NIST updates digital identity guidelines with passkeys, mobile wallets

Draft digital identity guidelines add more detail around emerging tech like mobile driver's licenses, but also keep the door open to in-person verification.

The National Institute of Standards and Technology is trying to give agencies and the public more options when it comes to digital identity and anti-fraud capabilities.

NIST today published a second draft of a new revision to its seminal “Digital Identity Guidelines.” The standards agency published the initial draft in December 2022. NIST spent the last year revising the special publication after receiving nearly 4,000 comments on the first draft.

Jason Miller, deputy director for management at the Office of Management and Budget, said the new draft guidelines show the Biden administration’s commitment to “strengthening anti-fraud controls while ensuring broad and equitable access to digital services.”

“By incorporating feedback from private industry, federal agencies, privacy and civil rights advocacy groups, and members of the public, NIST has developed strong and fair draft guidelines that, when finalized, will help federal agencies better defend against evolving threats while providing critical benefits and services to the American people, particularly those that need them most,” Miller said in a statement.

The new draft guidelines add more detail around emerging digital identity capabilities, including online passkeys and mobile driver's licenses. The updated draft incorporates a supplement NIST issued earlier this year that allows agencies to use “syncable authenticators” in both enterprise and public-facing use cases.

“We are trying to make sure we maintain as many pathways as possible to enable secure online access to services,” NIST Digital Identity Program Lead Ryan Galluzzo, one of the publication’s authors, said in the release today. “We want to open up the use of modern digital pathways while still allowing for physical and manual methods whenever they may be necessary.”

During a webinar hosted by GovExec last week, Galluzzo said NIST’s identity team has been focused on strengthening performance metrics in areas like online document authentication. The draft guidelines incorporate new metrics in areas like biometric matching and liveness detection to help combat online fraud.

“We’re really focusing on how we can make as secure as possible those upfront processes when it comes to what we see today, and then opening the door to new technologies like mobile driver’s license, verifiable credentials, other forms of digital evidence and digital identity components that we can actually build into future-focused identity processes,” Galluzzo said.

Meanwhile, amid concerns around the proliferating use of facial recognition, the latest draft guidelines maintain NIST’s approach to biometrics-based identity verification. In NIST’s release today, Galluzzo states that “systems that use these technologies must perform accurately, adhere to the privacy requirements articulated in the guidance, and include manual processes to address errors or challenges that users may encounter.”

Comments on the new draft guidelines are open until Oct. 7.

Mobile driver’s license pilots

NIST’s National Cybersecurity Center of Excellence earlier this week also announced plans to work with 15 technology providers on an initial use case for using mobile driver’s licenses in the financial services sector. A growing number of states have begun to issue mobile licenses that can be stored on smartphone wallets.

Galluzzo said the NCCoE will also explore a use case for using mobile driver's licenses (mDL) to access government services.

“So how can I use a similar kind of cryptographically provable and verifiable credential when establishing my account with a federal government agency or with a state and local agency that’s going to then use that to provide access or benefits or services,” Galluzzo explained.

The overarching focus of the center’s mDL project is creating a “new paradigm around the use of digitally focused credentials within use cases where we’ve pretty much relied on things like physical ID cards,” Galluzzo added.

He said NIST officials want to set up more projects at the NCCoE that help organizations implement the guidelines. That’s especially important for federal agencies, which are required to follow NIST’s digital identity standards.

“What can we take and put into practice in the lab to ease the lift and ease the implementation challenges that agencies are going to have once we start to roll out of new guidance,” Galluzzo said.

But even as agencies and the private sector have moved more services online, NIST is also emphasizing the importance of giving the public in-person options.

“Also keeping the door open to the in-person stuff,” Galluzzo said. “In-person and attended processes, while sometimes less convenient, are oftentimes really good options for individuals who might not be able to get through a DocAuth or a biometric check, or simply aren’t comfortable going through those processes.”

Copyright © 2024 Federal News Network. All rights reserved.