
US standards group NIST publishes new digital identity guidelines

David Bicknell Published 25 June 2017

SP Suite 800-63, put together with UK identity peers’ help, gives identity proofing ‘a major overhaul’ including breaking down level of assurance into its independent parts


The US National Institute of Standards and Technology’s (NIST) Trusted Identities Group has published new digital identity guidelines providing technical requirements for federal agencies implementing digital identity services.

The guidelines contained in Special Publication (SP) suite 800-63, which have been over a year in the making, are designed to give identity proofing ‘a major overhaul’ and benefited from support provided by UK and Canadian identity peers.

The guidelines’ publication includes an overview of identity frameworks; using authenticators, credentials, and assertions in a digital system; and a risk-based process to select assurance levels. Organisations have the flexibility to choose the appropriate assurance level for their needs.

For the new SP 800-63, NIST sought to simplify and clarify guidance, better align with commercial markets, promote international interoperability, and focus on outcomes to promote innovation and deployment flexibility. The updates in the guidelines’ publication are intended to give relying parties latitude in designing, building, consuming, and procuring identity technology.

The highlights of the changes to the guidelines include breaking down level of assurance into its independent parts: identity proofing, authenticators, and federated assertions.

The changes also created multiple volumes with clear distinctions between ‘normative’ and ‘informative’ language, so each volume is a one-stop shop for mandatory requirements and recommended approaches.

The guidance supports in-person proofing over a virtual channel, though under a strict set of requirements, and clarifies that knowledge-based verification (“née authentication”) is limited to specific portions of the identity proofing process and is never sufficient on its own.

It also places additional restrictions on the use of SMS for a one-time password (OTP), removes OTP via email, and addresses the security required for centralised biometric matching, as well as offering updated terminology to clarify language across the identity space.

(thanks to former UK government CloudStore lead Mark Craddock for highlighting the guidelines)
