Industry, govt work to align FIDO and NIST authentication standards
On day two of the 2023 Authenticate conference focused on user authentication, five prominent cybersecurity professionals convened on a panel to answer the titular question, “So, What Does the U.S. Government Think About FIDO Authentication?”
The panel was curated by Jeremy Grant, managing director for Venable’s Technology and Innovation Group, in his role as an advisor to the FIDO Alliance on government engagement. Grant cites the 2022 U.S. government policy calling for the use of phishing-resistant authentication across government systems, as well as new NIST guidance recognizing synced passkeys, as evidence that the White House is a fan of FIDO.
Representatives from NIST, the IRS, and the General Service Administration traded thoughts and insights on identity assurance, and the evolving definition of phishing-resistance. Ryan Galluzzo, Digital Identity Program Lead for the Applied Cybersecurity Division at NIST, gave an update on release of updates to Special Publication 800-63 Digital Identity Guidelines, saying the evaluation of around 3900 comments from stakeholders is nearing completion.
Galluzzo promises “more formal communication coming from us on what the actual plan of release is going to be for each one of the volumes,” but says NIST anticipates there being a new public draft of the base volume, 800-63A and 800-63C, “based on the volume of changes as well as some of the changes we’ve received public comments on around things like integration of verifiable credentials and mobile driver’s licenses into the identity proofing side of the house.”
Align FIDO and NIST authentication assurance levels
Moushmi Banerjee, senior software architect at Okta, spoke about the growing need for secure authentication in the panel, “Enhancing User Experience and Security with FIDO Authentication and NIST Guidelines.”
“As more and more services move online, the need for secure authentication of user identities becomes extremely important, especially with the exponential increase in bad actors compromising passwords,” she says.
Banerjee has the same issues with passwords as many in the authentication sector, and says authentication standards like FIDO and NIST can help usher in passwordless authentication methods that are user-centric and more phishing-resistant, such as passkeys. Among key points of the FIDO standards, she listed the use of public key cryptography and vendor neutrality.
In a brief summary of NIST SP 800-63B, which covers authentication and lifecycle management, Banerjee breaks down the different authentication assurance levels, which require different levels of single (IAL1) or multi-factor authentication (IAL2, IAL3) and identity proofing. IAL3 requires MFA with cryptographic software authentication such as biometric liveness detection.
To align FIDO with NIST levels, Banerjee says, align authenticator risk levels of low, medium or high with the authentication assurance levels 1, 2 and 3, then choose an authentication based on its strength. NIST SB 800-63B provides guidance on alignment.