This page is ARCHIVED. Please visit https://www.nist.gov/identity-access-management for current information on NIST’s Identity and Access Management work.
Version: 3; 3 March, 2016
Applied Cybersecurity Division
Information Technology Laboratory, NIST
The identity ecosystem has matured to the point where it is appropriate to undertake the work of building measurement science for application in the market—a critical step in further aiding expansion and innovation of the identity ecosystem. Building off of January’s workshop, NIST intends to delve more deeply into each of the topic areas: Strength of Identity Proofing, Strength of Authentication, and Attribute Metadata & Confidence.
This charter provides a high level understanding of the work which NIST’s Applied Cybersecurity Division will undertake to advance a standardized approach for measuring the strength of authentication methods by focusing on biometric authentication first, to document vulnerabilities and mitigation strategies specific to this form factor. The intention is to use this work and the body of work on other form factors at a later stage to address strength of authentication for any form factor.
The purpose of this project will be to produce a document that contains guidance for measuring and evaluating the strength of a biometric authentication system. This document will provide a greater understanding of the confidence that can be placed in different types of biometrics based authentication systems and allow for more informed, risk based decisions when selecting, building, or implementing biometric authentication solutions. Its overall objective is to promote more efficient and secure identity practices within the federal government and across the identity ecosystem as a whole. To enable this latter objective, NIST is considering the possibility of providing the NISTIR as a contribution to a standards organization to catalyze the development of a voluntary consensus standard. A final approach to standardization will be identified as work and stakeholder engagement progress.
NIST will undertake the development of a framework for scoring the strength of biometric authentication methods. This document will initially take the form of a draft NIST Internal Report (NIST IR). Through public review comments, workshops, and other public engagement opportunities, NIST will gather information to determine whether to publish the document as a NIST IR and/or whether to submit the document to another forum.
This document will build off of the previously published white paper, “Measuring Strength of Authentication” and explore a vulnerabilities based approach to assessing, evaluating, and scoring the strength of a biometric authentication system. The NISTIR will—likely—be modality (e.g., finger print, iris, voice) agnostic and explore the possibility of multiple modalities being employed in a single system.
The NIST IR will only address biometric authentication systems. It will, however, be developed with the intent to enable application of the vulnerabilities based model to other methods of authentication in the future.
This IR will be developed using an iterative approach that engages community stakeholders early and often during the drafting period—taking advantage of more frequent, but shorter comment periods to enable rapid production of the document. All processes will be conducted in a way that preserves and reflects NIST’s traditions of openness and transparency. The proposed phases are outlined below:
Throughout the course of this project, ACD intends to engage with a broad spectrum of different stakeholders. Those interested in engaging with, contributing to, and influencing this work should seek out opportunities in the following ways:
In addition to facilitating comments on the IR and its draft. ACD is also seeking input on the concepts and ideas proposed in this charter—we want to know if we are heading in the correct direction. Comments can be provided by emailing to NSTICworkshop [at] nist.gov.
Below are high level milestones, by phase for the development of the IR.