NIST finalizes radical update of digital ID guidelines
Federal scientists at the National Institute of Standards and Technology have finalized a major update to their guidelines on digital identity authentication, getting rid of outdated requirements like the regular changing of passwords and introducing standards for the use of biometrics and keysticks or other authenticating two-factor tokens.
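To make the password point concrete: SP 800-63B (the Authentication volume of the revised guidelines) drops calendar-based password rotation and instead requires a change only when there is evidence of compromise, sets a minimum of 8 characters for user-chosen memorized secrets with at least 64 permitted, and requires candidate passwords to be checked against a blocklist of breached, common and context-specific values rather than against composition rules. The Python below is an added example written for this article, not NIST's code; the blocklist, the account names and the dates are constructed for illustration, and the function names are my own.

```python
"""Memorized-secret policy checks in the spirit of SP 800-63B section 5.1.1.2.

Added example, not code from NIST or from the article. BLOCKLIST and the
accounts in demo() are constructed stand-ins for a real breached-password feed
and a real user database.
"""
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed blocklist: a real deployment would load breached-password and
# dictionary lists here.
BLOCKLIST = {"password", "12345678", "qwertyui", "letmein1"}


@dataclass
class Account:
    username: str
    password_set_at: datetime
    compromise_suspected: bool = False


def legacy_requires_change(account: Account, now: datetime, max_age_days: int = 90) -> bool:
    """The rule the 2017 revision drops: force rotation every N days, evidence or not."""
    return now - account.password_set_at > timedelta(days=max_age_days)


def sp80063b_requires_change(account: Account) -> bool:
    """800-63B: rotate only on evidence of compromise, never on a timer."""
    return account.compromise_suspected


def sp80063b_check_new_secret(secret: str, username: str,
                              min_len: int = 8, max_len: int = 64) -> List[str]:
    """Return the reasons a candidate secret is rejected; an empty list means accepted.

    Encodes: NFKC normalisation before counting length, at least 8 and up to 64
    code points, no composition rules, and rejection of blocklisted or
    context-specific values (here: the account's own username).
    """
    reasons: List[str] = []
    normalized = unicodedata.normalize("NFKC", secret)
    n = len(normalized)
    if n < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if n > max_len:
        reasons.append(f"longer than {max_len} characters")
    lowered = normalized.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in blocklist of compromised or common passwords")
    if username.lower() in lowered:
        reasons.append("contains the account username (context-specific value)")
    return reasons


def demo() -> Dict[str, object]:
    """Run both policies over constructed accounts and candidate secrets."""
    now = datetime(2017, 7, 1)  # constructed "today"
    stale = Account("alice", datetime(2017, 1, 1))              # 181 days old, no incident
    breached = Account("bob", datetime(2017, 6, 1), compromise_suspected=True)
    return {
        "legacy_forces_stale": legacy_requires_change(stale, now),
        "new_forces_stale": sp80063b_requires_change(stale),
        "new_forces_breached": sp80063b_requires_change(breached),
        "passphrase": sp80063b_check_new_secret("correct horse battery staple", "alice"),
        "too_short": sp80063b_check_new_secret("abc", "alice"),
        "blocklisted": sp80063b_check_new_secret("Password", "alice"),
        "contains_user": sp80063b_check_new_secret("alice-is-great", "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast is in `demo()`: the legacy policy forces the stale but uncompromised account to rotate, while the 800-63B policy leaves it alone and instead forces the account with a suspected compromise to change; the blocklist check rejects "Password" without any uppercase-or-digit rule being involved.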
The final document, dubbed NIST Special Publication 800-63, is the third revision of the guidelines and the end product of a year-plus long process of public consultation, NIST Senior Standards and Technology Advisor Paul Grassi said in a blog post.
More than 74,000 unique visitors looked at the drafts of the revised document on the agency’s website over the past year, he said, and more than 14,000 comments were submitted.
“There is no way a document this comprehensive could have evolved without the direct input of stakeholders, who contributed consistently throughout the drafting process,” wrote Grassi, adding that this was the agency’s first effort to use the open-source code sharing and development site GitHub to collaborate with commentators.
“It was a great success,” he concluded of the use of GitHub.
“Digital identity in both agencies and the [private sector] market have changed dramatically since the last revision of this document in 2013,” Grassi noted. As a result, the document does away with the concept of “levels of assurance,” or LOAs, as a single measure of how secure an identity proofing and login authentication process must be. Instead, the digital ID process is broken down into three stages, each of which is given its own rating depending on how secure it needs to be:
- Identity Assurance Level (IAL): “The identity proofing process and the binding between one or more authenticators and the records pertaining to a specific subscriber” — in other words, the process of issuing a login to an individual based on their identity.
- Authenticator Assurance Level (AAL): Measures the security of the authentication process — how a user demonstrates to a system that they are the individual they claim to be.
- Federation Assurance Level (FAL): The security level of the assertion used in a federated environment — where several systems rely on a single ID authentication process.
Reflecting this breakdown, SP 800-63 now has four parts — “and could have more in the future as digital identity evolves,” states Grassi:
- SP 800-63-3 (Digital Identity Guidelines): The “mothership” guide, containing risk management language designed to align it with OMB guidance.
- SP 800-63A (Enrollment & Identity Proofing)
- SP 800-63B (Authentication & Lifecycle Management)
- SP 800-63C (Federation & Assertions)