NIST recently announced that it is undertaking a “transformational change” to its digital authentication guidelines. It is currently accepting comments via GitHub, to be followed by the more traditional public comment period later this summer. The GitHub process is part of a new approach intended to foster more openness, with the goal of producing even stronger guidelines.
This update responds to the security challenges that come with the influx of mobile devices and bring your own device (BYOD) policies in the workplace.
Led by Paul Grassi, senior standards and technology advisor at NIST, the update revisits the four levels of identity assurance and the risk management that goes with them.
The major changes include:
- Eliminates level two of the four-level assurance scheme
- Deprecates one-time passcodes delivered over the air (SMS out-of-band codes)
- Defines when knowledge-based verification is acceptable
- Specifies acceptable password policies
- Ends visual-only inspection of identity documents for proofing at higher assurance levels
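The password-policy change is the one practitioners can apply directly. The draft SP 800-63B rules for user-chosen memorized secrets are: at least 8 characters, verifiers must accept at least 64, no mandatory composition rules, and every candidate must be screened against a list of commonly used or breached passwords. The check below is an added illustration (not NIST's or this author's code) that contrasts a legacy composition-rule policy with a policy written to those rules; the blocklist is a constructed sample, and the NFKC normalization step and the username screen are assumptions drawn from the draft's recommendations rather than from this page.

```python
"""Memorized-secret acceptance check written to the draft SP 800-63B rules,
beside the legacy composition-rule policy it replaces (added example)."""
import re
import unicodedata

MIN_LEN = 8    # draft 800-63B: user-chosen secrets are at least 8 characters
MAX_LEN = 64   # draft 800-63B: verifiers accept at least 64 characters

# Constructed sample blocklist; a real verifier loads a large breach corpus.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein"}


def normalize(secret: str) -> str:
    # Unicode NFKC so visually identical inputs (e.g. ligatures) compare equal;
    # assumed here, following the draft's normalization recommendation.
    return unicodedata.normalize("NFKC", secret)


def legacy_policy(secret: str) -> bool:
    """Old-style rule: upper + lower + digit + symbol, 8-16 chars.
    Rejects long passphrases and accepts predictable substitutions."""
    if not 8 <= len(secret) <= 16:
        return False
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return all(re.search(c, secret) for c in classes)


def check_secret(secret: str, username: str = "", blocklist=BLOCKLIST):
    """Return (accepted, reason) under the draft 800-63B style rules."""
    s = normalize(secret)
    n = len(s)  # count code points, never bytes, and never truncate
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    if s.lower() in blocklist:
        return False, "blocklisted"
    # Screening out context-specific words (username, service name) is an
    # assumption taken from the draft's guidance, not from this page.
    if username and username.lower() in s.lower():
        return False, "contains username"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, legacy_policy(candidate), check_secret(candidate))
```

Run stand-alone, the block shows the inversion the new rules produce: "P@ssw0rd" satisfies every composition class yet is rejected as blocklisted, while a 28-character passphrase the legacy rule would refuse is accepted.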
The update also makes a clear commitment: user authentication now carries even more weight. Until now, the vocabulary was a confusing mix of terms around multi-level and two-factor authentication. To clear this up, NIST no longer speaks of “tokens” and refers to them instead as “authenticators.”
Put simply, the “authenticator” vocabulary keeps the focus on the three classic factor types, which I translate as:
• Something you are (a biometric)
• Something you have (a device or hardware authenticator)
• Something you know (a password or PIN)
We consider this a critical update and applaud NIST for revised guidelines that are now even more focused on authentication. It is also significant for emerging digital risk management strategies, since the guideline supports combining multiple capabilities, with authentication of the user as the first point of emphasis.
The guideline also changes identity proofing. Until now, presenting an identity document typically meant a visual inspection of it. Under the new guideline, visual inspection alone is no longer sufficient at the higher assurance levels; the evidence must be validated with stronger, technology-assisted checks. Even though removing the sole reliance on a human in the loop brings its own risks, combining the three factor types with stronger proofing technology makes authentication both easier and more reliable, and so helps reduce overall risk.
Commenting on the update, Grassi said, “It’s cliché to say that technology moves fast, but we face a massive challenge to address evolving technologies and threat environments at a global scale and Internet speed — all without compromising on our responsibility to protect individuals’ security and privacy. We rely on the broad identity community to help us create smart, modern and practical guidance, and we hope this approach provides a more nimble way for our stakeholders to do just that.”