As the NSTIC pilots develop and implement innovative identity solutions, they are confronting head-on the challenge of convincing the marketplace to adopt them. We are enthusiastic about organizations that are pioneering new identity technologies, but recognize that widespread adoption of these technologies requires that they be interoperable. Standards are essential here; without them, consumers and businesses have no easy way to adopt these technologies, or to judge how – if at all – to trust them.
Recently, we have been excited to see the market start to respond to this need, creating new standards that make strong identity and authentication more convenient for businesses and their users. And with this, we’ve seen the IDESG Standards Coordination Committee (SCC) start to identify where there are gaps in the current set of standards – either places where existing standards need to be revised and improved, or where brand new standards may be needed to fill gaps.
One example of the latter involves knowledge-based authentication (KBA). While KBA is widely used today, there is no performance standard for KBA solutions – something that many of the NSTIC pilots have flagged as a significant challenge. The SCC is pursuing approaches to work with industry in developing a performance standard for KBA, with the goal of allowing organizations that issue credentials – and those that accept them – to be confident that users accessing their site are who they say they are. The addition of metrics to dynamic KBA may allow organizations to make well-informed decisions that reduce the risk of unauthorized disclosure, while increasing the overall trustworthiness and efficacy of the Identity Ecosystem. Additionally, they could give a greater level of control to the organization making the risk decision.
Outside of the IDESG, the health sector is also making strides here by initiating a project to standardize the secure exchange of health information in a way that puts the individual first. Through the OpenID Foundation’s Health Relationship Trust (HEART) working group – with support from the Office of the National Coordinator (ONC) for Health IT – industry is working to ensure that patient consent and authorization for access to health records will no longer be a tedious, paper-based, and confusing task. HEART is targeted at health information sharing, but more broadly it represents a holistic effort to profile three existing standards – OAuth 2.0, OpenID Connect, and User-Managed Access (UMA) – so that their security and privacy properties are applied consistently.
Mobile applications have also seen substantial advancements this past year, with organizations like the FIDO Alliance (Fast Identity Online) broadening the aperture on how individuals can use devices they already have to replace passwords, or to support more convenient, easy-to-use multi-factor authentication. In the FIDO protocols the device holds a private key and signs a server-supplied challenge; the biometric or PIN only unlocks that key locally, so no shared secret is sent to or stored by the relying party. With this standardization, individuals have more choice than ever in how they authenticate, whether it is with biometrics (like fingerprints or facial recognition) or traditional hardware and software tokens (like SMS passcodes or USB keys).
While there has clearly been serious standardization progress lately, much work remains. As we continue to develop these new standards, it is important to keep in mind that privacy by design and user-friendly authorization must be inherent in both the standards and the technology that implements them.
In addition to these familiar concepts, standards need to take new technologies into consideration. For example, the emerging Internet of Things (IoT) offers exciting new possibilities, but also raises privacy and security concerns. NIST is starting to explore how standards may help to jumpstart these innovative technologies and provide frameworks to address their potential risks.
NIST recognizes the advancements in standards occurring throughout the private sector. In order for the government to benefit from these advances in the marketplace, it is imperative for NIST to evolve our own standards accordingly. As such, the NIST Computer Security Division has issued a "Note to Reviewers" to explore new ways to apply innovation within Special Publication (SP) 800-63, Electronic Authentication Guideline, across all levels of assurance. While SP 800-63 is mandatory for federal agencies only, a future revision could benefit the consumer-facing services the government offers, including Connect.gov, as well as the private sector identity service providers that are intrinsic to delivering strong authentication to the government. Public and private sector input will be essential in shaping this important document and the impact it could have on the Identity Ecosystem.
Solid standards are imperative to implementing the NSTIC. They help drive the adoption of strong authentication technologies by increasing the interoperability and ease of use of identity solutions. We are thrilled with the recent advancements, and are eager to see new challenges addressed through standards in 2015 and beyond.
Follow the NSTIC NPO on Twitter for the latest updates.