Managing digital identities can be tough these days. You likely have numerous usernames and passwords to keep straight and, if you’re really working at it, do your best to add two-factor authentication into the mix whenever you can. You probably know you can be doing more, but you’re not sure where to start or what is most secure. At the National Institute of Standards and Technology (NIST), we definitely get it. We know the identity struggle is real.
We are diligently working to offer practical guidance and catalysts to ease the burden of digital identity for organizations and consumers. Specifically, NIST’s Trusted Identities Group (TIG) works to improve online identity for individuals and organizations by encouraging government and commercial adoption of privacy-enhancing, secure, interoperable and easy-to-use identity solutions – our four guiding principles. We want to make sure the underlying foundation of identity processes – the standards and guidelines – is based on and aligned with our guiding principles.
Improving the digital identity world includes doing so for the government, and that includes updating and improving NIST Special Publication (SP) 800-63, Digital Identity Guidelines, a document that covers all things digital identity for federal agencies. Because what government does impacts more than just government, we worked with the community for more than a year, gathered feedback and direct input from stakeholders to finalize the document, and released SP 800-63-3 in June. Now, federal agencies will use this newly updated document to improve and build out their identity services – and we’re hearing from plenty of private organizations that are going to use SP 800-63 as their guidebook.
What Is Special Publication 800-63?
NIST’s SP 800 series defines cybersecurity procedures and guidelines for use within federal agencies. Since 2006, SP 800-63 has been agencies’ go-to resource for identity proofing, authentication and a range of other digital identity questions. While the guidance is not required for use outside of federal agencies, organizations around the world often use it as a basis for their own digital identity efforts.
Why the Changes and New Version?
We revised SP 800-63 so federal agencies can accept a diversity of authentication and identity proofing technologies (in an effort to improve their service delivery and reduce risk). We need to make sure our systems are protected from attacks – but this guidance isn’t just about improving security. It’s also about modernizing our digital infrastructure and improving federal systems’ privacy and usability so consumers can have better online experiences. By doing so, individuals can more easily access government services and be confident that their personal information is kept private – and that no one is over-collecting it.
How Has SP 800-63 Evolved Over Time (i.e., how is SP 800-63-3 different from its predecessor, SP 800-63-2)?
In this version, we broke apart one document into a suite of four (an SP 800-63-3 parent document, SP 800-63A, SP 800-63B, and SP 800-63C), covering digital identity from initial risk assessment to deployment of federated identity solutions that meet the needs of today’s digital economy. These new guidelines better reflect innovation and standards efforts occurring across the globe.
Replacing the singular levels of assurance (LOA) are the new “xALs”: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL) and Federation Assurance Level (FAL). This new system gives agencies more flexibility to pick solutions tailored to their services, users and risk profiles.
With the goal of offering agencies more options, we made a variety of updates to identity proofing and authentication and added new in-depth requirements for identity federation. In identity proofing, agencies now have more options for establishing a high-assurance digital identity. For example, there is no longer a static list of acceptable documents for achieving different levels of assurance in identity proofing. Now, evidence gets ranked based on its characteristics, and agencies can mix and match documents based on their desired assurance levels.
The new publication also offers more options on the authentication side – particularly at higher assurance levels – to help organizations remain innovative, including security keys and a comprehensive set of biometric performance and security requirements. Other big changes include no longer being able to ask questions like the infamously-not-private “What’s your mother’s maiden name?” to authenticate or recover a lost, stolen or forgotten credential – plus restrictions on the use of SMS in multi-factor authentication.
Identity federation enables an identity provider to proof and authenticate someone and provide identity assertions that other organizations can accept and trust. Simply put, this is like using Twitter or Google to log in to other sites – though there’s a bit more to it for transactions that need stronger identity proofing and authentication. SP 800-63C lays out the details of identity federation and assertions to keep its implementation simple and trustworthy.
For a deep dive on what’s changed in the new version, head over to the TIG’s I Think, Therefore IAM blog.
What Impact Does This Have on Agencies and Other Organizations?
For legacy systems, federal agencies have up to 12 months to comply with the new guidelines; however, new systems in development – and those not yet deployed – must meet the new guidelines before going into production. Agencies rolling out constituent-facing identity programs will also be looking at the guidelines and taking advantage of the flexibility in identity proofing and authentication options.
Our overall goal with the new publication is to make sure that agencies have a path forward when it comes to working with high-assurance digital identities. This will make conducting business online easier, more secure and more cost effective.
We plan to continue engaging with implementers to gather and share lessons learned throughout the current revision. We are already drafting implementation guides for each of the SP 800-63 documents. These guides will provide stepwise instructions on how to implement some of the more complicated aspects of the Digital Identity Guidelines. The first set will focus on identity proofing, and we will release further guidance over the course of the year – so stay tuned! Follow us on Twitter and subscribe to our blog to hear from us every step of the way.
About the Author
Paul Grassi is the senior standards and technology advisor at NIST. He joined NIST in June 2014 to advance and accelerate the development and adoption of identity authentication and authorization related standards and technologies needed to implement the identity ecosystem envisioned in the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Mr. Grassi comes to NIST with a broad background of technology and management consulting and significant experience developing enterprise security strategies and systems, having served a range of Fortune 500 companies and both domestic and foreign governments.