On September 5th 2016, NIST published the Digital Authentication Guideline: Public Preview. The document, SP 800-63-3, is a complete overhaul of the previous version.
NIST is taking a new approach with this “Public Preview.” They are hosting the document on GitHub to gain more public input. By having successive comment periods and multiple iterations, they hope to create a more dynamic and agile process.
Highlights of the Document
The document is broken into four parts. The base document, SP 800-63-3, is the third iteration of this special publication and has been renamed Digital Authentication Guideline. The base document is followed by three separate documents. By breaking the document up, they can focus on the importance of ID proofing.
- SP 800-63A – Enrollment and Identity Proofing
- SP 800-63B – Authentication & Lifecycle Management
- SP 800-63C – Federation and Assertions
OMB Levels of Assurance – LOA
eGovernment legislation was passed in 2002 and was quickly followed by OMB M-04-04 in 2003. For over a decade we have used LOA 1, LOA 2, LOA 3 and LOA 4 to classify and refer to the type of authentication we used. The new version of SP 800-63 decouples ID proofing from authentication. Identity Assurance Level (IAL) now refers to the strength of ID proofing and the confidence level associated with those processes, and Authenticator Assurance Level (AAL) refers to the authentication process.
- IAL 1 – An applicant can self-assert their identity, meaning there is NO requirement for ID proofing.
- IAL 2 – An applicant’s identity must be proven with real-world attributes. This can be done with KBA, or can be asserted by a third party. At this level, in-person proofing is allowed but NOT required.
- IAL 3 – An applicant’s identity MUST be proven in person. They must be verified by an authorized and trained professional representative of the CSP.
- AAL 1 – only requires single-factor authentication.
- AAL 2 – requires two different authentication factors.
- AAL 3 – requires proof of possession of a cryptographic key, used together with multi-factor authentication.
People think the first USERNAME + PASSWORD was on the CTSS system at MIT. When you logged on, the system recognized your username and gave you the proper entitlements. One person got access to accounts payable, while someone else got access to inventory. The CPA got access to the whole accounting system. But when it comes to establishing identity, passwords didn’t work then, and they don’t work today.
It seems users have always been complaining about passwords. NIST seems to have heard these complaints and has made some bold recommendations. First, they suggest agencies do away with periodic and arbitrary password changes. When you force people to change their passwords every 30 days, they just write them down—defeating the point.
I was surprised to see they recommend doing away with mandatory special characters. Until we can do away with passwords completely, they are trying to get us to stop employing practices that don’t work.
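To make the contrast concrete, here is an added example (not code from the post or from NIST) that checks a password against the two styles of policy: the legacy composition-plus-rotation rules the post says fail, and a policy with no composition rules and no scheduled expiry. The 8-character minimum and the blocklist check are drawn from SP 800-63B rather than from the post; the blocklist itself and the function names are constructed for illustration.

```python
import re
from typing import List

# Constructed stand-in for a breached/common-password blocklist (assumption, not from the post).
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein", "welcome1"}
ROTATION_DAYS = 30  # the forced-change interval the post describes


def legacy_policy(pw: str, days_since_change: int) -> List[str]:
    """Composition rules plus scheduled expiry: the practice the post says does not work.
    Returns the list of reasons the password is rejected (empty means accepted)."""
    problems = []
    if len(pw) < 8:
        problems.append("too short")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs uppercase")
    if not re.search(r"[0-9]", pw):
        problems.append("needs digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs special character")
    if days_since_change > ROTATION_DAYS:
        problems.append("expired, must rotate")
    return problems


def nist_style_policy(pw: str) -> List[str]:
    """No composition rules and no scheduled expiry, as the post describes.
    The length floor and blocklist check are SP 800-63B requirements (assumption:
    they are what replaces the composition rules) and are not discussed in the post."""
    problems = []
    if len(pw) < 8:
        problems.append("too short")
    if pw.lower() in BLOCKLIST:
        problems.append("on the common/breached password list")
    return problems
```

A long lowercase passphrase fails every legacy rule yet passes the newer policy, while a short, well-known “compliant” password does the reverse.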
Two-factor authentication is the darling of the IT industry right now. At last count, there were over 30 2FA vendors with enterprise solutions. We all know that username + password, or one-factor authentication, simply isn’t secure. So there has been a mad rush to install two-factor authentication for everything. But in that mad rush, we neglected our due diligence.
In this document NIST has formalized what many of us have feared for years: that 2FA is full of vulnerabilities. Many forms just aren’t safe. For example, NIST has officially deprecated the use of “OTP over SMS.”
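The AAL definitions above, the SMS OTP deprecation, and the rule that a biometric is only one factor can be expressed as a small classifier. This is an added example, not code from the post or from NIST: the authenticator catalogue, the factor types assigned to each authenticator and the function name are constructed for illustration, and the level rules are a simplified reading of the post rather than the full SP 800-63B requirements.

```python
from typing import List, Tuple

# Constructed authenticator catalogue (assumption): each authenticator proves one
# factor type: something you know, something you have, or something you are.
FACTOR_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",
    "totp_app": "possession",
    "hardware_crypto_key": "possession",
    "fingerprint": "inherence",
    "iris_scan": "inherence",
}
DEPRECATED = {"sms_otp"}                   # OTP over SMS, deprecated in the preview
HARDWARE_CRYPTO = {"hardware_crypto_key"}  # proof of possession of a cryptographic key


def assess_aal(authenticators: List[str]) -> Tuple[int, List[str]]:
    """Return (AAL reached, warnings) for a login that used these authenticators.
    Level 0 means no AAL is met. Simplified rules taken from the post:
    AAL1 = one factor, AAL2 = two distinct factor types, AAL3 = AAL2 plus a
    cryptographic key, and a biometric never counts on its own."""
    unknown = [a for a in authenticators if a not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown authenticator(s): {unknown}")
    warnings = [f"{a}: deprecated, still counted but should be replaced"
                for a in authenticators if a in DEPRECATED]
    factors = {FACTOR_OF[a] for a in authenticators}
    # Two authenticators of the same type (password + PIN) are still one factor.
    if not factors or factors == {"inherence"}:
        if factors:
            warnings.append("biometric alone: must be paired with another factor")
        return 0, warnings
    if len(factors) >= 2 and any(a in HARDWARE_CRYPTO for a in authenticators):
        return 3, warnings
    if len(factors) >= 2:
        return 2, warnings
    return 1, warnings
```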
No two fingerprints have ever been found to be the same. That’s why law enforcement has been using them since 1901. When you touch something, you leave behind an oily residue with a unique signature. If your fingerprints are found at a crime scene, you’re likely looking at a guilty verdict in a court of law.
But in IT, where everything is electronic, things are different. It’s relatively easy to spoof a fingerprint or even an iris scan. NIST discusses biometrics in depth. They want you to know that while biometrics are getting better, they are still only one factor and must be used with another factor. If you do use biometrics, SP 800-63 gives specific guidance on when and how to use them.
The Future of Digital Authentication in the Cyber World
SP 800-63-3 is a radical departure for NIST for several reasons.
- Instead of following their traditional comment period, they have posted the document to GitHub and are following an open source model that is iterative and agile.
- They have abandoned the term eAuthentication from 2002 in favor of the term Digital Authentication.
- A new standard of assurance is being proposed, while the decades-old OMB standard is being abolished.
- While NIST is our national standards body, SP 800-63 has always applied to federal executive agencies as defined in Title 39 U.S.C. 201. This document is meant to reach a new audience, the entire United States—the population NIST serves.
Special Publication 800-63-3 is an outstanding piece of work. The team is the first to admit the document is not perfect, which is why they are asking for our help and our comments. If you wish to view the documents, you can find them on NIST’s site. If you wish to comment, you will need to create a GitHub account. If you want step-by-step instructions, you can find them here. I urge everyone to participate; it’s our digital future.
Nathaniel Rushfinn Crocker is the CIO and co-founder of the Crocker Institute, a benefit corporation in South Carolina dedicated to helping organizations meet their mission through Enterprise Architecture and Program Evaluation. He is passionate about cybersecurity and protecting our online identities. Interested in hearing more of what Nate has to share? You can find him on Twitter and connect with him on LinkedIn.