The National Institute of Standards and Technology (NIST) has published major changes to its guidelines on digital authentication.

Published on 30 August, the new guidelines now separate the individual elements of identity assurance into discrete component parts. For non-federated systems, agencies will select and combine two individual components, referred to as Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL). For federated systems, a third component, Federation Assurance Level (FAL), is required.

IAL refers to the robustness of the identity proofing process and of the binding between an authenticator and the records pertaining to a specific individual, while AAL refers to the robustness of the authentication process itself. FAL refers to the robustness of the assertion protocol the federation uses to communicate authentication and attribute information (if applicable) to a relying party.

Because of these changes, NIST has also split the SP 800-63 revision into a family of documents organized into four main sections: Digital Authentication Guideline, Enrollment and Identity Proofing, Authentication and Lifecycle Management, and Federation and Assertions.

On the major changes the revisions address, NIST states, for example: "Current government systems do not separate the functions of authentication and attribute providers. However, in some applications, these functions are provided by different parties. ... This document suite describes authenticator assurance and identity assurance as separate metrics, and provides a mapping between these metrics and overall level of assurance."

There are also broader changes, as Michael Garcia, deputy director at NIST's National Strategy for Trusted Identities in Cyberspace, explained to Federalnewsradio.

"We changed the name from electronic authentication to digital authentication guidance, which in itself indicates that we're a little bit smarter about this than we were [10 years ago]," he said.

"When you think about where we were 10 years ago, even the most equipped folks in a lot of agencies didn't understand how digital identity worked at all, or to a very limited extent. And that world has changed so massively over the last 10 years, our understanding within federal agencies of how to do these things has changed an enormous amount."

Garcia shared more details during a 30 August panel at the Symantec Government Symposium in Washington.

Garcia said identity proofing is "a complete re-write," based on good-practice guidance like that seen in Canada and the UK.

"It's much more about the characteristics of quality evidence and the outcomes of the event itself," Garcia said. "It really tries to take a step back from being prescriptive and it's really about performance. We hope that that allows some additional future-proofing to say 'ok look, if the document has the following characteristics, we're not going to specify a list of documents that do or do not meet them.'"