Sorry, you need to enable JavaScript to visit this website.
Insights on “Digital Identity Guidelines” Sought March 7, 2023

by Sarbari Gupta

Between 2017 and 2023 the world changed dramatically. Technology altered the digital landscape and cybersecurity concerns heightened.

In keeping with its responsibility for developing information security standards and guidelines, the National Institute of Standards and Technology (NIST) deemed it time to revisit its Special Publication (SP) 800-63 “Digital Identity Guidelines,” as it has done several times since the document was first published in June 2004. These guidelines underwent a third revision in 2017, morphing into a four-volume suite. December 2022 marked the issuance of the initial public draft of the fourth revision for public comment.

This SP 800-63-4 update couldn’t be more timely, necessary or thoughtful. Clearly, the technical requirements for federal agencies implementing digital identity services needed revision after nearly six years. Moreover, as comments to a pre-draft of this document highlighted, this iteration needed to advance equity as well as address the topics of optionality and consumer choice, deterrence of fraud and advanced threats, and implementation lessons learned.

The technical requirements for federal agencies implementing digital identity services needed revision after nearly 6 years.

It’s noteworthy that NIST is exercising a bit of specificity in regard to the comments it hopes to receive from the public. NIST specifically seeks feedback focusing on Identity Proofing and Enrollment, Risk Management, Authentication and Life Cycle Management, and Federation and Assertions.

Here are just a few specifics on what NIST seeks by topic:

  • Identity Proofing and Enrollment
    o Available technologies or methods that could support a remote, unattended identity proofing process
    o Ways to integrate digital evidence (e.g., mobile driver’s licenses, verifiable credentials)
    o Potential impact of commercial service providers assuming fraud detection, response notification responsibility
    o Effects of the proposed identity proofing biometric performance requirements on such technologies already in use
  • Risk Management
    o Gaps in the guidance offered for integrating digital identity risk and enterprise risk
    o Ways to integrate equity, privacy and usability impacts into the process for assurance level selection and the model for digital identity risk management
    o Potential use of risk analytics and fraud mitigation techniques in choosing identity assurance levels
  • Authentication and Life Cycle Management
    o The need to better address emerging authentication models and techniques (e.g., FIDO passkeys, verifiable credentials and mobile driver’s licenses)
    o The need for greater clarity on phishing resistance in the guidelines as they relate to two levels of authentication assurance
    o The need to define session management thresholds and reauthentication requirements
    o Effect, if any, of proposed biometric performance requirements on existing biometric technology implementations
  • Federation and Assertions
    o Gaps in the privacy considerations for identity and provisioning application programming interfaces
    o Need for greater clarity regarding “bound authenticators”

NIST also posits some general questions regarding the perceived need for additional guidance and unclear text, among other concerns. Interested parties can find the initial public draft here. The full text on all five comment request areas can be found in the section titled “Note to Reviewers.” NIST was quick to extend its request for comments to all four draft volumes of the suite.

NIST asks that all comments be submitted to by 11:59 pm ET on March 24, 2023. Notably, after NIST review, all comments will be available on the NIST Identity and Access Management website.

# # #

The development of the initial public draft was an intensive undertaking. The contents reflect the cumulative effort of all those who have worked on NIST SP 800-63 iterations in the past as well as the eight collaborators, including me and my colleague Diana Proud-Madruga, who contributed to the current revision. I’m proud to have participated in the effort and pleased with what we achieved.

Return to Electroblog