The National Institute of Standards and Technology (NIST) has published draft guidelines concerning the management of digital identities online, and will welcome public comment on the draft until March 24 of next year.
The “Digital Identity Guidelines” publication (aka NIST Special Publication 800-63 Revision 4) is primarily concerned with the identity proofing and authentication of users interacting online with government information systems. And in drafting the guidelines, NIST has focused on four overarching goals: advancing equity, emphasizing optionality and choice for consumers, deterring fraud and advanced cyberthreats, and addressing implementation lessons that have previously been learned.
One such lesson – though it isn’t mentioned in the document itself – may be that there is considerable skepticism from the public, or at least mainstream media publications, about the use of facial recognition as the only means of authentication.
It’s a lesson that was learned vividly in the IRS-ID.me fiasco that played out earlier this year. The Internal Revenue Service had attempted to make selfie-based identity verification mandatory for citizens filing their taxes online, and hired ID.me as the vendor of its biometric technology, only to prompt outrage from privacy advocates and scrutiny from lawmakers. The plan was quickly shelved.
As Homeland Security Today reports, “a significant portion” of NIST’s efforts in hammering out the new guidelines will involve exploring alternative methods of identity verification. “This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines,” said the Office of Management and Budget’s deputy director for management, Jason Miller.
The document itself goes into more detail. “NIST sees a need for inclusion of an unattended, fully remote Identity Assurance Level (IAL) 2 identity proofing workflow that provides security and convenience, but does not require face recognition,” the Initial Public Draft states. To that end, NIST wants input on what kind of technologies could offer such an alternative, whether they are supported by technical standards, and whether there are established testing methods to assess their performance.
NIST is also anticipating a growing role for virtual identity credentials, and wants to ensure that it considers how they might be addressed in its guidelines.
“What methods exist for integrating digital evidence (e.g., Mobile Driver’s Licenses, Verifiable Credentials) into identity proofing at various identity assurance levels?” the document asks.
Later, the document follows that line of thinking to a question about whether the guidelines sufficiently address “emerging authentication models and techniques – such as FIDO passkey, Verifiable Credentials, and mobile driver’s licenses” – adding, “What are the potential associated security, privacy, and usability benefits and risks?”
Those questions aren’t rhetorical. In addition to requesting public comment, NIST will host a virtual workshop dedicated to its “Digital Identity Guidelines” on January 12, with registration for the event now open.
December 20, 2022 – by Alex Perala