The National Institute of Standards and Technology is revising Special Publication 800-63, Digital Identity Guidelines, which gives guidance to federal agencies on how to implement identity verification requirements. The document was last revised in 2017 and is being updated to reflect the current cybersecurity environment and the changes in threats that have occurred since then.
The new version will look at some of the privacy and ethical considerations that must be taken into account with new guidelines, the new risk management techniques that may be incorporated and the new technology that may be needed to implement the guidelines. The guidelines will also create a path to phishing-resistant authentication that is stronger than simple multifactor authentication.
FedTech discussed the new guidelines with David Temoshok, senior adviser for applied cybersecurity at NIST's Information Technology Laboratory; the lab has responsibility for all 800 series special publications.
FEDTECH: These guidelines were last updated in 2017, a lifetime in the world of cybersecurity. What’s happened since then that made the updates necessary?
TEMOSHOK: We had the pandemic and the government's response to the pandemic, which really accelerated the transition from in-person government services to online services. The government also established pandemic relief programs, which attracted cyberattackers. We saw many new forms and a much greater volume of cyberattacks. We saw bot attacks, automated attacks, an emergence of synthetic identities and phishing attacks across the spectrum of government online services. Funding and financial services and benefits were available that just weren't there previously.
FEDTECH: Describe some of the updates included in the new guidelines.
TEMOSHOK: We are making a special effort to make sure we can advance equity across the government's online service programs — we want to make sure that no sector of the population, no community, is excluded from the government's online services delivery methods. We wanted to specifically address how equity should be treated across the different processes as well as the technologies in the digital identity guidelines.
We’ve also seen the emergence of new forms of digital identity evidence. The 2017 revision treats evidence of identity — whether it’s submitted in person, remotely over a device, or as a scan or a photograph — as physical evidence. But we’ve seen such an emergence of digital identity evidence that we needed to address both the processes and the security, as well as the privacy in handling digital identity evidence.
FEDTECH: Explain the equity aspect of identity authentication because that seems to be critical. Is that related to the issues with face recognition?
TEMOSHOK: It’s more than that. Any potential bias across demographic groups is certainly an issue with face recognition algorithm comparisons. But we are addressing a broad range of equity considerations that deal with rural rather than urban or suburban users, for example. Rural users may not have easy access to online services if they or their communities do not have access to mobile devices that allow for remote identity proofing and remote authentication processes.
We also recognize that with any form of processing, like identity proofing or authentication processes, there can be potential biases or inequities across communities. It's a much broader scope than just bias in the face recognition algorithm. The first executive order that President Biden signed in 2021 was Executive Order 13985, which called attention to equity across government services — not just online services, but all government services. It directed agencies to conduct equity assessments of the services that they provide and the programs that they operate, and we call that out in the digital identity guidelines. There's been a strong positive response to the focus on equity in the update.
FEDTECH: Can technology help with creating equity, or is that more of a process change?
TEMOSHOK: It's more of a process. We address multifactor authentication, and one of those factors needs to be a possession-based authentication factor — something that the user has. It’s important to not exclude populations from multifactor authentication access if they have difficulty acquiring a possession-based authentication factor because all of our accounts in government require multifactor authentication. We looked to expand the options that are available to both identity services and individuals on how they can prove identity for access, and then authenticate them once they're registered and can access their accounts. We're looking for options that are available to implementers, identity services and individuals so that they can choose processes that are more convenient or that they have the capability to perform.
FEDTECH: Some of the literature on the guidelines talked about enabling systems to be more phishing-resistant. How would that work?
TEMOSHOK: Phishing resistance really requires a tight binding authentication with the individual who’s being authenticated. And it has been difficult to find commercially available products similar to the government's Personal Identity Verification card and the Department of Defense’s Common Access Card, which have an integrated circuit chip with embedded digital certificates that allow for encryption-based authentication processes.
But there’s been an expansion in the marketplace of FIDO authenticators. FIDO is Fast Identity Online, an industry-based organization that has developed specifications that allow for an asymmetric encryption authentication process, which is a phishing-resistant process. There are now commercially available products where a FIDO-based authenticator can establish a strong multifactor authentication process that's phishing-resistant and available in multiple locations. Without that key — even though a phishing attack might induce a user to provide his or her user ID and password — the attacker doesn’t have access to that private key, so the authentication process fails.
FEDTECH: Is there any thought to getting more specific about what kind of proof of physical identity is acceptable?
TEMOSHOK: There are physical and digital credentials that can be presented as evidence of identity. These are onboarded into the service where we use evidence-based identity proof such as a U.S. driver's license, passport or immigration card. Mobile driver's licenses or a data feed from an e-Passport also allow us to validate the credential that's being presented. But in addition, they make sure that the identity attributes that are on those credentials — name, date of birth, address — can be validated so that we can bind a unique identity and a digital identity to the evidence that's been provided.
Then there's evidence that's much stronger, such as Real ID, which has a picture and is governed by state motor vehicle departments. There is established identity proofing plus an issuance and maintenance process for those types of credentials. And there are credentials such as a mobile driver's license that is digital in form and digitally signed by the issuing authority. Digital evidence can be validated through that digital signature, which ensures the integrity and the authenticity of the document. We consider that to be superior evidence to bind the digital identity.
The range of acceptable multifactor authentication processes is broad — from an SMS text message that is sent to a phone to strong encryption-based hardware security modules that protect the private key for authentication processes. We recognize that broad range, but we're also encouraging the adoption of phishing-resistant multifactor authentication.
FEDTECH: How critical is a solid identity verification method in a zero-trust environment?
TEMOSHOK: All zero-trust implementations and all implementations of the digital identity guidelines in the federal government will require multifactor authentication at the access point, which is supported by zero trust. The zero-trust architectural strategy establishes the requirement that all authentications must be multifactor and phishing-resistant, and for public-facing access, these implementations must at least offer phishing-resistant multifactor authentication capability to the public so that we can begin that broad-scale adoption across the population.
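The phishing-resistance argument Temoshok makes in the FIDO answer above (the attacker may capture a password, but never the private key, and the assertion is bound to the site it was made for) can be shown in code. The following is an added example written for this page, not NIST text or any vendor's implementation: a deliberately simplified model of a WebAuthn "get" assertion in Go. The relying party `login.agency.example`, the look-alike origin `login-agency.example`, the user name and the challenge strings are all constructed; real WebAuthn adds CBOR encoding, COSE keys, signature counters and attestation, which are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Simplified WebAuthn model (added example; hostnames and challenges are constructed).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, never by page script
}

// Authenticator keeps one private key per relying-party ID; the key never leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs SHA-256(authData || SHA-256(clientDataJSON)), as WebAuthn does.
func (a *Authenticator) Assert(rpID, origin, challenge string) (authData, cdJSON, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential scoped to %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present)
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return authData, cdJSON, sig, err
}

// RelyingParty is the server side: it stores public keys and checks assertions.
type RelyingParty struct {
	ID, Origin string
	pubs       map[string]*ecdsa.PublicKey // username -> registered public key
}

func (rp *RelyingParty) Verify(user, challenge string, authData, cdJSON, sig []byte) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay?)")
	}
	if cd.Origin != rp.Origin { // assertion was produced on some other site
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(authData) < 33 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return errors.New("signature does not verify against the registered key")
	}
	return nil
}

// Scenarios returns the verification result for a genuine login, for an attacker
// who phished the password but holds no registered private key, and for an
// attacker who relays the real challenge through a look-alike site.
func Scenarios() (legit, noKey, relayed error) {
	rp := &RelyingParty{ID: "login.agency.example", Origin: "https://login.agency.example", pubs: map[string]*ecdsa.PublicKey{}}
	user := NewAuthenticator()
	pub, err := user.Register(rp.ID)
	if err != nil {
		return err, err, err
	}
	rp.pubs["alice"] = pub

	ad, cd, sig, _ := user.Assert(rp.ID, rp.Origin, "chal-1") // 1. genuine origin
	legit = rp.Verify("alice", "chal-1", ad, cd, sig)

	attacker := NewAuthenticator() // 2. knows the password, owns a different key
	attacker.Register(rp.ID)
	ad, cd, sig, _ = attacker.Assert(rp.ID, rp.Origin, "chal-2")
	noKey = rp.Verify("alice", "chal-2", ad, cd, sig)

	// 3. real challenge proxied via a look-alike site; the browser stamps that site's origin
	ad, cd, sig, _ = user.Assert(rp.ID, "https://login-agency.example", "chal-3")
	relayed = rp.Verify("alice", "chal-3", ad, cd, sig)
	return legit, noKey, relayed
}

func main() {
	legit, noKey, relayed := Scenarios()
	fmt.Println("genuine login:", legit)
	fmt.Println("phished password, no key:", noKey)
	fmt.Println("relayed through look-alike site:", relayed)
}
```

Scenario 3 is the one an SMS code or password cannot survive: the attacker forwards the real site's challenge in real time, and a secret the user types would simply be relayed. With the key-based assertion the browser, not the page, writes the origin into the signed client data, so the relying party rejects it even though the signature itself is valid. In practice a real browser stops this attack one step earlier, since it refuses to use a credential whose relying-party ID does not match the page's host; the model skips that check to show the second, server-side layer.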