REGISTER NOW: Privacy Controls Workshop on next steps for NIST SP 800-53, Appendix J!

We’re pleased to announce that on September 8, 2016, NIST and the Department of Transportation will hold a technical workshop on the next steps for NIST Special Publication 800-53, Appendix J…and registration is now open! Workshop participation from security and privacy engineers, privacy subject matter experts, and Senior Agency Officials for Privacy (SAOPs) is imperative for this workshop to be a success, so we encourage experts in these areas to register and attend. However, everyone is welcome so please feel free to join us if you are interested in the design of privacy protections in federal information systems.

Should Appendix J evolve in the next revision of the publication? We need your participation and input to get it right. Workshop attendees will explore the effectiveness and challenges of applying the current privacy controls in SP 800-53 and will discuss what adjustments should be made in the publication’s fifth revision.

Facilitated group discussions will cover a variety of topics, including: potential amendments to the privacy control families, broader guidance on the relationship between the privacy and security controls, and the need for additional NIST guidance on the implementation of controls in privacy risk management processes to support more effective privacy programs.

Shortly, we will release a discussion draft addressing each of the primary focus areas for the workshop. With the discussion draft as a starting point, attendees will have an opportunity to provide critical feedback prior to, during, and following this workshop to guide our next steps.

Your input is critical to making this process a success, so don’t forget to register…and stay tuned for an agenda, panelist announcements, and a discussion draft—which we will post on the event page soon.

Attendees can earn a maximum of five CPE credits through the International Association of Privacy Professionals (IAPP) for attending the workshop by simply submitting this form.

Please Note: If you are a U.S. citizen, the registration deadline is Friday, September 2nd at 12 p.m. EST. If you are not a U.S. citizen, the registration deadline is Monday, August 22nd at 12 p.m. EST. This event will be in-person; there will be no webcast.

Twitter: @NSTICnpo


Questions…and buzz surrounding draft NIST Special Publication 800-63-3

Here’s the backstory: You may have noticed that we’ve been getting a wee bit of attention on the proposed deprecation of SMS as an out-of-band second authentication factor in section of draft NIST Special Publication 800-63-3: Digital Authentication Guideline. First, we’re happy to get the attention. Sure, this is a NIST document, but the point of public comment—and our extended public preview of the draft on GitHub—is to make sure the community is a part of creating it. The more eyes the better. The team here at NIST wouldn’t quite say many commenters make lighter work—but they sure do make a better end product.

All that said, accurately communicating information on technical standards can be pretty difficult, so we want to make sure folks know exactly what we mean with this proposal.

Here’s what we mean: There are really two separate changes worth explaining…

First: VoIP and other IP-based services. In today’s Identity Ecosystem, we worry especially about threats that are scalable and threats that can occur remotely. Yes, getting your phone stolen is a threat to all mobile-based two-factor authentication, but the cost to an attacker to steal a password and then steal a phone is much higher than when said swindler can access your accounts from their couch. It takes time and physical mobility, and they have to do the damage before the victim can act—which is typically much quicker when your phone is missing than when they’re remotely in your account.

So while no security approach is perfect, truly tying authentication to a physical device makes a real difference.

These days, not all SMS is a mobile phone-based communication. It’s a beautiful thing about SMS interoperability that we can send a message to a “phone number” without really caring if it’s an SMS, MMS, iMessage, or data message to some other internet service. An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn’t have to know the difference when they hit send—that’s part of the internet’s magic.

But it does matter for security. That’s why we’re proposing that federal agencies first verify that the phone number is truly attached to a mobile phone. If it is not, and the user protects her or his VoIP account with a password, the user may now be protecting sensitive personal information with two passwords: two of one factor type (two of ‘something you know’) rather than actual two-factor authentication (‘something you know’ and ‘something you have’). So we felt we had to propose ruling VoIP out.

Second: SMS to mobile devices. Let’s move on to the case where we’re confident the SMS is really going to a mobile device.

We’re continually tracking security research on the evolving threat landscape. Consistent with our focus on limiting scalable and remote attacks, we note that security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse. While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn’t have the strength of the device authentication mechanisms inherent in the other authenticators allowed in draft NIST SP 800-63-3. It’s not just the vulnerability of someone stealing your phone; it’s about the SMS sent to the user being read by a malicious actor without getting her or his grubby paws on your phone.

Because of the risks, we are discouraging the use of SMS as an “out of band authenticator” — which is, essentially, a method for delivering a one-time use code for multi-factor authentication. This is why we suggest that the use of SMS as a second factor be reconsidered in future agency authentication systems.
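The two checks described above, refusing numbers that do not resolve to a mobile handset and treating the delivered code as a single-use, short-lived out-of-band authenticator, are sketched in Python below. This is an added example, not code from the draft or from NIST. The NUMBER_TYPES table is a constructed stand-in for a carrier number-type lookup service, the phone numbers in it are made up, and the 10-minute lifetime and three-attempt limit are assumptions, not values from the draft.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for a carrier/number-type lookup service (assumption: a real
# deployment would query a telecom data provider). Keys are E.164 numbers.
NUMBER_TYPES = {
    "+15555550100": "mobile",
    "+15555550199": "voip",   # e.g. a Skype or Google Voice number
}


def lookup_number_type(phone: str) -> str:
    """Return 'mobile', 'voip', ... or 'unknown' for a phone number."""
    return NUMBER_TYPES.get(phone, "unknown")


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code; the plaintext code is never stored
    expires_at: float    # absolute time after which the code is dead
    attempts_left: int   # remaining wrong guesses before the code is discarded


class SmsOutOfBandVerifier:
    """Issues and checks one-time codes delivered out of band over SMS."""

    def __init__(self, lookup=lookup_number_type, ttl_seconds=600,
                 max_attempts=3, now=time.time):
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._now = now
        self._pending = {}
        # Per-process secret so a leaked store of digests cannot be brute-forced offline.
        self._key = secrets.token_bytes(32)

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def start(self, user_id: str, phone: str) -> str:
        """Generate a code for `phone`; refuse numbers that are not a mobile handset."""
        kind = self._lookup(phone)
        if kind != "mobile":
            # A VoIP mailbox is usually protected by a password, so a code sent there
            # is a second "something you know", not "something you have".
            raise ValueError(f"refusing to send out-of-band code to {kind} number")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(
            self._digest(code), self._now() + self._ttl, self._max_attempts)
        return code  # in production this goes to the SMS gateway, not back to the caller

    def finish(self, user_id: str, submitted: str) -> bool:
        """Check a submitted code; it is single use and discarded on expiry or lockout."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(self._digest(submitted), pending.digest):
            pending.attempts_left -= 1
            if pending.attempts_left <= 0:
                del self._pending[user_id]
            return False
        del self._pending[user_id]   # accepted exactly once
        return True
```

The number-type check runs before any code is generated, so a VoIP or unknown number never receives a code at all; the verifier keeps only an HMAC of each code, compares in constant time, and deletes the entry on first success, on expiry, or after the attempt budget is spent.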

But what’s this “deprecated” business all about?

Deprecation is standards-speak for “you can use this puppy for now, but it’s on its way out.” It’s a way of balancing the practicalities of today’s implementations with the needs of the future. While SMS is a popular and convenient option today, the security concerns of SMS as a second factor should be part of agencies’ decisions. Using SMS to a mobile phone as a second factor today is less effective than some other approaches, but more effective than a single factor. This balancing act is difficult and inherently imperfect, which is why we propose changes to the community and seek comment before making guidance final.

We proposed a deprecation rather than a removal so that agencies can get the most out of their investments, both in upgrading existing systems and in building new ones. It’s up to agencies to make the risk-based decisions that best serve their constituents today and future-proof systems for tomorrow.

The market is continually innovating in this space; but so are adversaries. We’re fortunate to have innovators that have given us many authentication options just as convenient, yet more secure, than SMS. We don’t take these decisions lightly, and we’re always looking for better approaches from our stakeholders.

If you think deprecating SMS is a step in the right direction, let us know through our public preview on GitHub. If not, we need to hear from you. If you have another idea, it won’t come to fruition if you don’t share it. In this way we hope to do our part for a better Identity Ecosystem that serves all users and providers of digital services—and these days that covers just about everyone.

Speaking of our GitHub public preview site, we wanted to clear up some confusion…

We have mentioned before that we hope to receive critical comments to draft 800-63-3 and finalize the document by the end of the year (we expect to close the public preview period by September 17, 2016). This approach has many benefits, one of which is to engage experts early in the drafting process so that we can accelerate release of a final publication.

But we’ve heard from many valued stakeholders who think this summer public preview is intended for individuals only. This is not the case; this document needs organizational input as well (federal agencies: this also goes for you!). To comment as an organization, feel free to create an account representative of your ‘orgname’ or include your organization name in the comment itself. We can even update the issue template to include your organization name if you’d like us to.

Don’t let the term ‘public preview’ stop you. Public means open to all. We introduced this new phase to be as responsive as possible as we engage with the public and private sectors. We’d love a steady stream of substantive comments throughout the open period—so please help us keep things running smoothly and efficiently by submitting your comments as soon as possible. Thank you for your comments and for joining us in this quest to make this document the best it can be!



Calling all 800-63-3 comments!

Have you done your summer reading yet? We’re approaching this summer’s halfway point – which means we’re halfway through the public preview of draft NIST Special Publication 800-63-3: Digital Authentication Guideline. Don’t let the dog days of summer get you down – we still need your feedback and expert opinions! For a refresher on some of the major changes to 800-63-3 and why we’re using GitHub to solicit comments, see our announcement blog.

[Screenshot of the 800-63-3 GitHub issues page, July 18, 2016: some of the open 800-63-3 GitHub issues we’re combing through – add yours today!]

We hope to address comments and finalize this document by the end of the summer, and we expect to close the public preview period by September 17, 2016. We’d love a steady stream of substantive comments throughout the open period, so please help us keep things running smoothly and efficiently by submitting your comments as soon as possible – so it’s not a mad dash for us at the end of the process. Not only do we need time to resolve all open issues, but we also want the stakeholder community to weigh in using GitHub. We will, of course, listen to and account for your feedback no matter what—but the more comments we can get now, the better. To keep track of our plan, you can visit the milestones page to check on our status and if we’ve adjusted any dates (or added iterations).

To everyone who has already contributed to this document: THANK YOU. Your efforts have not gone unnoticed as we work together to enhance digital authentication guidelines and improve the Identity Ecosystem. We don’t take lightly the importance of stakeholder participation for the success of this document.

To everyone else: please head over to the public preview site to submit your feedback today!



Out with the old, in with the new: making MFA the norm

It seems it’s finally multi-factor authentication’s (MFA) time in the limelight. A recent Wells Fargo commercial touts a movement beyond the password with strong authentication. Bank of America enabled passcode-free mobile login with fingerprint. The White House released the Cybersecurity National Action Plan (CNAP), expanding upon Executive Order 13681, with a focus on securing accounts with MFA. Betty White’s on board, too.

The attention is well-deserved – and MFA is here to stay; organizations are implementing and consumers are adopting. lists about 350 websites that support two-factor authentication (2FA, herein mainly referred to as MFA). In 2013, 25% of Americans had used 2FA in the past; but by 2015, this number had increased, as 39% of consumers were using 2FA.

We’ve come a long way. Relying parties (RPs) have recognized MFA’s business and user benefits. Now it’s time to go further: push MFA to the point of ubiquity, focus on consumer preference and the MFA capabilities of their devices, and make MFA sustainable in the ecosystem and economy.

Getting consumers on board

A few user-centric obstacles have prevented MFA from reaching its full potential. The password remains a typical factor in MFA, so consumers still have to remember passwords. In many cases, consumers must type them in from a mobile device – not so fun with long passwords created under complex composition rules. Consumers can have more than a handful of online accounts for accessing bank accounts, health records, email, social media accounts – and the list goes on. Sixty percent of consumers find usernames and passwords cumbersome to use. While the password has its place, simply adding a second factor onto a password scheme isn’t the only way for organizations to adopt MFA.

Plus, many websites and apps issue or implement their own second factor. As organizations develop and deploy stovepiped second factors – like Google Authenticator, SMS, FIDO’s U2F, among other options – we run the risk of overwhelming consumers with an abundance of unique second factors. When accessing accounts from multiple devices, the problem gets worse.

This trend creates a combinatorial problem where the consumer must remember a variety of pairings: password x with second factor y here, password a with second factor b there. This could put MFA in a bind, where users don’t have access to a second factor when they need it. And RPs may not want to adopt something that adds friction to the customer experience, especially when that second factor affects authentication and authorization in ecommerce transactions.

The good news

Multiple factors are better than one, so we’re thrilled with market adoption over the past few years. Users have access to more options than ever. In many cases, new standards and enhancements to existing ones have made it possible for users to present any of the three factor types in MFA from a mobile device. In addition, the market for consumer authentication devices continues to grow, allowing RPs to let users bring the second factor of their choice rather than bear the expense of its issuance and management.

RPs can also choose identity federation to onboard more consumers to their services. Federation allows organizations with identity management expertise, and more importantly, access to a large market of existing users, to save RPs the cost and operational burden of identity management by providing them with identity proofing and credential management services. In the end, RPs choosing federation services or letting users bring their own second factor can reduce costs, improve user experience, and enhance security and privacy.

How’s NIST working on this?

For government, the updates in Special Publication (SP) 800-63-3 align with private sector innovation and best practices. Draft SP 800-63-3 recommends MFA for all assurance levels. To facilitate MFA ubiquity, draft SP 800-63-3 encourages market growth, with greater support for mobile devices, new options for the use of biometric authentication, and recommendations on binding user-supplied authenticators for RPs that want consumers to feel free to bring their own credential.

Making MFA the norm means players in the ecosystem need to collaborate, innovate, and, in some cases, push the envelope beyond current business practices to cutting-edge service delivery – with a focus on user-friendly solutions. With increasing support for user choice and federation, we are on our way to ensuring that consumers can access their many accounts more conveniently and more securely.


We’ve dedicated this month to talking about MFA. For more information, check out our back to basics approach to MFA and our coffee chat with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA).


Coffee Chat with Michael Kaiser, Executive Director, National Cyber Security Alliance

Michael KaiserTo get to the core of multi-factor authentication (MFA) and why it’s such an important security feature, we caught up with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser graciously sat down with us for our inaugural coffee chat – a new series on the NSTIC Notes Blog. In this series, we’ll hear from various leaders in the identity community as they share unique perspectives—in their own words—on essential identity topics. See our questions and his answers, below.*

About our expert

Michael Kaiser is the Executive Director of the National Cyber Security Alliance (NCSA). Mr. Kaiser joined the NCSA in 2008. As NCSA’s chief executive, Mr. Kaiser engages diverse constituencies—business, government and other nonprofit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet. Mr. Kaiser leads NCSA in several major awareness initiatives, including National Cyber Security Awareness Month (October), Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT., the global online safety awareness and education campaign. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities. In 2009, Mr. Kaiser was named one of SC Magazine’s information security luminaries.

What is MFA, and why is it important?

MFA is, most simply, a way of providing additional security by using another factor in addition to your username and password to log in to an account. Multi-factor – sometimes referred to as two-step or two-factor – authentication or verification, can be any number of things: a biometric (such as a fingerprint, eye scan or gesture), a text message with a one-time code sent to your phone, a token that generates a one-time-use password or just your phone itself, because your phone has a unique ID.

MFA is an extremely important emerging way to increase account security. The new forms of authentication are critical to building a safer, more secure and trusted Internet. Logging in with a username and password, the primary way people access online accounts, has been around since the dawn of the Internet. It was never meant to be a primary form of security but has become the key to entry. It doesn’t work for a variety of reasons. In most cases, your username is your email address, which is likely not a secret, and we know a couple of things about passwords. First, they can be stolen whether from hacking into a website or system or using a service that captures consumers’ keystrokes. Second, good password practices require passwords that are long, strong, and unique for all accounts. Time and time again consumers have shown that they choose not to make strong passwords because they are inconvenient and hard to remember. For several years running the most used passwords have included “password” and “1234567.” The bad guys know this, making passwords easy to harvest or guess. MFA adds another layer to the login process that provides significantly more security to your accounts.

What would you say to people who say MFA is too time consuming or inconvenient? Do the benefits outweigh the extra cost?

The benefit of the increased security vastly outweighs the additional effort to implement it. For example, requiring a second factor like a text message to your phone makes it very hard for the bad guys to break into your account unless they have your phone in their possession, and that’s what makes it so much more secure. The time it takes to turn on and use MFA is not significant, and there are ways to make it easier to manage. For example, some of the email applications that use a text message code don’t require you to add the factor every single time; you can set MFA to remember your device, so that you are only prompted to enter a code when logging in from a different device or location or once every 30 days. As time goes on, and the technology improves, it will get easier and more convenient to use this kind of security technology, because it will work more seamlessly with the devices and websites that people are using and/or you’ll be able to use similar techniques across many, many sites and services.

The National Cyber Security Alliance (NCSA) has a few campaigns related to MFA – what are they?

Our primary campaign on this is called Two Steps Ahead, and it really reflects on what we feel – there’s a play on words about using two-step or MFA, but we also believe in a very positive sense that people who implement these technologies to be more secure are actually getting ahead. If a criminal comes across one account that has a username and password only and another account that has a username, a password and MFA, the criminal will be more likely to go after the former because it’s less work for them. The Two Steps Ahead campaign has held events in more than 20 places across the country over the last couple of years, and we’ll be in 15 to 20 cities in 2016. These events are designed to teach people about MFA and how to enable it and share insight on staying safe and secure online.

Additionally, in 2015 we started a social media campaign called #2FactorTuesday, which falls on the first Tuesday of each month. Each #2FactorTuesday, we work with private- and public-sector partners to share events, resources and content related to authentication, aiming to increase the adoption of MFA as a means to protect online accounts.

What are some ways that the average person can incorporate MFA into his or her online routine?

The starting place for anybody is to turn on MFA for your email account. Almost all of the major email providers offer some form of MFA or two-factor authentication service. The reason that consumers should start here is that for any account that uses a username and password, the password reset process normally starts with an email sent to your email address to verify your account. Therefore, if your email account gets hacked because of weak security, you could basically be providing access to all of your other accounts that have password reset as the way to gain reentry.

Additionally, people are concerned about protecting their money, so it’s recommended that you look into the MFA options that your financial institutions may offer or how they may provide enhanced login security.

You can learn more about how to implement MFA on your online accounts by visiting On this page, we provide links to many of the services on the web that already offer MFA or two-step authentication tools for clients and how to enable these features.

* The views expressed in this post do not necessarily reflect the views of NIST or the NSTIC NPO; they are solely the opinions of the experts interviewed.



Back to Basics: What’s multi-factor authentication – and why should I care?

Here’s the traditional, not so secure way to log in to your bank account: enter your username and that familiar password you probably use for most of your online accounts. Then, you’re in. You can go about your business.

Not so fast! If you’re one of the 54% of consumers who, according to TeleSign, use five or fewer passwords for all of their accounts, you could create a “domino effect” that allows hackers to take down multiple accounts just by cracking one password. The good news? There’s an easy way to better protect your accounts (which contain a lot of personal information) with multi-factor authentication (MFA).

What is MFA?

MFA is quite simple, and organizations are focusing more than ever on creating a smooth user experience. In fact, you probably already use it in some form. For example, you’ve used MFA if you’ve:

  • swiped your bank card at the ATM and then entered your PIN (personal ID number).
  • logged into a website that sent a numeric code to your phone, which you then entered to gain access to your account.

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that requires you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

So look at a simple scenario: logging in to your bank account. If you’ve turned on MFA or your bank turned it on for you, things will go a little differently. First and most typically, you’ll type in your username and password. Then, as a second factor, you’ll use an authenticator app, which will generate a one-time code that you enter on the next screen. Then you’re logged in – that’s it!

[Graphic: MFA Back to Basics blog graphic, June 16, 2016]
In most cases it’s even easier than that. Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor. Between device recognition and analytics the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.
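The two rules in this post, that a login counts as multi-factor only when the presented credentials come from two different categories, and that a site may remember a device so the second factor is skipped on a return visit, can be written down as a small policy check. The Python below is an added example, not code from NIST or from any bank: the FACTOR_CATEGORY table, the 30-day lifetime, the token format, and the server key in the usage are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Which of the three categories each authenticator type belongs to (assumed table).
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "otp_app": "have",        # authenticator app generating one-time codes
    "security_key": "have",
    "bank_card": "have",
    "fingerprint": "are",
}


def is_multi_factor(presented):
    """True only if the presented authenticators span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[name] for name in presented}
    return len(categories) >= 2


class DeviceMemory:
    """Issues and checks signed 'remembered device' tokens (assumed 30-day lifetime)."""

    def __init__(self, key: bytes, ttl_seconds=30 * 86400, now=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._now = now

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def remember(self, user_id: str, device_id: str) -> str:
        """Return a token binding this user to this device until expiry."""
        claims = {"u": user_id, "d": device_id, "exp": self._now() + self._ttl}
        payload = json.dumps(claims).encode()
        body = base64.urlsafe_b64encode(payload).decode()
        return f"{body}.{self._mac(payload)}"

    def recognized(self, user_id: str, device_id: str, token: str) -> bool:
        """True if the token is authentic, unexpired, and bound to this user and device."""
        try:
            body, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body.encode())
        except (ValueError, binascii.Error):
            return False
        if not hmac.compare_digest(mac, self._mac(payload)):
            return False   # forged or tampered token
        claims = json.loads(payload)
        return (claims["u"] == user_id and claims["d"] == device_id
                and self._now() <= claims["exp"])


def login_allowed(presented, memory=None, user_id=None, device_id=None, token=None):
    """Policy: two distinct factor categories, or one factor plus a remembered device."""
    if is_multi_factor(presented):
        return True
    if memory is not None and token is not None:
        return memory.recognized(user_id, device_id, token)
    return False
```

The token is bound to both the user and the device and carries its own expiry under the HMAC, so a cookie lifted from one browser cannot be replayed for another account or from another machine, and the 30-day window is enforced server-side rather than trusted from the client.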

So what’s the big deal?

MFA helps protect you by adding an additional layer of security, making it harder for bad guys to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone. You would definitely notice if your phone went missing, so you’d report it before a thief could use it to log in. Plus, your phone should be locked, requiring a PIN or fingerprint to unlock, rendering it even less useful if someone wants to use your MFA credentials.

Using 2FA is one of the top three things that security experts do to protect their security online, according to a recent Google survey. And consumers feel the same way: almost 9 in 10 (86%) say that using 2FA makes them feel like their online information is more secure, according to TeleSign.

When should I use MFA?

Stopping all online crime is not a realistic goal, but simple steps can massively reduce the likelihood you’ll be the next victim.

You should use MFA whenever possible, especially when it comes to your most sensitive data—like your primary email, your financial accounts, and your health records. While some organizations require you to use MFA, many offer it as an extra option that you can enable—but you must take the initiative to turn it on. Furthermore, if a business you interact with regularly, say your health organization, wants to provide you with convenient online access to health records, test results, and invoices, but only offers a password as a way to protect that data, consider saying: ‘no thanks, not until you provide MFA to secure my information.’

You can find a list of websites that offer MFA here and step-by-step instructions for enabling it for your accounts here. You can even use this browser extension that was created as a result of last year’s National Day of Civic Hacking challenge that we hosted; it lets you know which of the websites you use offer MFA—and makes it easy to call out those that don’t.

It’s simple: turn on MFA today!



Looking back on happenings at the IDESG plenary

Last week in New Orleans, the Identity Ecosystem Steering Group (IDESG) launched the Identity Ecosystem Framework (IDEF) Registry and publicly listed the first four organizations to self-attest. At the 17th IDESG plenary meeting, these organizations presented their experiences – emphasizing the business benefit of publicly showcasing their dedication to trusted digital identity solutions. They also shared the ease of self-attestation, thanks to the IDESG’s concierge that assists Registry applicants.

“The launch of the IDEF Registry was a huge milestone, operationalizing the IDEF requirements. We are enthusiastic about this new phase for the IDESG, focused on sharing this product far and wide, encouraging organizations to get listed on the Registry and publicly attest their dedication to the NSTIC Guiding Principles,” said Mike Garcia, acting director of the NSTIC office.

In keeping up the momentum of the launch, plenary attendees mainly looked ahead—toward scaling up the Registry and fostering greater trust across the Identity Ecosystem. Across the two-day event, attendees:

  • Learned how the Registry works and heard perspectives from listed NSTIC pilots MorphoTrust USA, Galois, and PRIVO;
  • Discussed the bylaws of the IDESG and the privacy evaluation process required for all IDESG deliverables;
  • Gained a more thorough understanding of the IDESG standards registry and the process of adopting standards;
  • Discussed mapping the IDESG requirements to other trust frameworks—with the goal of streamlining multiple self-assessments into one;
  • Heard about the pilots’ experiences in evaluating and managing privacy risks in their organizations.

Congratulations on another productive IDESG plenary meeting! We encourage other interested organizations to become some of the first to self-attest to the IDEF requirements on the Registry. The IDESG welcomes early adopter feedback, which will enhance the self-attestation process. It’s an exciting time for the Identity Ecosystem – and we look forward to all that’s ahead with the IDESG.



The IDEF Registry: an open invite to commit to trusted digital identity solutions

The Identity Ecosystem Steering Group (IDESG) laid the groundwork for better digital identity transactions with the release of the Identity Ecosystem Framework (IDEF) – and today they’re inviting organizations to publicly put it to good use.

This morning at the Cloud Identity Summit in New Orleans, the IDESG announced the implementation of the IDEF Registry, an online listing service where ecosystem participants can report their self-assessed status against the IDEF baseline requirements. By attesting to these requirements on the Registry, organizations can showcase their commitment to providing trusted digital identity services. It’s a great way for organizations to demonstrate that they have crossed a threshold in the marketplace, addressing mature protections for consumers beyond those minimally required by law.

What’s involved for organizations in getting listed on the Registry? There are just a few steps:

  1. Determine role. Organizations determine their roles in the Identity Ecosystem, like provider of digital identity services or user of web services.
  2. Perform self-assessment. Organizations perform a self-assessment to determine full or partial compliance with the IDEF requirements.
  3. Complete the IDEF Registry form.
  4. Submit the form. The IDESG will review the form, contact the organization with any questions, and then publish the listing to the Registry.

The IDESG’s flexible self-assessment approach gives organizations a range of options to report their status in meeting each requirement. Also, the IDESG is offering the Registry as a public service — organizations can currently be listed at no charge. With free public access, the IDESG is encouraging organizations large and small to attest, showing that they see the value in trusted digital identity solutions to their businesses — and their customers.

Organizations can participate as an applicant and be listed in the Registry, or use it as a resource and browse the information that has been submitted. The listing enables individuals, businesses, and organizations to identify NSTIC-aligned service providers and more easily adopt trusted identity solutions.

Several early-adopter organizations have worked with the IDESG to develop the Registry, have already completed the self-assessment, and are listed on the Registry: DigiCert, Privacy Vaults Online (PRIVO), Tozny, and University of Maryland, Baltimore County. We look forward to seeing the Registry grow and build greater trust across the Identity Ecosystem. With this exciting announcement, we’re more than ready for the IDESG plenary this week on June 8-9 in New Orleans. See you there!

Check out the IDEF Registry here.

Twitter: @NSTICnpo


Announcing Draft Special Publication 800-63-3: Digital Authentication Guideline!

Today, we’re releasing the public preview of draft Special Publication 800-63-3, Digital Authentication Guideline. We’re excited to share the updates we’ve made—along with the new process that enables our stakeholders to contribute to the document in a more dynamic way.


First things first

There are too many changes to list in a blog, but let’s highlight a few of the biggest:

  • We broke level of assurance down into its independent parts: identity proofing, authenticators, and federated assertions, and we provide three assurance levels for each of identity proofing and authenticators. We provide guidance to keep this compatible with OMB 04-04 and the four existing levels of assurance while OMB revises existing identity policy.
  • There are now multiple volumes consisting mostly of normative language. By cutting down on the informative language, each volume is now a one-stop shop for mandatory requirements and recommended approaches.
  • Identity proofing got a major overhaul, for which we owe many thanks to our UK and Canadian peers. Plus, the draft guidance supports in-person proofing over a virtual channel—though under a strict set of requirements.
  • We’ve clarified that knowledge-based verification (nee authentication) is limited to specific portions of the identity proofing process and never sufficient on its own. Emailing a one-time password (OTP) is gone too—and we’ve deprecated SMS OTP, so it’s in there but we expect to remove it in a future revision.
  • We address the security required for centralized biometric matching.
  • We have terminology updates to clarify language across the identity space. For example, remember ‘token’? It’s ‘authenticator’ now, since ‘token’ has plenty of other definitions and uses in the real world. It just didn’t make sense to stick with it.

Last, but not least, we’re modernizing our feedback process to allow greater, more dynamic participation in the development of this document. We’re releasing it on GitHub, a public-facing, simple-to-use interface, and we’ll solicit comments via GitHub, respond to them, and make edits continually over multiple document iterations this summer.

Once these summer iterations come to a close, we‘ll hold a more traditional 30- or 60-day public comment period with comment matrices and email, as an additional option to using GitHub. But for the current public preview, GitHub is the place to be!

What we’re looking for from you

Now is your chance to let us know: Did we miss anything? Have we gotten ahead of what is available in the market? Have we made appropriate room for innovations on the horizon?

In this public preview, we’re focused on getting the technical content right. So you’ll probably find an uncrossed ‘t’ and dot-less ‘i’ here and there. We ask that you focus your suggestions in this phase on the substantive (think technical and procedural requirements). Unless they impact the meaning of the statement, we’ll get to minor grammatical issues in due time—but we’ll gladly accept them if you can’t contain your inner grammarian.

GitHub uses markdown for editing, so the document may look a shade different from what you’d typically expect. But don’t let that put you off. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a simple form. There, you can summarize your suggested changes and submit them for further discussion in a forum-style format. You and your fellow reviewers can then consider the changes, discuss them, and suggest new ones as the conversation develops. More instructions are available online. And while we want this process to be interactive, we prefer suggested changes over forum chatter.

How we’ll review your comments

Our 800-63-3 team will review and update the draft document by looking over each issue. After careful review, we can incorporate changes directly into the draft and close the issue. The process will be fluid; comment periods will lead to new updates, which in turn will generate new opportunities for public collaboration and more updates. Our team will regularly update the document, so you can see changes as they occur over time. And after these cycles, we’ll end up with a completed version this winter built on community participation.

Now, please, go forth and contribute! We look forward to engaging with the community in this new process for 800-63-3 and developing effective, updated guidance.

Twitter: @NSTICnpo

What’s GitHub?

GitHub is an open source collaboration and development tool that will allow us to share the document and track your comments and suggestions. You can learn more about GitHub and how to sign up for an account here:
