FB pixel

NIST finalizes digital ID guidelines, eliminates changing of passwords

Categories Access Control  |  Biometrics News
 

Federal scientists at the National Institute of Standards and Technology have eliminated outdated requirements for the agency’s digital identity authentication guidelines, such as regular changing passwords as well as adding new standards for the use of biometrics, keysticks and other two-factor authentication tokens, according to a report by Cyberscoop.

The final document, dubbed NIST Special Publication 800-63 (PDF), marks the third version of the guidelines and the result of more than a year of public consultation, according to NIST Senior Standards and Technology Advisor Paul Grassi.

The drafts of the revised documents were viewed by more than 74,000 unique visitors on the agency’s website over the last year, with more than 14,000 comments submitted, Grassi said.

“There is no way a document this comprehensive could have evolved without the direct input of stakeholders, who contributed consistently throughout the drafting process,” Grassi wrote in a blog post, calling the agency’s first use of open-source code sharing and development site GitHub a “success”.

“Digital identity in both agencies and the [private sector] market have changed dramatically since the last revision of this document in 2013,” Grassi said.

The finalized document eliminates the concept of “levels of assurance” (LOAs) as a measure of how secure an identity proofing and login authentication process ought to be.

Instead, the agency has separated the digital ID process into three stages, with each one assigned a rating based on how secure it should be.

Identity Assurance Level (IAL) is the process of issuing a login to an individual based on their identity; Authenticator Assurance Level (AAL) measures the security of the authentication process, that is, how a user proves to a system that they are the same individual they claim to be; and Federation Assurance Level (FAL) pertains to the security level of the assertion used in a federated environment, where many systems rely on a single ID authentication process.

Grassi also said that SP 800-63 is now comprised of four parts “and could have more in the future as digital identity evolves.”

The components are as follows: SP 800-63-3 (Digital Identity Guidelines) is the “mothership” guide that includes risk management language designed to align it with OMB guidance, SP 800-63A (Enrollment & Identity Proofing), SP 800-63B (Authentication & Lifecycle Management), and SP 800-63C (Federation & Assertions).

Earlier this year, the FIDO Alliance made recommendations for a strong authentication requirement in the National Institute of Standards and Technology’s (NIST) draft updates to its Framework for Improving Critical Infrastructure Cybersecurity guidelines.

Article Topics

 |   |   |   | 

Latest Biometrics News

 

Japanese govtech startup raises 600 million yen (US$4M) in funding

A release from the Tokyo-based digital ID firm Cross ID says it has raised a total of approximately 600 million…

 

Biometric passports in Google Wallet take (domestic) flight in US

Google Wallet’s feature for digitizing U.S. biometric passports has graduated to a production launch, enabling domestic travel within the country…

 

Challenges remain in effective digital ID management for public benefits, report says

The methods state agencies employ for identity proofing and authentication in online public benefits applications play a crucial role in…

 

Dentity plans decentralized digital ID scale-up with Trinsic platform acquisition

California-based self-sovereign identity provider Dentity is taking over a decentralized ID platform from Trinsic to more quickly scale its consumer-centric…

 

Cluj Airport chooses SITA biometrics to power sustainable travel operations

Romania’s second busiest airport, the Cluj Avram Iancu International Airport, has entered into a collaboration with airport biometrics provider SITA…

 

Birth registration progresses globally but big gaps remain in Sub Saharan Africa: UNICEF

About 8 in 10 children globally below the age of five have had a birth registration around the world in…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events