On the face of it, NIST has released another technical update to its digital identity guidelines, but experts have waded in, saying they feel “heard” and that the standard reflects the dynamic ID systems the industry is working on.
The standard does not define digital identity as a “security or IT function”; it describes it as “strategic infrastructure” and explores the acute challenges of balancing risk, trust, equity and accessibility.
Integrating ID systems should not just be about following technical requirements for compliance; companies that do not embrace dynamic ID systems risk becoming irrelevant, and that risk should spur them to act.
The culmination of a four-year process of listening to public commentary and review from the community, the specification strategically resets the meaning of identity.
Identity has progressed to the widespread acceptance of digital wallets that store and exchange verifiable credentials, the use of AI for identity, ID proofing and resilient approaches to fraud.
The 4th Revision of Special Publication 800-63, Digital Identity Guidelines, is intended to respond to the “changing digital landscape” and the evolution of identity that has emerged since the last major revision of this standard, said NIST.
The expanded requirements and evaluation metrics stress the urgency of maintaining adoption of crucial digital identity infrastructure.
One commenter, Gabriel Steele, General Manager, Customer and Identity Services, ANZ, conveys this, stating: “The cost of inaction isn’t just non-compliance – it’s irrelevance”.
The guidelines on the scope of identity technologies are overtly clear, driving the ecosystem to adopt ID systems that challenge evolving risk.
“This version reframes identity not as a set of technical controls, but as a dynamic system that balances risk, trust, usability and equity”, Steele said.
The governance of AI, which can bolster verification if risks are well managed, should be non-negotiable.
Privacy, equity and accessibility are not footnotes, he said, commenting on the news. Privacy and security are now mandatorily built into modern design processes for tools to be used in real conditions.
The added controls and metrics address real-time injection attacks and forged media. The standard, and the public response to it, have standardised passwordless, syncable authenticators, for example synced passkeys.
While the comment period has closed, NIST says it always welcomes engagement, feedback, and questions.
“As with previous revisions, implementation resources are already in development, and we are exploring concepts such as machine-readable conformance criteria and a Digital Identity Risk Management tool” – NIST.













