Biometric authentication accuracy bar rises, assurance levels evolve in NIST guidance
Biometrics performance requirements have been upgraded and identity assurance levels revised in the latest draft update to the U.S. National Institute of Standards and Technology’s Digital Identity Guidelines. NIST reviewed the changes so far, the numerous comments submitted about them, and possible further revisions in a recent webinar.
The changes to biometrics guidelines include a more stringent accuracy requirement for authentication to align with other standards advanced since the previous version was finalized in 2017.
The Base Volume for the 800-63 guideline introduces concepts and defines roles and responsibilities for digital identity proofing, enrollment, authentication and federation. It provides risk assessment methodology and sets assurance levels.
The key changes proposed by NIST include a revamp to the risk management approach to make it more process-oriented, and an amended process for assurance level selection, which also now includes tailoring, Connie LaSalle, senior technology policy advisor at NIST’s Information Technology Lab explains.
The update to the model supports additional deployment options, specifically including federation, adds a section on continuous system evaluation and improvement, and emphasizes a multi-disciplinary approach to risk assessment and management. Considerations for risk assessments for particular individuals and communities are also included.
In the new digital identity model, NIST refers to the “subject” of revision 3 as the “holder” of an ID, to better align with current industry terminology. The “credential service provider” becomes the “issuer,” and “relying parties” become “verifiers,” a term that covers both the parties performing the verification and those that consume the verified information.
NIST is also planning further consultations to provide guidance on equity within the Base Volume, and risk scoring metrics may be introduced.
LaSalle also noted that some of the feedback was contradictory: for example, some organizations asked for decision trees to be reintroduced, while others thanked the agency for removing them.
Enrollment and Identity Proofing
The title for the NIST SP 800-63A guidelines is changing, with “Identity Proofing” and “Enrollment” switching places, says Ryan Galluzzo, identity program lead for NIST’s Applied Cybersecurity Division. That change is just the tip of the iceberg.
The concept of digital evidence has been introduced, and more clarity on that concept is coming, Galluzzo says. The trusted referee role has been mandated at the system level and generally updated. A component identity proofing service may supply the trusted referee, but under the draft the system as a whole must have one.
New biometric requirements for ID proofing have been added. They are specific to the identity proofing context, as opposed to those in volume B. Performance, testing, consent and privacy requirements for facial recognition have been integrated into the guidance.
Identity Assurance Level 1 has been overhauled, from “don’t do identity proofing” in Galluzzo’s words, to “a pretty robust set of controls.” IAL1 is still considered too high-friction by most submitting comments, and NIST is considering further adjustments.
He also reviewed the introduction of “Applicant References” who can vouch for others, and Galluzzo noted a variety of feedback, both positive and seeking more detail. Many commenters requested greater clarity for the main roles in identity proofing, including Applicant References but also Proofing Agents, Trusted Referees and Process Assistants. NIST is working on delineating the boundaries of each. Equity impact assessments and evaluations are also being added to volume A.
The structure of requirements has been updated for greater consistency by popular request, with assurance levels mapped against in-person attended, in-person unattended, remote attended and remote unattended methods.
Additional fraud checks are being considered, including transaction analytics and consortium data.
Some feedback suggested that NIST should define a baseline of core attributes, but in recognition of the specific needs of different businesses and applications and a desire to avoid mandating over-collection of personal information, it will stick to examples.
NIST is also still considering alternative non-biometric options for identity proofing.
Authentication and Lifecycle Management
Volume B is the closest to a final version release, and Andy Regenscheid, PIV technical lead for NIST’s Computer Security Division, says it has fewer major conceptual changes than the others.
Phishing resistance is now defined; the restriction on cloning cryptographic authenticators has been removed so that organizations can sync keys across devices; and ineffective password practices, such as periodic expiration and composition (complexity) rules, have been dropped. Questions during this segment of the event touched on how passkeys fit within NIST’s guidelines.
Biometric performance requirements have been revised, with the maximum permitted false match rate (FMR) tightened from 1 in 1,000 to 1 in 10,000. This reflects improvements in the technology, and also better aligns with other standards, such as the FIDO Alliance’s Biometric Certification Program.
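An added example, not NIST’s or any vendor’s code, showing what the tighter FMR bar means in practice for someone evaluating a matcher: given impostor and genuine comparison scores, pick the operating threshold that holds the empirical FMR at or below a target, then read off the false non-match rate (FNMR) you pay for it. It assumes a similarity score where “match” means score >= threshold; the score distributions below are constructed with a seeded random generator and are not real biometric data. Moving the target from 1 in 1,000 to 1 in 10,000 pushes the threshold up and the FNMR up with it, and a data set with too few impostor comparisons cannot measure the rate at all.

```python
import random

# The two false match rate targets discussed on the page: the previous
# 1 in 1,000 and the revised 1 in 10,000 in the draft SP 800-63B-4.
FMR_OLD = 1 / 1_000
FMR_NEW = 1 / 10_000


def choose_threshold(impostor_scores, target_fmr):
    """Return the decision threshold at which the empirical FMR on the given
    impostor comparison scores is <= target_fmr (match means score >= t).

    With N impostor scores sorted descending, allowing exactly
    k = floor(N * target_fmr) of them to match puts the threshold midway
    between the k-th and (k+1)-th highest score.  If those two scores tie,
    k is reduced until the cut falls in a clean gap.  Raises ValueError when
    N is too small to resolve the target rate at all.
    """
    n = len(impostor_scores)
    k = min(int(n * target_fmr), n - 1)  # impostor matches allowed at the target
    ranked = sorted(impostor_scores, reverse=True)
    while k > 0 and ranked[k - 1] == ranked[k]:
        k -= 1  # tie straddles the cut; tighten until the cut is clean
    if k == 0:
        raise ValueError(
            f"{n} impostor comparisons cannot resolve an FMR of {target_fmr}; "
            f"need more than {int(1 / target_fmr)}, and many more for confidence")
    return (ranked[k - 1] + ranked[k]) / 2


def error_rates(impostor_scores, genuine_scores, threshold):
    """Empirical (FMR, FNMR) at a threshold: impostors accepted, genuine rejected."""
    fmr = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    fnmr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return fmr, fnmr


def meets_requirement(impostor_scores, genuine_scores, threshold, target_fmr):
    """True when the measured FMR at this operating point does not exceed the target."""
    fmr, _ = error_rates(impostor_scores, genuine_scores, threshold)
    return fmr <= target_fmr


def constructed_scores(n_impostor=200_000, n_genuine=20_000, seed=7):
    """Constructed similarity scores standing in for a matcher's output.

    Impostor comparisons cluster low and genuine comparisons cluster high,
    with enough overlap that the two FMR targets land at different
    thresholds.  Synthetic data for illustration, not real biometrics.
    """
    rng = random.Random(seed)
    impostor = [rng.gauss(0.30, 0.10) for _ in range(n_impostor)]
    genuine = [rng.gauss(0.80, 0.12) for _ in range(n_genuine)]
    return impostor, genuine


if __name__ == "__main__":
    impostor, genuine = constructed_scores()
    for label, target in (("1 in 1,000", FMR_OLD), ("1 in 10,000", FMR_NEW)):
        t = choose_threshold(impostor, target)
        fmr, fnmr = error_rates(impostor, genuine, t)
        print(f"target FMR {label}: threshold={t:.3f}  FMR={fmr:.2e}  FNMR={fnmr:.2%}")
    # A few thousand impostor comparisons cannot measure 1 in 10,000:
    try:
        choose_threshold(impostor[:5_000], FMR_NEW)
    except ValueError as err:
        print("cannot evaluate:", err)
```

The empirical estimate is only as good as the number of impostor comparisons behind it: a 1 in 10,000 rate measured on 20,000 comparisons rests on two errors, so a conformance test needs a far larger impostor set than a 1 in 1,000 target did, in addition to the presentation attack detection and testing requirements the draft imposes separately.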
Push authentication requirements have evolved, but SMS remains in the guidance as a permitted out-of-band authenticator for multifactor authentication.
Federation and Assertions
David Temoshok, who leads NIST’s SP 800-63 work from within the Applied Cybersecurity Division, reviewed the changes to volume C.
Like the identity assurance levels, federation assurance levels 1, 2 and 3 have been updated to make them clearer and “more achievable,” and to include protection against injection attacks.
Trust frameworks have been built into the guidance, and the responsibilities of different parties in trust agreements defined.
Provisioning and identity APIs are considered in the revision, and the concept of federated relying party accounts and controls is now included.
This volume will also include a section dedicated to new identity credentials, like the W3C’s verifiable credentials and mobile driver’s licenses, in response to submitted comments.
The public event was followed by a government-only meeting, and the finalized new versions are slated for publication next year.