FB pixel

Industry, govt work to align FIDO and NIST authentication standards

Industry, govt work to align FIDO and NIST authentication standards
 

On day two of the 2023 Authenticate conference focused on user authentication, five prominent cybersecurity professionals convened on a panel to answer the titular question, “So, What Does the U.S. Government Think About FIDO Authentication?”

The panel was curated by Jeremy Grant, managing director for Venable’s Technology and Innovation Group, in his role as an advisor to the FIDO Alliance on government engagement. Grant cites the 2022 U.S. government policy calling for the use of phishing-resistant authentication across government systems, as well as new NIST guidance recognizing synced passkeys, as evidence that the White House is a fan of FIDO.

Representatives from NIST, the IRS, and the General Service Administration traded thoughts and insights on identity assurance, and the evolving definition of phishing-resistance. Ryan Galluzzo, Digital Identity Program Lead for the Applied Cybersecurity Division at NIST, gave an update on release of updates to Special Publication 800-63 Digital Identity Guidelines, saying the evaluation of around 3900 comments from stakeholders is nearing completion.

Galluzzo promises “more formal communication coming from us on what the actual plan of release is going to be for each one of the volumes,” but says NIST anticipates there being a new public draft of the base volume, 800-63A and 800-63C, “based on the volume of changes as well as some of the changes we’ve received public comments on around things like integration of verifiable credentials and mobile driver’s licenses into the identity proofing side of the house.”

Align FIDO and NIST authentication assurance levels

Moushmi Banerjee, senior software architect at Okta, spoke about the growing need for secure authentication in the panel, “Enhancing User Experience and Security with FIDO Authentication and NIST Guidelines.”

“As more and more services move online, the need for secure authentication of user identities becomes extremely important, especially with the exponential increase in bad actors compromising passwords,” she says.

Banerjee has the same issues with passwords as many in the authentication sector, and says authentication standards like FIDO and NIST can help usher in passwordless authentication methods that are user-centric and more phishing-resistant, such as passkeys. Among key points of the FIDO standards, she listed the use of public key cryptography and vendor neutrality.

In a brief summary of NIST SP 800-63B, which covers authentication and lifecycle management, Banerjee breaks down the different authentication assurance levels, which require different levels of single (IAL1) or multi-factor authentication (IAL2, IAL3) and identity proofing. IAL3 requires MFA with cryptographic software authentication such as biometric liveness detection.

To align FIDO with NIST levels, Banerjee says, align authenticator risk levels of low, medium or high with the authentication assurance levels 1, 2 and 3, then choose an authentication based on its strength. NIST SB 800-63B provides guidance on alignment.

Related Posts

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics, electronic devices and identity credentials converging

Biometrics in electronic devices and ID documents to support digital identity are a major theme of the week’s top stories…

 

SITA wraps up acquisition of Materna IPS

SITA reports it has completed all necessary regulatory and legal procedures and finalized its acquisition of Materna IPS, a provider…

 

Payface lands new retail biometric payments deal in Brazil

Brazilian face biometrics payments startup Payface has clinched a deal with supermarket chain Ítalo. Ítalo Supermercados, based in the southern…

 

EU to fund digital programs with €108m, including digital identity

The European Union has issued a new call for funding within the Digital Europe Programme (DIGITAL), allocating over 108 million…

 

Lawmakers try again to kill diversion of TSA screening tech funds

Because of Washington partisan politics, the U.S. Transportation Security Administration (TSA) doesn’t expect to be able to field upgraded and…

 

Florida tosses mDL program into the Gulf

Florida’s mobile driver’s license has been shut down, making the state a rare case in the world of a place…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events