Hoping to balance today’s requirements with future needs, the National Institute of Standards and Technology released a major update to Special Publication 800-63 for digital authentication.
The third version was published Aug. 30, and divides the digital authentication document into four sections, ranging from credentials that are tied to a specific person to the process of sending those authentication results to the party who needs to know that certification.
“We changed the name from electronic authentication to digital authentication guidance, which in itself indicates that we’re a little bit smarter about this than we were [10 years ago],” said Michael Garcia, deputy director at NIST’s National Strategy for Trusted Identities in Cyberspace. “When you think about where we were 10 years ago, even the most equipped folks in a lot of agencies didn’t understand how digital identity worked at all, or to a very limited extent. And that world has changed so massively over the last 10 years, our understanding within federal agencies of how to do these things has changed an enormous amount.”
That allows for fewer anecdotal explanations of how things work and more outcome-based explanation, Garcia said during an Aug. 30 panel at the Symantec Government Symposium in Washington.
“The more your audience understands the concepts and the ultimate goals of what you’re trying to achieve, the more you can provide them with ‘this is the outcome we need’ and the less you can provide them with ‘this is the thing you have to do,'” Garcia said.
The third revision has already received more than 200 comments.
Unlike the original special publication, the third version is split into four documents: digital authentication guidelines, enrollment and identity proofing, authentication and lifecycle management, and federation and assertions.
Garcia said identity proofing is “a complete re-write,” based on good-practice guidance like that seen in Canada and the UK.
“It’s much more about the characteristics of quality evidence and the outcomes of the event itself,” Garcia said. “It really tries to take a step back from being prescriptive and it’s really about performance. We hope that that allows some additional future-proofing to say ‘ok look, if the document has the following characteristics, we’re not going to specify a list of documents that do or do not meet them.'”
Garcia said if you can prove that a piece of evidence meets certain criteria, you should be able to label it — such as superior, adequate or weak — and then move it to the next step in the authentication process.
The proofing requirements should already be determined, Garcia said, offering an example of an identity assurance level 3, requiring one strong and two superior documents.
“That gives you an option of doing a mix and match sort of thing, to reach the level that you need,” Garcia said. “It doesn’t pigeonhole the individual that lost their form of ‘Identity Y,’ and now they can’t do it. There’s a whole variety of ways to meet it, so you can do what suits your needs to mitigate the risk that you need to.”
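The "mix and match" idea above, as an added worked example (not code from NIST or from the article): a checker that takes the strength labels of the evidence an applicant presents and a requirement expressed as a number of slots per minimum strength, then decides whether the evidence can fill every slot. The strength ordering (weak < adequate < strong < superior) and the substitution rule (stronger evidence may fill a weaker slot, each piece filling at most one slot) are assumptions of this example; the "one strong and two superior" requirement is the IAL3 figure as the article reports it.

```python
"""Evidence-strength matching for identity proofing (illustrative example)."""

# Assumed total order of evidence strength, weakest to strongest. "superior",
# "adequate" and "weak" are the labels quoted in the article; "strong" comes
# from its IAL3 example. The relative ordering is an assumption here.
STRENGTH_RANK = {"weak": 0, "adequate": 1, "strong": 2, "superior": 3}

# The requirement as the article reports it for identity assurance level 3:
# two superior pieces of evidence and one strong one.
IAL3_EXAMPLE_REQUIREMENT = {"superior": 2, "strong": 1}


def _rank(label):
    """Map a strength label to its rank, rejecting labels we do not know."""
    if label not in STRENGTH_RANK:
        raise ValueError(f"unknown evidence strength: {label!r}")
    return STRENGTH_RANK[label]


def unfilled_slots(evidence, requirement):
    """Return the required slots that the evidence cannot fill (empty if all are met).

    evidence: list of strength labels, one per piece of evidence presented.
    requirement: dict mapping a minimum strength label to a number of slots.

    Mix-and-match rule (an assumption of this example): a piece of evidence may
    fill any slot whose minimum strength is at or below its own strength, and
    each piece fills at most one slot. Because strengths form a total order,
    matching the most demanding slots against the strongest remaining evidence
    (greedy, descending) finds a full assignment whenever one exists.
    """
    slots = sorted(
        (level for level, count in requirement.items() for _ in range(count)),
        key=_rank,
        reverse=True,
    )
    pool = sorted(evidence, key=_rank, reverse=True)
    missing = []
    for slot in slots:
        if pool and _rank(pool[0]) >= _rank(slot):
            pool.pop(0)  # strongest remaining piece fills this slot
        else:
            missing.append(slot)  # nothing left is strong enough for this slot
    return missing


def meets_requirement(evidence, requirement):
    """True if the evidence fills every slot of the requirement."""
    return not unfilled_slots(evidence, requirement)


if __name__ == "__main__":
    # Constructed sample submissions, labelled by strength only.
    samples = {
        "exact match": ["superior", "superior", "strong"],
        "three superior (substitutes for strong)": ["superior", "superior", "superior"],
        "only one superior": ["superior", "strong", "strong"],
        "missing the strong document": ["superior", "superior"],
    }
    for name, evidence in samples.items():
        gaps = unfilled_slots(evidence, IAL3_EXAMPLE_REQUIREMENT)
        verdict = "meets IAL3 example" if not gaps else f"unfilled slots: {gaps}"
        print(f"{name:42s} -> {verdict}")
```

The function reports which slots remain unfilled rather than a bare pass/fail, so an enrolment workflow can tell the applicant what additional class of evidence would close the gap.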
Garcia also pointed out that the Federation and Assertions document was practically all new.
According to the draft, this type of system “is preferred over a number of siloed identity systems that each serve a single agency or RP [relying party].”
The benefits of “federated identity architecture,” NIST says in its draft, include enhanced privacy, data minimization, cost reduction and enhanced user experience.
Garcia said the third iteration reflects a better understanding of the digital authentication space; however, “we’re not there yet.”
“It’s very easy to point to a single solution when you don’t understand a solution very well,” Garcia said. “I can rigorously look at this solution and make a determination about it. When there’s a variety of solutions it becomes much more difficult to do that, [there’s] much more investment to do that and we’ll probably get some wrong. So instead we really want to look at it in what are the outcomes we’re trying to achieve, and we think the space has matured enough to be able to do that.”
The realm of possibility
The government’s ongoing efforts to modernize and streamline electronic credentialing include a cover letter and memo sent in May from Federal Chief Information Officer Tony Scott to agency CIOs highlighting the General Services Administration’s 18F’s new Log-in.gov effort.
The Defense Department’s CIO announced in June his plan to phase out the Common Access Card (CAC) over the next two years.
Jason Martin, a services executive with the Defense Information Systems Agency, said his agency has started to look at what multi-factor authentication really means.
The CAC is not good for mobile devices, but it works great for application and work station authentication, he said.
“The challenge becomes, how is that going to exist in the future, if that all becomes virtual how do we do it,” said Martin, who joined Garcia at the panel on information access.
“We’re looking at a number of tools, industry has worked on a number of tools,” such as biometrics, Martin said. “Are those reliable right now? I don’t know, but they are certainly now within the realm of possibility.”