The big changes to NIST password recommendations we’ve been talking about are official: NIST 800-63 is final.
It’s important to know that this overhaul is about more than just passwords. It’s a full reworking of digital identity guidelines with a suite of new documents and a flexible approach to using them.
The parent document is 800-63 and there are three child documents:
Identity Proofing is described in 800-63A
Proofing refers to the initial confirmation of the identity of an actual person. The new approach moves away from NIST specifying particular items (e.g. a driver’s license) to simply explaining the “characteristics” of what makes good proofing evidence. This provides more flexibility to allow what will work best in a particular environment. This is especially important since the person being identified may be remote.
Authentication is described in 800-63B
Authentication refers to checking something you “Know”, “Have”, or “Are” before allowing access to a system or resource. We’ve discussed passwords as the “something you know”, but there are major changes in the other authentication factors.
For “Something You Have” (e.g. your smartphone), NIST is advising against email and most uses of SMS for delivery of one-time passwords, because these communication channels can be compromised. NIST suggests a host of options, but the use of authenticator apps will likely increase as a result.
NIST is also advising caution around authentication using “Something You Are” (e.g. facial recognition or fingerprint scanning). The current state of these biometric technologies introduces too much risk from false positive and false negative identification.
Federation is described in 800-63C
Federation is where proofing and authentication occur in one system that other systems will trust. Federation is strongly encouraged by NIST, and the new guidelines include privacy-enhancing requirements that can make federation appealing.
More adaptable to individual situations
NIST SP 800-63 has become a lot more flexible. While the previous version used a single Level of Assurance (LOA) for assessing risk and determining appropriate practices, this new version has separate assurance levels (“xALs”): the Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). The result is clearer alignment of requirements to risk.
Implementation of 800-63
Now that NIST 800-63 is final, organizations will begin to take its recommendations into planning and implementation.
We’ve spoken with members of the NIST team and they will be turning attention to creating implementation guides for the more complicated requirements.
The first section of the implementation guide is around identity proofing. For the password screening outlined in section 5.1.1 of 800-63B, the effort to maintain a blacklist is substantial but not necessarily complicated, so it’s unclear whether that will receive its own section. Organizations interested in seeing the Enzoic implementation of these requirements are invited to contact us, or sign up for free.
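To make the section 5.1.1 screening concrete, here is an added example (not Enzoic’s implementation or NIST’s code) of the memorized-secret checks a verifier performs under 800-63B 5.1.1.2: minimum length, comparison against a compromised/common list, repetitive or sequential characters, and context-specific words. The blocklist, username and service name are constructed for illustration.

```python
"""Added example: memorized-secret screening modelled on NIST SP 800-63B 5.1.1.2.
The blocklist below is a tiny constructed stand-in for a real breach corpus and
dictionary, which is where the substantial maintenance effort actually lies."""
import unicodedata

# Constructed sample blocklist (lowercase). A production list holds entries from
# breach corpora and dictionaries and must be kept current.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "123456789"}


def _has_repetitive_or_sequential(secret: str, run: int = 4) -> bool:
    """True for runs like 'aaaa' or '1234'/'abcd', both of which 800-63B cites."""
    for i in range(len(secret) - run + 1):
        window = secret[i:i + run]
        if len(set(window)) == 1:            # repetitive: one character repeated
            return True
        codes = [ord(c) for c in window]
        if all(b - a == 1 for a, b in zip(codes, codes[1:])):  # sequential
            return True
    return False


def check_memorized_secret(secret: str, username: str, service: str) -> list[str]:
    """Return the 800-63B 5.1.1.2 reasons to reject a subscriber-chosen secret.
    An empty list means accept. No composition rules are applied, per 800-63B,
    and the secret is never truncated before comparison."""
    # NFKC-normalize so Unicode variants of the same string compare equal.
    normalized = unicodedata.normalize("NFKC", secret)
    low = normalized.lower()
    reasons = []
    if len(normalized) < 8:
        reasons.append("shorter than 8 characters")
    if low in BLOCKLIST:
        reasons.append("on the compromised/common password list")
    if _has_repetitive_or_sequential(low):
        reasons.append("repetitive or sequential characters")
    # Context-specific words: the username, the service name and a simple
    # derivative (reversed); a real verifier would check more derivatives.
    for word in (username, service):
        w = word.lower()
        if w and (w in low or w[::-1] in low):
            reasons.append(f"contains context-specific word '{word}'")
    return reasons
```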
The community-centric approach and 1,400+ comments that went into NIST 800-63 show a great commitment to collaboration. They’ve done a great job of meeting their goal of simplifying and clarifying their guidance, aligning with commercial markets, promoting international interoperability, and focusing on outcomes to promote innovation and deployment flexibility.