More nuanced biometrics test guidance and new vouching roles tipped for NIST updates

Biometrics testing that takes equity into account, vouching and referees are key changes being introduced into the National Institute of Standards and Technology’s digital ID guidance, attendees of the today’s OIX Identity Trust Update were told by an official from the U.S. agency.

Ryan Galluzzo of the Applied Cybersecurity Division at NIST’s Information Technology Lab presented the update at the hybrid event hosted by the Open Identity Exchange.

The public comment period for NIST’s ongoing update of its 800-63-4 digital identity guidelines closed on April 14, and the agency is now sifting through the 3,400 different pieces of feedback it received.

The changes, which are intended to reflect the public comments NIST began gathering in 2020, and the lessons of the pandemic, include guidance on evaluating the performance of digital identity tools, both overall and for different demographic groups.

Controls to defend against automated attacks and other advanced threats are also being written in.

Galluzzo says the new draft makes significant changes to all four volumes of 800-63-4, and identified seven in particular. Biometric performance requirements for identity proofing and authentication are being updated, after the previous version did not differentiate between the two.

An Identity Assurance Level 1, at which biometrics are optional, is being established. Other updates detail how to incorporate mobile driver’s licenses, and introduce the concept of “Applicant References,” which are people who can vouch for an identity or attribute, and mandates “Trusted Referees.” Phishing resistance is defined, which Galluzzo tied to the broader federal government move towards zero trust.

Another workshop will likely be held by NIST during the summer to go through the changes, he said, and a decision on the publication timeline should be ready by the fall.

He also reviewed NIST’s IAM Roadmap, which is currently open for public comment until June 1. The agency is engaged with W3C on verifiable credentials and the various bodies working on standards for digital wallets as it goes through the review, Galluzzo said, referring to the presentation by the Open Wallet Foundation immediately prior to his.

NIST’s National Cybersecurity Center of Excellence is currently running an mDL and mobile digital identity project bringing together different participants within the ecosystem to prototype use cases.

Galluzzo invited stakeholders to get in touch to help with the project.

Article Topics

biometric testing  |  biometrics  |  digital identity  |  identity assurance  |  NIST  |  Open Identity Exchange (OIX)  |  Ryan Galluzzo  |  standards