April 2017 Digital Edition
March 2017 Digital Edition
Feb. 2017 Digital Edition
January 2017 Digital Edition
Nov/Dec 2016 Digital Edition
Oct 2016 Digital Edition
Standards agency recognizes importance of private authentication tools
The National Institute of Standards and Technology’s newly-released revision of government electronic identity authentication guidelines recognizes new tools and techniques have risen that offer safe, flexible applications for government users.
In NIST’s revised edition of its Electronic Authentication Guideline the agency said it expanded the options government agencies can use to verify the identity of users of their Web-based services. The revision of the Electronic Authentication, said NIST, is the first since 2006. The extensive update of the document, it added, is extensive and “recognizes that times, and technologies, have changed.”
“Changes made to the document reflect changes in the state of the art,” explained NIST computer security expert Tim Polk, Cryptographic Technology Group manager at NIST. “There are new techniques and tools available to government agencies, and this provides them more flexibility in choosing the best authentication methods for their individual needs, without sacrificing security.”
When SP 800-63 was first released, said NIST in a statement on Dec. 13, its authors assumed that most agencies would handle figuring out if users’ identities in-house. The growth of an entire industry focused on providing authentication services, however, has grown since the initial release. NIST said that industry “is often in the best interest of agencies to take advantage of commercial systems or those of other government entities.” It added that while passwords are still the go-to authentication mechanism, a growing number of systems rely on cryptographic keys or physical tokens.
According to the agency, the revision broadens the discussion of technologies available to agencies and gives a more detailed discussion of these technologies and isn’t meant to constrain government users from developing their own authentication methods. It recommended that government users developing their own methods use an established process to do so.
Government agencies have the option of using the services of companies that have had their authentication systems certified through the Federal Chief Information Officer Council’s Trust Framework Provider Adoption Process (TFPAP), said NIST. That program assesses credentialing processes against federal requirements, including those established in 800-63. To ensure consistency and avoid redundant analysis, NIST strongly encouraged agencies to leverage the TFPAP process.
SP 800-63-1 is the official implementation guidance for the Office of Management and Budget (OMB) Memorandum 04-04, “E-Authentication Guidance for Federal Agencies.” Polk stressed that the revised NIST guideline may inform but is not intended to restrict or constrain the development or use of standards for implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). NIST SP 800-63-1 is specifically designated as a guideline for use by federal agencies for electronic authentication. NSTIC, in contrast, has a broader charge: the creation of an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”