatically since the last revision of this document in 2013,” Grassi said.

The finalized document eliminates the concept of “levels of assurance” (LOAs) as a measure of how secure an identity proofing and login authentication process ought to be.

Instead, the agency has separated the digital ID process into three stages, with each one assigned a rating based on how secure it should be.

Identity Assurance Level (IAL) covers the process of issuing a login to an individual based on their identity; Authenticator Assurance Level (AAL) measures the security of the authentication process, that is, how a user proves to a system that they are the same individual they claim to be; and Federation Assurance Level (FAL) pertains to the security level of the assertion used in a federated environment, where many systems rely on a single ID authentication process.

Grassi also said that SP 800-63 is now comprised of four parts “and could have more in the future as digital identity evolves.”

The components are as follows: SP 800-63-3 (Digital Identity Guidelines), the “mothership” guide that includes risk management language designed to align it with OMB guidance; SP 800-63A (Enrollment & Identity Proofing); SP 800-63B (Authentication & Lifecycle Management); and SP 800-63C (Federation & Assertions).

Earlier this year, the FIDO Alliance made recommendations for a strong authentication requirement in the National Institute of Standards and Technology’s (NIST) draft updates to its Framework for Improving Critical Infrastructure Cybersecurity guidelines.
