NIST Digital Identity Summary and Update
This article provides a NIST digital identity summary and update related to NIST special publication 800-63 for digital identity guidelines. The National Institute of Standards and Technology (NIST) digital identity guidelines, known as Special Publication (SP) 800-63, provide recommendations for creating and maintaining secure digital identities. The guidelines are intended to help organizations, government agencies, and other entities establish a secure and trustworthy digital identity ecosystem.
The guidelines cover topics related to digital identity, including:
- Authentication: guidelines for verifying the identity of a user through various methods such as multi-factor authentication, knowledge-based authentication, and biometric authentication.
- Authorization: guidelines for granting access to resources and information based on the user’s verified identity.
- Identity proofing: guidelines for verifying the identity of an individual, including identity proofing remotely and in-person.
- Identity assurance: guidelines for determining the level of trust that can be placed in an individual’s identity claim.
- Risk-based authentication: guidelines for assessing the risk level associated with a given transaction and adjusting authentication methods accordingly.
- Out-of-band authentication: guidelines for using a separate method to verify an identity.
The NIST digital identity guidelines are voluntary but widely adopted by many companies and governments globally. They are designed to provide a comprehensive and flexible framework for creating and maintaining secure digital identities, with a focus on providing robust remote identity proofing and device-based authentication options, while balancing security and usability.
Purpose of NIST Digital Identity Guidelines
The purpose of the NIST digital identity guidelines is to provide a set of best practices for creating and maintaining secure digital identities, to help organizations and government agencies establish a secure and trustworthy digital identity ecosystem, and to offer a comprehensive and flexible framework for doing so.
NIST Digital Identity Updates
The National Institute of Standards and Technology (NIST) regularly updates its digital identity guidelines, known as Special Publication (SP) 800-63. These guidelines provide recommendations for creating and maintaining secure digital identities, including guidelines for authentication and authorization. Some of the changes in recent updates include:
- SP 800-63-3 (2017): This update introduced new guidelines for multi-factor authentication, along with the concepts of “verifiers” (organizations or entities that verify identities) and “subscribers” (individuals who are seeking to prove their identity).
- SP 800-63B (2018): This update provided additional guidelines for multi-factor authentication, including guidelines for using knowledge-based authentication (KBA) and risk-based authentication.
- SP 800-63C (2020): This update was a major revision of the previous version, adding new guidelines for remote identity proofing, device-based authentication, and more. The guidelines are focused on the new concepts of “identity assurance level (IAL)” and “authentication assurance level (AAL)”.
It is important to note that NIST guidelines are voluntary, but are widely adopted by many organizations and government agencies in the United States and around the world.
SP 800-63C Update 2020
SP 800-63C, which was released in 2020, is a major update to the previous version of NIST’s digital identity guidelines. Some of the key updates include:
- Remote Identity Proofing: This update introduces new guidelines for verifying identities remotely, such as through online or video-based methods. This is important in light of the increased use of remote work and online services.
- Device-based Authentication: The update also includes new guidelines for device-based authentication methods, such as using a device’s biometric data or other unique characteristics to authenticate a user.
- Identity Assurance Level (IAL) and Authentication Assurance Level (AAL): In previous versions of the guidelines, NIST recommended different levels of authentication based on the sensitivity of the information being accessed. In this update, NIST introduced the concept of “identity assurance level (IAL)” and “authentication assurance level (AAL)” to provide a more comprehensive framework for assessing the level of assurance required for different types of transactions.
- Biometric Authentication: This update also provides specific guidelines for biometric authentication, which is becoming more widely adopted as a means of verifying identity.
- Risk-based Authentication: The guidelines also introduce the concept of risk-based authentication, which allows organizations to assess the level of risk associated with a given transaction and adjust their authentication methods accordingly.
- Out-of-band Authentication: The guidelines also provide recommendations for out-of-band authentication, which is a method of authentication that uses a separate communication channel (e.g. SMS, phone call) to verify a user’s identity.
Overall, the SP 800-63C update provides a more comprehensive and flexible framework for creating and maintaining secure digital identities, with a focus on providing more robust remote identity proofing and device-based authentication options.
What is Remote Identity Proofing?
Remote identity proofing, also known as remote identity verification, is the process of verifying a person’s identity remotely, typically through an online or video-based process. This can be accomplished through various methods, including:
- Document verification: This involves verifying a person’s identity by comparing information on a government-issued ID (e.g. passport, driver’s license) to information provided by the individual.
- Knowledge-based authentication (KBA): This involves verifying a person’s identity by asking them to answer personal questions, such as their mother’s maiden name or the name of their first pet.
- Biometric verification: This involves using a person’s unique physical or behavioral characteristics (e.g. fingerprints, facial recognition) to verify their identity.
- Video-based verification: This involves using video conferencing technology to conduct a live interview with the individual to verify their identity.
Remote identity proofing is becoming increasingly important as more and more transactions and interactions are conducted online, and in light of the increased use of remote work and online services. The NIST SP 800-63C guidelines provide recommendations for remote identity proofing, including the use of multiple methods to verify identity in order to increase the overall level of assurance.
It’s important to note that remote identity proofing is not a replacement for in-person identity verification, but rather an additional means of identity verification that can be used in circumstances where in-person verification is not possible or feasible.
What is Risk-based Authentication?
Risk-based authentication (RBA) is a method of assessing the level of risk associated with a given transaction and adjusting authentication methods accordingly. This approach allows organizations to balance security and usability by only requiring stronger authentication methods when the risk of fraud or unauthorized access is higher.
Risk-based authentication typically involves evaluating a number of different factors to determine the level of risk associated with a given transaction. These factors can include:
- The type of transaction being conducted
- The sensitivity of the information being accessed
- The location of the user
- The device being used
- The behavior of the user (e.g. whether they have a history of suspicious activity)
Based on the level of risk determined, the organization can then choose an appropriate level of authentication to use. For example, if the risk is low, a simple username and password may be sufficient, while a higher-risk transaction may require multi-factor authentication (MFA) or other stronger methods.
Risk-based authentication is becoming an increasingly popular approach to identity and access management, as it allows organizations to provide a more seamless user experience while still maintaining a high level of security. The NIST SP 800-63C guidelines provide recommendations for risk-based authentication, including how to evaluate risk and how to implement risk-based authentication in a way that is both effective and secure.
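The scoring approach described above, written out as an added Python example (this is not code from NIST or from SP 800-63; the factor weights, thresholds, the sample device registry and the flagged-user list are all constructed assumptions for illustration). Each of the five factors the text lists contributes to a score, the score selects the authentication requirement, and unrecognised category values are deliberately treated as maximum risk so that a malformed request can never score as "low":

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data standing in for a device registry and a fraud/abuse history.
KNOWN_DEVICES: Dict[str, set] = {"alice": {"dev-a1"}, "bob": {"dev-b1", "dev-b2"}}
FLAGGED_USERS = {"mallory"}

# Illustrative weights (assumptions, not NIST values) for the factors the text lists.
SENSITIVITY_WEIGHT = {"low": 0, "moderate": 2, "high": 4}
TRANSACTION_WEIGHT = {"read": 0, "update_profile": 2, "payment": 3, "admin": 4}


@dataclass(frozen=True)
class Transaction:
    user: str
    kind: str          # type of transaction being conducted
    sensitivity: str   # sensitivity of the information being accessed
    country: str       # country geolocated from the request
    home_country: str  # country on record for the user
    device_id: str     # fingerprint or registered identifier of the device


def risk_score(tx: Transaction) -> Tuple[int, List[str]]:
    """Return (score, reasons). Unknown categories get the highest weight (fail closed)."""
    score = 0
    reasons: List[str] = []

    w = TRANSACTION_WEIGHT.get(tx.kind, max(TRANSACTION_WEIGHT.values()))
    if w:
        score += w
        reasons.append(f"transaction type {tx.kind!r} (+{w})")

    w = SENSITIVITY_WEIGHT.get(tx.sensitivity, max(SENSITIVITY_WEIGHT.values()))
    if w:
        score += w
        reasons.append(f"data sensitivity {tx.sensitivity!r} (+{w})")

    if tx.country != tx.home_country:
        score += 2
        reasons.append(f"location {tx.country} differs from home {tx.home_country} (+2)")

    if tx.device_id not in KNOWN_DEVICES.get(tx.user, set()):
        score += 2
        reasons.append(f"unrecognised device {tx.device_id!r} (+2)")

    if tx.user in FLAGGED_USERS:
        score += 3
        reasons.append("user has a history of suspicious activity (+3)")

    return score, reasons


def required_authentication(score: int) -> str:
    """Map the score to an authentication requirement (thresholds are assumptions)."""
    if score <= 1:
        return "password"            # low risk: a single factor suffices
    if score <= 5:
        return "mfa"                 # elevated risk: require a second factor
    return "mfa+step_up_review"      # high risk: MFA plus hold/manual review


def decide(tx: Transaction) -> dict:
    """Evaluate one transaction and return the decision with its audit trail."""
    score, reasons = risk_score(tx)
    return {"score": score, "auth": required_authentication(score), "reasons": reasons}


if __name__ == "__main__":
    samples = [
        Transaction("alice", "read", "low", "US", "US", "dev-a1"),
        Transaction("bob", "update_profile", "moderate", "US", "US", "dev-b1"),
        Transaction("mallory", "payment", "low", "US", "US", "dev-x9"),
        Transaction("alice", "???", "???", "US", "US", "dev-a1"),   # malformed request
    ]
    for tx in samples:
        print(tx.user, decide(tx))
```

Keeping the reasons list alongside the score matters operationally: the same record that drove the step-up decision can be written to the authentication log, which is what an analyst needs when reviewing why a login was challenged or, in an incident, why it was not.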
What is Out-of-band Authentication?
Out-of-band authentication (OOB) is a method of authentication that uses a separate communication channel to verify a user’s identity. This separate channel is typically used as a secondary means of authentication, in addition to something the user knows (like a password), something the user has (like a security token), or something the user is (like a biometric).
There are different ways OOB authentication can be implemented, but some common examples include:
- Sending a one-time passcode (OTP) to a user’s mobile phone or email address and asking the user to enter it on the login page.
- Making a phone call or sending a text message to a user’s phone number, and asking the user to confirm their identity by responding to the message.
- Using an application such as Google Authenticator that generates a time-based OTP that the user must enter in addition to their password.
The idea behind OOB authentication is that it can be more secure, because it requires the person attempting to log in to have access to a device or communication channel that is available only to the legitimate user. It can also serve as an additional layer of security in case the primary means of authentication is compromised.
OOB authentication can be used in various scenarios, including high-security environments, such as financial institutions, government agencies, and healthcare organizations, as well as for online transactions that involve sensitive information or large amounts of money. The NIST SP 800-63C guidelines provide recommendations for OOB authentication, including how to implement it in a way that is both effective and secure.