NIST issues digital identity update allowing agencies to use synced passkeys

The supplement to NIST's digital identity guidelines could pave the way for agencies to adopt stronger multi-factor authentication methods.

The National Institute of Standards and Technology, in a new update to its digital identity guidelines, is clarifying a key discrepancy in federal policy that may have been preventing some agencies from adopting stronger forms of multifactor authentication.

In a supplement to the guidelines released Monday, NIST offers new guidance on incorporating “syncable authenticators” into both enterprise and public-facing use cases.

It’s the first supplement NIST has issued for the 2017 digital identity guidelines. The agency is already in the process of updating those guidelines. Comments on the latest draft were due in March, and NIST could release the final revision as soon as later this year.

But Ryan Galluzzo, the digital identity program lead at NIST, said the supplement comes after many people submitted comments about the lack of support for synced passkeys in the current guidelines.

“We realized we can come up with a set of requirements that can allow agencies to make use of this technology right now in a way that will help particularly the public in being able to improve the way they authenticate to online services,” Galluzzo said on Tuesday at an event hosted by Okta in Washington.

Under the 2022 federal zero trust strategy, the Biden administration has directed agencies to offer phishing-resistant multifactor authentication for public-facing online services.

“There’s not a ton of ways to do that without things like hardware security keys, and being able to distribute those,” Galluzzo said. “Passkeys . . . have started to bridge that gap and make them much more available to end users and provide them as well with something that’s much more intuitive to them.”

The FIDO Alliance, an industry association that wants to reduce the world’s reliance on passwords, sets open standards for phishing-resistant passkeys. FIDO defines them as “a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices.”

While the technology is relatively new, Galluzzo pointed to how many people have quickly become accustomed to using authenticators like Apple passkeys to access their online accounts across multiple devices.

“It’s much easier for that end user, it’s much easier for them to understand because they see it on a regular basis,” Galluzzo said.

But he said a strict reading of the NIST’s current digital identity guidelines effectively prevents agencies from using synced passkeys, as it bars them from using cryptographic device authenticators that are exported to multiple devices.

With the new supplement, Galluzzo said agencies can “take that next step and really put it in place.”

Jeremy Grant, who led NIST’s digital identity work during the Obama administration, agreed the new supplement will help agencies more readily adopt the password-less authentication methods endorsed by FIDO. Grant is coordinator of the Better Identity Coalition, an industry group focused on identity security and privacy.

“In terms of practical impact, I think it will help to jumpstart adoption of FIDO authentication in the U.S. government, particularly in overly risk-averse agencies that might not have been willing to embrace FIDO without formal NIST approval,” Grant told Federal News Network.

In the wake of the pandemic, agencies have been pushed to better facilitate online access to government services while also preventing fraud and unauthorized access. But federal cybersecurity leaders have stressed the importance of using “phishing-resistant” multifactor authentication, as opposed to text message verification and other authentication types that can be susceptible to scammers and hackers.

“NIST is quite clear in this new supplement that agencies can and should be looking to use synced passkeys, provided that the products meet a number of technical requirements to ensure the security of the broader authentication solution,” Grant said. “It’s about as full-throated an endorsement as you could hope to see, and I think it will remove some barriers to adoption.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Stacy Bostjanick and Jennifer Henderson

    Risk and Compliance Exchange 2024: DoD’ Stacy Bostjanick, DCMA’s Jennifer Henderson on finding ‘any means possible’ to help small biz with CMMC

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    How should software producers be held accountable for shoddy cybersecurity products?

    Read more