NIST updates Digital Identity Guidelines with biometrics requirements, alternatives
The U.S. National Institute of Standards and Technology has released revised guidelines for digital identification in federal government systems.
The new guidelines set technical requirements to support risk-based management of digital identities to reduce fraud and cybercrime, while maintaining equity and fundamental human rights.
The ‘Digital Identity Guidelines’ draft updates the section on using biometrics for identity proofing, including requirements for performance and testing. It identifies authentication methods that are more resistant to phishing attacks, and includes updated recommendations on best practices for sharing and exchanging digital identity information between different systems, as in federated authentication.
Identity federation, authentication, and proofing are dealt with in three volumes following the initial volume describing underlying risk management processes, as in previous versions of the guidelines.
Comments are due by March 24, 2023. NIST will also hold a workshop on January 12, 2023, to explain the major changes to the guidelines.
NIST is an agency of the Department of Commerce.
“These guidelines are intended to help organizations manage risks related to digital identity and get the right services to the right people while preventing fraud, preserving privacy, fostering equity and delivering high-quality, usable services to all,” says Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “We are actively seeking feedback not only from technical specialists, but also from advocacy and community engagement groups that have insight into the potential impacts these technologies can have on members of underserved communities and marginalized groups.”
The previous version of the Digital Identity Guidelines and the role they give to biometrics were explained by Aware CCO Rob Mungovan at Identity Week 2021.
“This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines,” comments Jason Miller, deputy director for management at the Office of Management and Budget.
The draft is intended to align with NIST’s Risk Management Framework, expanding on it with guidance for incorporating equity and usability considerations into digital identity risk management. Miller also noted that the document supports ongoing efforts by the White House to address theft of digital identities and public benefits.