Digital Identity Guidelines

This article summarizes the Digital Identity Guidelines published by the National Institute of Standards and Technology (NIST) to provide direction on securely managing digital identities. A digital identity is the online equivalent of a physical identity: a set of data that uniquely identifies an individual or entity and can be used to authenticate it and to authorize its access to online resources.

The Digital Identity Guidelines are divided into three parts: 800-63-A, which covers enrollment and identity proofing; 800-63-B, which covers authentication and lifecycle management; and 800-63-C, which covers federation and assertions. Each part contains requirements that an organization must meet to ensure the security of its digital identities.

Digital Identity Guidelines Part A: Enrollment and Identity Proofing
The first part of the digital identity guidelines, 800-63-A, covers enrollment and identity proofing. This part contains requirements for how organizations should collect and verify information about an individual’s identity. Also, this part of the guidelines covers what type of information should be collected during enrollment. The requirements in this part are designed to ensure that only legitimate users are able to access online resources.

Organizations must first decide what information they need to collect in order to verify an individual’s identity. This information can include, but is not limited to, name, physical address, email address, Social Security Number, and date of birth. The decision should be based on the sensitivity of the information being protected and the level of assurance that is needed, which lets the organization balance security and privacy appropriately.

Next, the organization must collect the required information from the individual. This can be done through in-person interactions, online forms, or other means. The in-person interaction should take place in a secure location, such as a government office or bank. The individual’s identity should be verified using at least two kinds of identification. These identification forms can include a driver’s license, passport, or birth certificate. The online forms should be hosted on a secure website. The individual’s identity should be verified using strong authentication, such as two-factor authentication.

Once the required information has been collected, the organization must verify that the individual is who they claim to be. It must have processes and systems in place to carry out this verification, including ensuring that the data is drawn from a reliable source, such as an official government document. The organization must also confirm that the information collected is accurate and up to date, which can be done using methods such as automated checks, manual reviews, or third-party verification.

Manual checks should be conducted for high-risk situations, such as when an individual is attempting to access sensitive information. Automated checks can be used for low-risk situations, such as when an individual is trying to access non-sensitive information. Third-party verification can be used when the organization does not have the capability to verify the collected data.

After the organization has verified the individual’s identity, it must issue a credential to the individual. This credential can be in the form of a username and password, a digital certificate, or a physical token. The credential should be issued in a secure manner, such as through a secure website or an in-person interaction. It should be unique to the individual and should not be shared with anyone else.

Finally, the guidelines require that organizations take steps to protect the collected information. This includes storing the information in a secure location, such as a locked filing cabinet or a secure database. The information should only be accessed by authorized personnel. The organization should also have procedures in place to ensure that the data is appropriately disposed of when it is no longer needed.

Part B: Authentication and Lifecycle Management
The second part of the digital identity guidelines, 800-63-B, covers authentication. Authentication is the process of verifying that an individual is who they claim to be. This part of the guidelines provides requirements for four levels of assurance: low, moderate, high, and special.

Low assurance is an authentication process that provides a reasonable level of confidence in the asserted identity. This level is typically used for situations where the risks are low, such as when an individual is accessing non-sensitive information. Moderate assurance is an authentication process that provides a high level of confidence in the asserted identity. This level is typically used for situations where the risks are moderate, such as when an individual is accessing sensitive information. High assurance is an authentication process that provides a very high level of confidence in the asserted identity. This level is typically used for situations where the risks are high, such as when an individual is accessing critical information. Special assurance is an authentication process that provides an extremely high level of confidence in the asserted identity. This level is typically used for situations where the risks are very high, such as when an individual is accessing information that could have a significant negative impact if it were to fall into the wrong hands.

The guidelines also specify the types of authentication factors that can be used to verify an individual’s identity. These factors are divided into three categories: something you know, something you have, and something you are.

Something you know includes information that only the individual knows, such as a password or a PIN. Something you have includes an object that only the individual has, such as a key or a token. Something you are includes a characteristic that only the individual has, such as a fingerprint or a retina scan.

The guidelines also specify the minimum number of authentication factors that must be used for each level of assurance. For low assurance, one authentication factor must be used. For moderate assurance, two authentication factors must be used, with one being something you know and the other being either something you have or something you are. For high assurance, three authentication factors must be used, with one being something you know, one being something you have, and one being something you are. For special assurance, four authentication factors must be used, with two being something you know and two being either something you have or something you are.

Part C: Federation and Assertions
The third part of the digital identity guidelines, 800-63-C, covers federation and identity management. Federation is the process of sharing information between organizations to verify an individual’s identity. This part of the guidelines provides an overview of how federation works and what standards are used to ensure compatibility between different federated systems. Identity management is the process of managing digital identities, including creating, updating, and deleting them. This part of the guidance also describes how digital signatures can be used to verify the identity of individuals who are requesting access to resources. The guidelines cover two main types of authorization: static authorization and dynamic authorization.

Static authorization, which is based on the identity of the individual and does not change over time, is the simplest form of authorization. In this type of authorization, an individual is granted access to a resource without having to go through an approval process each time they wish to access the resource. For example, an employee might be given static authorization to access their company’s email server. This type of authorization is typically used for resources that do not need to be protected from unauthorized access and do not require frequent updates. Organizations must take care when using static authorization, as it can be easy to grant too much access to individuals. It is essential to only give individuals the level of access that they need to perform their job duties.

Dynamic authorization, on the other hand, is based on the individual’s current situation and can change over time. This type of authorization is typically used for resources that need to be protected from unauthorized access and require frequent updates. For example, an individual might be given dynamic authorization to access their bank account information. This authorization would allow the individual to view their account balance and transactions but would not allow them to transfer funds.

Dynamic authorization can be used to control the level of access that individuals have to resources, so it is essential to carefully consider the level of access that each individual needs before granting them dynamic authorization to a resource. Digital signatures can support these decisions: they can be used to verify the identity of individuals who are requesting access to resources and to verify the identity of the individual who signed a document.

Digital signatures are created using a key pair consisting of a public key and a private key. The private key is used to create the signature, while the corresponding public key is used to verify it.

Organizations can use digital signatures to verify the identity of individuals who are requesting access to resources. This type of verification can be used to control the level of access that individuals have to resources. It is essential to carefully consider the level of access that each individual needs before granting them access to a resource.
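As an added example that is not part of the article or of NIST's publications, the following Go program shows the federation exchange described above: an identity provider signs an assertion about an authenticated individual with its private key, and a relying party verifies that signature with the identity provider's public key before checking that the assertion was issued for it and has not expired. The assertion format, the field names, the subject name and the URLs are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed, minimal federation assertion: the identity provider (IdP) states who authenticated, for which relying party, and until when.
type Assertion struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"` // Unix seconds
}

// Sign serializes the assertion and signs it with the IdP's private key.
func Sign(priv ed25519.PrivateKey, a Assertion) (msg, sig []byte, err error) {
	if msg, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Verify is the relying party's check: the signature must validate under the IdP's public key, then audience and expiry must hold before the subject is trusted.
func Verify(pub ed25519.PublicKey, msg, sig []byte, wantAud string, now time.Time) (string, error) {
	if !ed25519.Verify(pub, msg, sig) {
		return "", errors.New("signature invalid: assertion altered or not from this IdP")
	}
	var a Assertion
	if err := json.Unmarshal(msg, &a); err != nil {
		return "", err
	}
	if a.Audience != wantAud {
		return "", errors.New("assertion issued for a different relying party")
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return "", errors.New("assertion expired")
	}
	return a.Subject, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg, sig, _ := Sign(priv, Assertion{"alice", "https://rp.example", time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(Verify(pub, msg, sig, "https://rp.example", time.Now()))    // alice <nil>
	fmt.Println(Verify(pub, msg, sig, "https://other.example", time.Now())) // "" assertion issued for a different relying party
}
```

The audience check is what stops an assertion issued for one relying party from being replayed at another, and the expiry check bounds how long a captured assertion remains usable.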

Overall, the goal of these guidelines is to ensure that only legitimate users are able to access online resources. By collecting and verifying information about an individual’s identity, organizations can ensure that only those authorized to access the resources can do so. By taking steps to safeguard digital identities and protect the collected data, organizations can further reduce the risk of unauthorized access.
