Pats on the back, questions and suggestions for NIST’s Digital Identity Guidelines

The U.S. National Institute of Standards and Technology should communicate clearly with Congress and continue to refine key concepts in digital identity management, according to comments from organizations responding to a call for feedback on second public draft of its Digital Identity Guidelines.

The revised Digital Identity Guidelines presented in the second draft of NIST SP 800-63 Revision 4 flesh out guidance on the use of digital wallets and passkeys. The comment period closed on Monday, October 7.

Three Republican members of the House Committee on Science Space and Technology want to hear from NIST on the findings of its research into digital identity and facial recognition, and how the Guidelines can address reliability, security and accuracy concerns.

In a letter to NIST Director Laurie Locascio, the trio, who chair the Committee, as well as its subcommittees on Research and Technology and Investigations and Oversight, note concerns regarding the privacy compatibility and accuracy of facial recognition. They also note that in learning about the Identity Assurance Levels (IALs) defined by NIST, some of their concerns have been addressed.

“That said, some concerns remain with the reliability, accuracy, and security of the technology as well as future developments in face recognition technology and other forms of digital identity,” the write.

Six questions follow, asking about NIST’s process for updating the guidance as new threats emerge, how it participates in facial recognition standards development and its measure for promoting facial recognition accuracy and reliability, in particular across different demographics. The members of Congress ask how revisions 3 and 4 of the Guidelines address privacy concerns, “what safeguards are in place” for personally identifiable information (PII) used in facial recognition and how NIST supports federal agencies implementing its guidance.

The letter requests answers by October 22.

NGOs see positive steps, room for improvement

The Center for Democracy & Technology (CDT) begins by lauding NIST’s work addressing equity, accessibility and privacy in the update. The emphasis on providing options is especially welcome, CDT says.

The group goes on to suggest changes to 8 different areas of the Guidelines in its feedback. NIST should consider adding “documentation” to the Digital Identity Risk Management (DIRM) process and consider access to identity evidence and in-person proofing options for specific populations.

The CDT suggests that disability and gender identity be included in biometric performance evaluation.

For the non-biometric IAL2 method involving confirmation codes sent to the physical address of the user, minimum validity periods should be recommended, along with the maximums included in the draft.

The CDT also wants NIST to enshrine choice among digital wallets and user control over wallet attributes, and to make key privacy recommendations into requirements.

CDT is a partner to NIST, along with Georgetown University’s Beeck Center for Social Impact + Innovation, on a project to tailor its digital identity guidelines for the delivery of public benefits.

Joint feedback from the American Civil Liberties Union and Electronic Privacy Information Center (EPIC) breaks down into four suggestions.  NIST should focus on large-scale fraud attacks, address “second-order risks” from third-party vendors and private sector players, emphasize anonymous and pseudonymous authorization and rethink its user groups, the organizations argue.

On the latter point, the ACLU and EPIC note that people with physical disabilities and fleeing domestic abuse might be included in the same “user group” by NIST, but have very different concerns in applying for benefits.

They also argue that “biometric systems are unreliable due to inherent biases present in facial recognition technologies – as well as the increasing sophistication of biometric spoofing techniques using generative artificial intelligence,” though without providing specific examples of spoofed face biometrics systems.

There is significant overlap between the feedback from the ACLU and EPIC and that from CDT, in terms of approval for fostering trust in digital identity services, building options into the Guidelines and encouraging privacy protections.

Article Topics

biometrics  |  Center for Democracy & Technology  |  data privacy  |  digital identity  |  digital wallets  |  IAL2  |  NIST  |  passkeys  |  standards  |  U.S. Government