FB pixel

Industry, govt work to align FIDO and NIST authentication standards

Industry, govt work to align FIDO and NIST authentication standards
 

On day two of the 2023 Authenticate conference focused on user authentication, five prominent cybersecurity professionals convened on a panel to answer the titular question, “So, What Does the U.S. Government Think About FIDO Authentication?”

The panel was curated by Jeremy Grant, managing director for Venable’s Technology and Innovation Group, in his role as an advisor to the FIDO Alliance on government engagement. Grant cites the 2022 U.S. government policy calling for the use of phishing-resistant authentication across government systems, as well as new NIST guidance recognizing synced passkeys, as evidence that the White House is a fan of FIDO.

Representatives from NIST, the IRS, and the General Service Administration traded thoughts and insights on identity assurance, and the evolving definition of phishing-resistance. Ryan Galluzzo, Digital Identity Program Lead for the Applied Cybersecurity Division at NIST, gave an update on release of updates to Special Publication 800-63 Digital Identity Guidelines, saying the evaluation of around 3900 comments from stakeholders is nearing completion.

Galluzzo promises “more formal communication coming from us on what the actual plan of release is going to be for each one of the volumes,” but says NIST anticipates there being a new public draft of the base volume, 800-63A and 800-63C, “based on the volume of changes as well as some of the changes we’ve received public comments on around things like integration of verifiable credentials and mobile driver’s licenses into the identity proofing side of the house.”

Align FIDO and NIST authentication assurance levels

Moushmi Banerjee, senior software architect at Okta, spoke about the growing need for secure authentication in the panel, “Enhancing User Experience and Security with FIDO Authentication and NIST Guidelines.”

“As more and more services move online, the need for secure authentication of user identities becomes extremely important, especially with the exponential increase in bad actors compromising passwords,” she says.

Banerjee has the same issues with passwords as many in the authentication sector, and says authentication standards like FIDO and NIST can help usher in passwordless authentication methods that are user-centric and more phishing-resistant, such as passkeys. Among key points of the FIDO standards, she listed the use of public key cryptography and vendor neutrality.

In a brief summary of NIST SP 800-63B, which covers authentication and lifecycle management, Banerjee breaks down the different authentication assurance levels, which require different levels of single (IAL1) or multi-factor authentication (IAL2, IAL3) and identity proofing. IAL3 requires MFA with cryptographic software authentication such as biometric liveness detection.

To align FIDO with NIST levels, Banerjee says, align authenticator risk levels of low, medium or high with the authentication assurance levels 1, 2 and 3, then choose an authentication based on its strength. NIST SB 800-63B provides guidance on alignment.

Related Posts

Article Topics

 |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics connecting ID and payments through digital wallets, apps and passkeys

Biometrics are connecting with payment credentials, whether through numberless credit cards and banking apps or passkeys, as the concrete steps…

 

Reach of Musk, DOGE’s federal data access sets off privacy, security alarms

Led by tech billionaire Elon Musk and a shadowy team believed to be under his control, the United States DOGE…

 

Mobile driver’s licenses on the cusp of ‘major paradigm shift’

More entities have integrated the California mobile driver’s license (mDL) credential for identity verification. Although just 15 states have introduced…

 

Gesture-based age estimation tool BorderAge joins Australia age assurance trial

Australia’s age assurance technology trial is testing the new biometric tool that performs age estimation based on hand gestures. The…

 

European AI compliance project CERTAIN launches

The pan-European project to create AI compliance tools CERTAIN has kicked off its work, with the goal of making European…

 

Signaturit Group acquiring Validated ID for undisclosed sum

Spain-based digital identity and electronic signature provider Validated ID is being acquired by Signaturit Group, a European company offering identity…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events