NIST Digital Identity Guidelines with New "Memorized Secrets" Recommendations

By Nancy Rand
Posted in Security
On January 12, 2018

The National Institute of Standards and Technology (NIST) finalized its Digital Identity Guidelines in December 2017 and published the following four documents:

NIST Special Publication 800-63-3, Digital Identity Guidelines

Presents an executive summary of the series along with a glossary.

NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing

Provides requirements for enrollment and identity proofing of applicants for access to resources at each Identity Assurance Level (IAL) and the responsibilities of Credential Service Providers (CSPs) with respect to establishing and maintaining enrollment records and binding authenticators. Also in this document is a figure (Figure 4-1 The Identity Proofing User Journey) that outlines the basic flow for identity proofing and enrollment.

NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management

Includes definitions of authenticator assurance levels 1-3, along with memorized secrets requirements. The Authenticator Assurance Levels are:

  • AAL1 requires single-factor authentication and is permitted with a variety of different authenticator types.
  • AAL2 requires two authentication factors for additional security.
  • AAL3 additionally requires a hardware-based authenticator and verifier impersonation resistance.

The changes to "memorized secrets" requirements include the following:

  • Make password policies user friendly
  • Minimum password length of 8 characters, with a maximum of at least 64
  • Check new passwords against a dictionary of known-bad choices
  • Don't require composition rules, e.g., mandatory special, alphabetic, or numeric characters
  • Don't require password hints
  • Don't require knowledge-based authentication questions, e.g., "What is your favorite…"
  • Don't expire a password without a reason, such as a forgotten password, a phishing incident, or a stolen password database
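To make the length and known-bad rules concrete, here is an added example (not code from the post or from NIST) of a password acceptance check written along those lines, placed beside the composition-rule style of check that the guidance moves away from. The known-bad list is a constructed handful of entries standing in for a real breach corpus; the Unicode normalization step and the context-specific word check come from SP 800-63B itself rather than from the summary list above, and the `context_words` parameter is a name chosen for this example.

```python
"""Memorized-secret acceptance check modelled on the SP 800-63B rules.

Added example: contrasts a legacy composition-rule policy with one that
enforces only length and a known-bad list.
"""
from __future__ import annotations

import unicodedata

# Length bounds from the memorized-secret rules summarised in the post.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a real known-bad list (breach corpora, dictionary
# words). A production verifier would load millions of entries.
KNOWN_BAD = frozenset({
    "password", "password1", "password1!", "12345678", "qwertyuiop",
    "iloveyou", "letmein123", "football", "sunshine1",
})


def legacy_policy(password: str) -> list[str]:
    """Composition-rule policy of the kind the guidance moves away from.

    Shown for contrast only: it rejects a long passphrase that lacks an
    uppercase letter or digit, yet accepts 'Password1!', which appears on
    every cracking wordlist. Returns the list of rule violations.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a special character")
    return problems


def nist_policy(password: str,
                known_bad: frozenset[str] = KNOWN_BAD,
                context_words: tuple[str, ...] = ()) -> list[str]:
    """Accept or reject a memorized secret along the lines of SP 800-63B.

    Returns the reasons for rejection; an empty list means accepted. There
    are no composition rules, hints or secret questions: only a length check
    and a comparison against known-bad and context-specific values.
    """
    # SP 800-63B recommends Unicode normalisation (NFKC or NFKD) before
    # counting or comparing, so visually identical inputs behave identically.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    # Length is counted in code points, so a passphrase made of non-ASCII
    # characters is neither penalised nor inflated by its byte size.
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Known-bad comparison ignores case: 'Password' is no better than 'password'.
    folded = normalized.casefold()
    if folded in known_bad:
        problems.append("appears on the known-bad list")
    # Context-specific words (username, service name) are also disallowed by
    # SP 800-63B; this extends the post's list. Substring match catches
    # simple derivatives such as 'jdoe-2018'.
    for word in context_words:
        if word and word.casefold() in folded:
            problems.append(f"contains context-specific word {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1!", "short"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate)}")
```

The contrast is the point: the passphrase is rejected by the legacy policy and accepted by the NIST-style one, while the well-known `Password1!` passes every composition rule and is caught only by the known-bad list. A real verifier would pair this with rate limiting and a salted, iterated hash of the accepted secret, which the post does not cover.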

These changes are in contrast to the present password requirements in other standards such as PCI DSS 3.2. We expect feedback from those standards organizations in the coming months regarding these changes.

NIST Special Publication 800-63C, Digital Identity Guidelines, Federation and Assertions

Presents requirements for identity providers (IdPs) and relying parties (RPs) of federated identity systems.

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.