Identity and Access Management at NIST: A Rich History and Dynamic Future

Digital identity for access control is a fundamental and critical cybersecurity capability that ensures the right people and things have the right access to the right resources at the right time. NIST has a rich history in digital identity standardization spanning more than 50 years. We have conducted research, developed prototypes and reference implementations, and supported pilots to better understand new and emerging technologies that inform our digital identity standards, guidelines, and resources. Also, NIST participates and leads in the development of national and international standards, guidance, best practices, profiles, and frameworks to create an enhanced, interoperable digital identity and access management ecosystem.

Passwords as the Beginning

Before most people had ever used a computer, the National Bureau of Standards was developing guidelines and standards for using automation to identify computer users and limit their access to information—in other words, user authentication. By the mid-1980s, passwords were widely used and NIST released a comprehensive standard on passwords, Federal Information Processing Standard (FIPS) 112, Password Usage. FIPS 112 covered not only password characteristics (e.g., composition, length, lifetime, and sources), but also their management and usage  (e.g. secure storage, distribution to users, communication, and time between authentications).These advanced concepts found in the 1985 standard are still familiar today, such as password strength, one-time passwords, and login attempt limits.

Smart Cards / Token-Based  Authentication

Recognizing a need for stronger authentication mechanisms as alternatives to passwords, NIST started work on smart cards in the late 1980s, and our Data Encryption Standard (DES) was used on a cryptographic token to create the Token Based Access Control System (TBACS). Expanding further, NIST put standard cryptographic algorithms for authentication —DES and RSA —onto smart cards. The challenge of managing symmetric keys on a large scale led to an increased focus on the use of public key cryptography following the standardization of the Digital Signature Standard (DSS) as FIPS 186 in 1994. NIST was instrumental in developing foundational standards, architectures, and specifications that drove the early implementations of the public key infrastructure components that were critical to the adoption and use of public key cryptography in the federal government. In the late 1990s, NIST led the government’s work on defining smart card interoperability technical specifications and standards, which resulted in the Government Smart Card Interoperability Specification (GSC-IS) and establishing the framework for smart cards to work in an open environment.

Personal Identity Verification (PIV)

The year 2004 marked the inception of Personal Identity Verification (PIV) credentials. It began with Homeland Security Presidential Directive 12 (HSPD-12) to establish requirements for a common standard for identifying federal employees and contractors. NIST immediately began developing the standard for the PIV card, security, and privacy requirements for issuing organizations, and detailed technical specifications of components and processes for government-wide interoperable use of PIV cards in authentication, access control, and PIV card management. The next tasks were to complete the publications supporting the standard, produce and issue the first PIV cards, establish a program for PIV product validation, and provide PIV reference implementations. Today, the set of PIV credentials can accommodate a diverse and growing set of user device platforms, with interoperability across the federal government achieved via Federation.

Digital Identity Guidelines

In the early 2000s, NIST supported the Office of Management and Budget (OMB) in developing guidance (OMB M-04-04) on electronic authentication ("e-authentication") to assist federal agencies in selecting authentication processes that provide the appropriate level of assurance for particular use cases. NIST staff and OMB were also working together on Special Publication (SP) 800-63, Digital Identity Guidelines, to complement OMB-M-0404 and provide e-authentication guidelines with specific technical requirements for each assurance level. These guidelines are targeted not only at internal federal agency purposes but also at public-facing federal agency applications. Over the years, NIST built on the foundation of the e-authentication program, incorporating lessons learned from industry adoption of new technologies. The latest revision, SP 800-63 ­­– now named ‘The Digital Identity Guidelines – provides a risk management framework for identifying digital identity needs and establishes a graduated set of controls for the identity proofing and enrollment, authentication, and federation of digital identities across identity domains. The guidelines serve as the standard for digital identity management for federal agencies to provide online services, transactions, and applications to the public. The Digital Identity Guidelines have been broadly adopted by industry and internationally.

National Strategy for Trusted Identities in Cyberspace (NSTIC)

In April 2011, President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC), which  called for the public and private sectors to collaborate on the creation of an “Identity Ecosystem.” This ecosystem would enable individuals to choose from multiple identity providers and digital credentials for more convenient, secure, and privacy-enhancing transactions anywhere online. The  NSTIC objective was to advance four guiding principles for all identity solutions: (1) privacy-enhancing and voluntary, (2) secure and resilient, (3) interoperable, and (4) cost-effective and easy-to-use. NIST established the NSTIC Program Office to administer 15 pilot programs to advance the guiding principles and to establish and lead the Identity Ecosystem Steering Group (IDESG) in developing and implementing the Identity Ecosystem Framework. The NSTIC program and pilots demonstrated identity solutions to promote the guiding principles and advanced key initiatives, including the adoption of multi-factor authentication, implementation of mobile driver’s licenses, and foundation for privacy engineering for identity solutions. The lessons learned drove industry adoption of new technologies and also informs NIST standards and guidelines on digital identity.

National Cybersecurity Center of Excellence (NCCoE)

The National Cybersecurity Center of Excellence (NCCoE) was formed in 2012 to create practical, standards-based solutions that organizations of all types and sizes can use to protect their assets, people, and data. Since its inception, the NCCoE has collaborated with several communities to provide guidance on digital identity management, including the financial sector, the energy sector, public safety communities, and e-commerce. For each project, the NCCoE designed and implemented a standards-based architecture in the NCCoE lab environment using commercially available standards and technology. This applied work feeds directly into the guidance the NCCoE publishes and acts as a feedback loop for standards bodies and commercial technology providers. In this way the NCCoE has demonstrated a myriad of standards-based identity concepts including multifactor authentication using FIDO protocols, single sign-on using OAuth 2.0, and identity federation using OpenId Connect 1.0 and SAML 2.0. Currently the NCCoE is working with industry to demonstrate zero trust architectures, which rely upon many of these digital identity principles.

Where We Are Heading

An increasing part of our personal and professional lives rely on digital services, the value of which has been emphasized throughout the pandemic. State and federal agencies increasingly turned to the Internet to provide critical government services, and remote work and online collaboration tools have become part of everyday life for many Americans. Digital identity is a critical technology to enable, deliver and support these services. While digital identity services and technologies have come a long way since NIST’s early work on passwords in the 1980s, the recent experience during the pandemic have highlighted some of the remaining challenges to ensuring these technologies can support security and privacy needs while maintaining equitable access to important government services. Today, we are building on our rich history in identity and access management to identify new technologies, processes, and considerations for providing digital identity services in a private and equitable manner.