Oct 242017

NIST’s Digital Identity Guidelines Favor the User

Colleen Theresa Brown and Shay Banerjee
, , ,

With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure form of digital identities for authentication.  Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security.  The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies, businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience.

Digital Identity Systems

The first volume of the Guidelines provides an overview of digital identity systems. Each subsequent volume focuses on one of three components of identity assurance:

  • Enrollment and Identity Proofing
  • Authentication and Lifecycle Management
  • Federation and Assertions

Enrollment and Identity Proofing

The second volume relates to creating a unique digital identity based on manual user input. Enrollment involves (1) resolving a claimed identity to a single unique user, (2) validating the accuracy of the identity data against authoritative sources, and (3) verifying that a claimed identity is that of the user claiming it.  NIST’s recommendations for enrollment systems include:

  • Data Minimization – restrict data collection to the smallest and least invasive set of attributes necessary to resolve a unique identity.
  • Matching Algorithms – incorporate automated processes to validate data against multiple authoritative sources.
  • Derived Credentialing – avoid repetitive data input by tying new authentications to existing user identities.

Authentication and Lifecycle Management

The third volume relates to granting system access to already-enrolled users (i.e. “subscribers”). Authentication is the ongoing process of associating subscribers with their online activity based on (1) “something you know” (e.g. passwords), (2) “something you have” (e.g. smartphones), or (3) “something you are” (e.g. biometrics).

NIST’s recommendations for authentication systems include:

  • Simplified Password Rules – eliminate overly-complex password requirements and enable passphrases through higher character limits and permitting space characters.
  • Permanent Duration Passwords – stop requiring subscribers to change their passwords periodically, absent actual evidence of compromise.
  • Alternate Multifactor Authentication – allow subscribers to choose between secondary authentication options based on context, goals, and tasks.

Federation and Assertions

The fourth volume relates to using password managers and other third party identity providers (“IdPs”). Federation occurs when an identity provider (“IdP”) authenticates a given subscriber and subsequently submits “assertions” of the relevant identity information to one or more OSPs. NIST’s recommendations for federation systems include:

  • Use of IdPs – allow IdPs to automatically paste identity information into online forms, subject to certain communication and privacy protocol.
  • Streamlined Assertions – minimize the number of user actions required to generate an IdP assertion and strive for a consistent user experience across systems.
  • Multiple Accounts – allow users of an IdP to select from multiple accounts associated with a given system.

Conclusion

Although NIST’s recommendations might seem non-traditional, they attempt to respond to recent developments in the industry. Empirical analyses of breached password databases imply that most users respond to password complexity requirements and expiration notices with simple incrementing, such as adding a “1” to a default password. Such findings—combined with (1) the increased sophistication of cyber attacking algorithms, (2) the growing prominence of password harvesting techniques (e.g. phishing, keystroke logging, etc.) as opposed to password cracking techniques, and (3) the added likelihood that overly-complex passwords will be stored unsafely due to their lowered memorability—suggest that a streamlined user experience may be more security-enhancing than artificial password rules.

Online service providers—as well as any entity with an sizable online services component—should take notice of the NIST Guidelines and monitor these developments as they continue to develop digital identity solutions for their users.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Shay Banerjee

sbanerjee@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.