NIST turns to the individual’s roles and responsibilities in digital ID guidance update


The biggest changes to the U.S. government’s guidance for digital identity programs largely focus on the smaller component in the matter – the individual.

The guideline, for those outside the authentication community, is a blueprint for how the U.S. government manages digital ID systems’ needs, requirements and processes.

Previous updates, including the last major one in 2017, did not ignore the role and responsibilities of individuals, but nonetheless focused on the enterprise, says Ryan Galluzzo, the ID program lead in the applied cybersecurity division of the National Institute of Standards and Technology.

There is a better balance between enterprise and individual in the newest edition, Galluzzo said.

He was speaking during the FIDO Alliance’s Authenticate conference. He apologized up front that scheduling changes meant he had to move rapidly through his deck covering guidance updates that are not yet published.

What followed was like the spoken disclaimer at the end of a television pharmaceutical ad. All the information was there and clear, but there was little evidence that Galluzzo took a second breath.

Clearly, much is changing with this proposed update, but the term that came up again and again was the individual. And that focus falls naturally under the guide’s permanent, overarching navigation points: privacy, stability and security, said Galluzzo.

First, there is no availability yet for the tome, which was revamped to advance the cause of equity in systems and to emphasize options and choices for individuals. Everything else could be guessed: deter threats, apply lessons learned since 2017 and clarify and consolidate requirements where needed.

Galluzzo spoke briefly (and rapidly) about how, for example, phishing resistance cannot fall so heavily on individuals’ shoulders.

Efforts have to reduce phishing successes “without having to put the onus on the end user on how to protect their own credentials.”

In another refocusing on the individual, he said the new guidance calls for an applicant reference. When someone is stuck in a digital ID systems loop or lost in details, they should be able to contact a person who can do more than talk them through a solution.

That person, an applicant reference, should be able to “actually make things happen.” The person in that position should be able to provide representation of identity whenever possible.

There was not too much about individual responsibilities in the abbreviated talk, but Galluzzo said that NIST is done couching how to manage passwords. He noted that few want to talk about passwords because they are such a liability even when they are managed well, but they are still out there.

Forget about what people should or should not do; Galluzzo says rules about passwords are replacing wise advice.

NIST also updated its data security and privacy guidance in 2020.
