While no one thinks it’s a good idea to talk about breakups in the month of February, with the deadline approaching for certain federal agencies to comply with the digital identity requirements outlined in the National Institute of Standards and Technology’s Special Publication (SP) 800-63-3, agencies should prepare themselves to say goodbye to outdated, first-generation technologies that are no longer viewed as effective digital authentication methods.
NIST 800-63-3 was published in June 2017 and represents the first major overhaul of the digital identity guidelines that were originally published over eleven years ago and were last revised in 2013. The new revision retires the old model of the guidelines, which required agencies to select appropriate digital identity technology based on a single level of assurance. The new model, included in SP 800-63-3, recognizes that in today’s market there are three separate components to digital identity services, if not more, including identity proofing, authentication, and federation. Using these components, SP 800-63-3 introduces three different areas of assurance (collectively referred to as “xALs”), each of which has three distinct assurance levels—Levels 1 to 3. As with the prior version of SP 800-63, the assurance level of each xAL dictates the appropriate digital identity technology that agencies should use to meet the technical requirements for the selected xAL assurance level.
Aside from the most obvious change noted above, SP 800-63-3 also makes some notable changes relating to authentication. For example:
- One-time passwords (“OTPs”) delivered via email are no longer viewed as a multi-factor authentication method, because passwords and email addresses are both considered to be “something you know” factors.
- “Restricted Authenticators” (e.g., sending a code to a known phone number) have been widely used as an authenticator and were previously viewed as a reliable method of authentication, but have become less reliable as criminal conduct and technology have evolved. While Restricted Authenticators are not completely prohibited, the use of such authenticators imposes additional obligations on agencies. Currently, authenticators using the public switched telephone network, including phone and Short Message Service (SMS)-based OTPs, are restricted.
- New password recommendations that, rather than requiring users to reset their passwords on a periodic basis, urge the use of passwords (referred to in the publication as memorized secrets) that are at least 64 characters long and are composed of phrases that users can easily memorize.
- The use of pre-registered knowledge tokens—for example, questions like “what is the name of your favorite law firm” (obviously, Troutman Sanders)—can no longer be used to authenticate or recover a lost, stolen, or forgotten credential.
Agencies have until June 2018 to meet the requirements of SP 800-63-3 and to say farewell to their outdated digital identity technologies. We assume that NIST understood that the most painful goodbyes are the ones that are never explained, and that is why NIST actively tried to explain the reasoning behind the numerous updates and changes imposed by SP 800-63-3 through various communications, including its FAQ page. NIST has made it clear that although the new guidelines have changed substantially from past versions, SP 800-63-3 is not the be-all-end-all for digital identity guidelines. With the market and technology constantly changing, and new threats continuously emerging, it’s only a matter of time before NIST tells us it’s time to move on again to healthier circumstances.