The National Institute of Standards and Technology (NIST) finalized its Digital Identity Guidelines in December 2017 and published the following four documents:
NIST Special Publication 800-63-3, Digital Identity Guidelines
Presents an executive summary of the series along with a glossary.
NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing
Provides requirements for the enrollment and identity proofing of applicants seeking access to resources at each Identity Assurance Level (IAL), and sets out the responsibilities of Credential Service Providers (CSPs) for establishing and maintaining enrollment records and binding authenticators. This document also contains a figure (Figure 4-1, The Identity Proofing User Journey) that outlines the basic flow of identity proofing and enrollment.
NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management
Defines Authenticator Assurance Levels (AALs) 1 through 3 and sets requirements for memorized secrets (passwords). The Authenticator Assurance Levels are:
- AAL1 requires single-factor authentication and permits a wide variety of authenticator types.
- AAL2 requires two authentication factors for additional security.
- AAL3 additionally requires a hardware-based authenticator and verifier impersonation resistance.
The changes to the "memorized secrets" requirements include the following:
- Make password policies user-friendly
- Require a minimum password length of 8 characters and allow a maximum length of at least 64
- Check new passwords against a dictionary of known-bad choices
- Don't require composition rules, e.g., mandatory special characters, letters, or digits
- Don't require password hints
- Don't require knowledge-based authentication questions, e.g., what is your favorite….
- Don't expire a password without a reason, such as a forgotten password, evidence of phishing, or a stolen password database
These changes contrast with the password requirements in other current standards such as PCI DSS 3.2. We expect feedback from those standards organizations in the coming months regarding these changes.
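As an added example, not part of the original article or of NIST's publications, the following Python check applies the memorized-secret rules listed above (minimum length 8, maximum of 64 accepted, a known-bad blocklist, no composition rules). The blocklist entries and the context words are constructed samples; capping at exactly 64 characters is an assumption, since 800-63B only requires that at least 64 be allowed.

```python
# Added example (not from the article or from NIST): a memorized-secret
# acceptance check following the SP 800-63B rules summarized above.
from typing import List, Sequence
import unicodedata

MIN_LENGTH = 8    # 800-63B: at least 8 characters
MAX_LENGTH = 64   # 800-63B: allow at least 64; this example caps at 64 (assumption)

# Constructed sample of known-bad choices; a real list is breach-derived and far larger.
KNOWN_BAD = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou"}


def normalize(secret: str) -> str:
    """NFKC-normalize before counting or comparing, so visually identical
    Unicode forms are treated the same (800-63B recommends normalizing)."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, context_words: Sequence[str] = ()) -> List[str]:
    """Return the reasons a candidate secret is rejected; an empty list means accept.

    No composition rules (special characters, digits, mixed case) and no hints
    are enforced. context_words are site- or user-specific terms (service name,
    username) that 800-63B also says to block."""
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    # Length is counted in Unicode code points, which is what len() returns here.
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in KNOWN_BAD:
        reasons.append("appears in the known-bad dictionary")
    # Simplest form of the "repetitive characters" check: one character repeated.
    if len(set(lowered)) == 1:
        reasons.append("repetitive characters")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    # A long all-lowercase passphrase passes: no composition rule rejects it.
    print(check_memorized_secret("correct horse battery staple"))  # []
    print(check_memorized_secret("Password"))  # ['appears in the known-bad dictionary']
    print(check_memorized_secret("MyAcmeCorp2020", context_words=("acmecorp",)))
```

A composition-rule policy of the kind found in PCI DSS 3.2 would reject the lowercase passphrase and accept the blocklisted "Password" variant; this check does the opposite.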
NIST Special Publication 800-63C, Digital Identity Guidelines, Federation and Assertions
Presents requirements for identity providers (IdPs) and relying parties (RPs) in federated identity systems.