NIST finalizes digital ID guidelines, eliminates mandatory password changes
Federal scientists at the National Institute of Standards and Technology have removed outdated requirements from the agency’s digital identity authentication guidelines, such as requiring users to change passwords regularly, and have added new standards for the use of biometrics, keysticks and other two-factor authentication tokens, according to a report by Cyberscoop.
The final document, NIST Special Publication 800-63, is the third revision of the guidelines and the result of more than a year of public consultation, according to NIST Senior Standards and Technology Advisor Paul Grassi.
The drafts of the revised documents were viewed by more than 74,000 unique visitors on the agency’s website over the last year, with more than 14,000 comments submitted, Grassi said.
“There is no way a document this comprehensive could have evolved without the direct input of stakeholders, who contributed consistently throughout the drafting process,” Grassi wrote in a blog post, calling the agency’s first use of the open-source code sharing and development site GitHub a “success”.
“Digital identity in both agencies and the [private sector] market have changed dramatically since the last revision of this document in 2013,” Grassi said.
The finalized document eliminates the concept of “levels of assurance” (LOAs) as a measure of how secure an identity proofing and login authentication process ought to be.
Instead, the agency has separated the digital ID process into three stages, with each one assigned a rating based on how secure it should be.
Identity Assurance Level (IAL) rates the identity proofing process by which a login is issued to an individual based on their identity. Authenticator Assurance Level (AAL) measures the security of the authentication process, that is, how a user proves to a system that they are the same individual they claim to be. Federation Assurance Level (FAL) pertains to the security level of the assertion used in a federated environment, where many systems rely on a single ID authentication process.
Grassi also said that SP 800-63 now comprises four parts “and could have more in the future as digital identity evolves.”
The components are SP 800-63-3 (Digital Identity Guidelines), the “mothership” guide that includes risk management language designed to align it with OMB guidance; SP 800-63A (Enrollment & Identity Proofing); SP 800-63B (Authentication & Lifecycle Management); and SP 800-63C (Federation & Assertions).
Earlier this year, the FIDO Alliance recommended that a strong authentication requirement be included in the National Institute of Standards and Technology’s (NIST) draft updates to its Framework for Improving Critical Infrastructure Cybersecurity.