After one year and a large, cross-industry effort, the new Special Publication (SP) 800-63 is now a final product.
The Electronic Authentication Guidelines evolved into Digital Identity Guidelines — a suite of documents covering digital identity from initial risk assessment to deployment of federated identity solutions.
This revision to SP 800-63 was NIST’s first foray into using GitHub to collaborate with stakeholders for a major document.
The community participation resulted in a tremendous response: contributors submitted 1,400+ comments for review, and the web version of the publication drew over 74,000 unique visitors between May 2016 and May 2017.
Digital identity has changed dramatically since the last revision of this document in 2013.
Gone are the days of levels of assurance (LOAs); they are replaced by separate ordinals for the individual parts of the digital identity flow, giving implementers more flexibility in their design and operations:
• Identity Assurance Level (IAL): The identity proofing process and the binding between one or more authenticators and the records pertaining to a specific subscriber
• Authenticator Assurance Level (AAL): Authentication process, including how additional factors and authentication mechanisms can impact risk mitigation
• Federation Assurance Level (FAL): Assertion used in a federated environment to communicate authentication and attribute information to a relying party (RP)
The suite that is now SP 800-63 has four parts — and could have more in the future as digital identity evolves. SP 800-63 is the mothership: the starting point for all things digital identity and risk, with SP 800-63A, 800-63B, and 800-63C covering the various components of a digital identity system:
• SP 800-63-3 (Digital Identity Guidelines) incorporates risk language that agencies have been following from OMB M-04-04 and updates SP 800-63-2, sections 1-4.
• SP 800-63A (Enrollment & Identity Proofing) updates SP 800-63-2, section 5.
• SP 800-63B (Authentication & Lifecycle Management) updates SP 800-63-2, sections 6-8.
• SP 800-63C (Federation & Assertions) updates SP 800-63-2, section 9.
SP 800-63A focuses on arguably the most difficult part of digital identity: strengthening identity proofing while expanding options for remote and in-person proofing. The new guidelines clarify methods for resolving an identity to a single person and enable RPs to evaluate and determine the strength of identity evidence.