NIST’s Digital Identity Guidelines Favor the User
With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure form of digital identities for authentication. Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security. The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies, businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience.
Digital Identity Systems
The first volume of the Guidelines provides an overview of digital identity systems. Each subsequent volume focuses on one of three components of identity assurance:
- Enrollment and Identity Proofing
- Authentication and Lifecycle Management
- Federation and Assertions
Enrollment and Identity Proofing
The second volume relates to creating a unique digital identity based on manual user input. Enrollment involves (1) resolving a claimed identity to a single unique user, (2) validating the accuracy of the identity data against authoritative sources, and (3) verifying that a claimed identity is that of the user claiming it. NIST’s recommendations for enrollment systems include:
- Data Minimization – restrict data collection to the smallest and least invasive set of attributes necessary to resolve a unique identity.
- Matching Algorithms – incorporate automated processes to validate data against multiple authoritative sources.
- Derived Credentialing – avoid repetitive data input by tying new authentications to existing user identities.
Authentication and Lifecycle Management
The third volume relates to granting system access to already-enrolled users (i.e. “subscribers”). Authentication is the ongoing process of associating subscribers with their online activity based on (1) “something you know” (e.g. passwords), (2) “something you have” (e.g. smartphones), or (3) “something you are” (e.g. biometrics).
NIST’s recommendations for authentication systems include:
- Simplified Password Rules – eliminate overly-complex password requirements and enable passphrases through higher character limits and permitting space characters.
- Permanent Duration Passwords – stop requiring subscribers to change their passwords periodically, absent actual evidence of compromise.
- Alternate Multifactor Authentication – allow subscribers to choose between secondary authentication options based on context, goals, and tasks.
Federation and Assertions
The fourth volume relates to using password managers and other third party identity providers (“IdPs”). Federation occurs when an identity provider (“IdP”) authenticates a given subscriber and subsequently submits “assertions” of the relevant identity information to one or more OSPs. NIST’s recommendations for federation systems include:
- Use of IdPs – allow IdPs to automatically paste identity information into online forms, subject to certain communication and privacy protocol.
- Streamlined Assertions – minimize the number of user actions required to generate an IdP assertion and strive for a consistent user experience across systems.
- Multiple Accounts – allow users of an IdP to select from multiple accounts associated with a given system.
Although NIST’s recommendations might seem non-traditional, they attempt to respond to recent developments in the industry. Empirical analyses of breached password databases imply that most users respond to password complexity requirements and expiration notices with simple incrementing, such as adding a “1” to a default password. Such findings—combined with (1) the increased sophistication of cyber attacking algorithms, (2) the growing prominence of password harvesting techniques (e.g. phishing, keystroke logging, etc.) as opposed to password cracking techniques, and (3) the added likelihood that overly-complex passwords will be stored unsafely due to their lowered memorability—suggest that a streamlined user experience may be more security-enhancing than artificial password rules.
Online service providers—as well as any entity with an sizable online services component—should take notice of the NIST Guidelines and monitor these developments as they continue to develop digital identity solutions for their users.