Simplifying digital identity
Getting digital identity right can be a challenge—that's why NIST develops guidance, including frameworks and methods, to help agencies and organizations offer privacy-enhancing, secure, interoperable, and easy to use services. NIST guidance is risk-based, enabling organizations to achieve mission goals, deploy services that are appropriate for their systems and users, and simultaneously minimize adverse outcomes. NIST works continually with the community to develop deployable, effective guidance.
NIST aims to support market progress, like the adoption of more effective authentication solutions. The outlook is good: 63% of large organizations are using multi-factor authentication (MFA) across their organization, and 41% of medium-sized businesses plan to implement or expand their MFA deployments in 2017, according to SecureAuth.
NIST Special Publication (SP) 800-63: Digital Identity GuidelinesThe Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication includes: an overview of identity frameworks; using authenticators, credentials, and assertions in a digital system; and a risk-based process to select assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs. SP 800-63 comprises a suite of documents that can be used independently or in concert to meet identity needs.
Implementation Guidance for NIST’s Digital Identity Guidelines
NIST will work with the community to prepare implementation guidance for the Digital Identity Guidelines. The goal is to give implementers easily deployable guidance and help them meet the requirements.
NIST Internal Report (NISTIR) 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems
NISTIR 8062 provides an introduction to the concepts of privacy engineering and risk management for Federal systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy risk within Federal systems, and the effective implementation of privacy principles. NISTIR 8062 introduces two key components to support the application of privacy engineering and risk management: privacy engineering objectives and a privacy risk model. | PDF
TIG Lead Mike Garcia on FedScoop's Cyber Innovation Heroes Series
Innovating the delivery of digital services
User-friendly authentication at scale
In their NIST pilot, Daon updated its IdentityX authentication technology to a federated, interoperable, standards-based capability designed to offer strong authentication in a manner that improves both security and usability. Daon’s IdentityX solution provides multi-factor authentication on the iOS and Android platforms with the ability to selectively combine a variety of traditional and non-traditional authentication methods of varying strength—voice and face biometrics, device authentication, password, PIN, one-time password, and location—depending on the risk level of the transaction and customer choice.
Simplifying multi-factor authentication (MFA) enablement
Internet2 has developed tools to encourage the adoption of privacy-enhancing technology. Their work includes deploying smartphone-based MFA across three major university campuses, establishing a collaborative group to accelerate the adoption of MFA across universities, developing a user-centric privacy management tool, and assessing the current state of anonymous credential technologies.
Spreading the word about impacts and benefits
The pilots aren't about changing everything on their own. It's about a partnership model and an ecosystem approach. One good deployment leads to another, which attracts new innovation, which becomes a virtuous cycle of its own. One of the best ways to foster this is to tell folks what's going right and what's going wrong. For all of our pilots, we require our partners to talk publicly about their successes and failures. For those pilots that work with government partners, we require an independent evaluation to assess the impacts and benefits to constituent services. You can find the report on one of those pilots here, and as other pilots wrap up, we'll be publishing reports on those as well.
Learn more about the trusted identities pilots.
Laying the foundation to improve online privacy and security
Privacy Engineering Program
The NIST Privacy Engineering Program supports the development of trustworthy systems by applying measurement science and systems engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties. | more
Cybersecurity for the Internet of Things (IoT) program
NIST’s Cybersecurity for IoT program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across industry, government, international bodies, and academia, the program aims to cultivate trust and promote U.S. leadership in IoT. | more
- Cybersecurity for IoT program | more
- Privacy Engineering Program | more
- Digital Identity Guidelines (NIST SP 800-63-3) | more
- An Introduction to Privacy Engineering and Risk Management in Federal Systems (NISTIR 8062) | PDF
- Developing Trust Frameworks to Support Identity Federation (draft NISTIR 8149) | GitHub | PDF
- NSTIC Pilots: Catalyzing the Identity Ecosystem (NISTIR 8054) | PDF
- TIG pilot projects | more
- Trusted identities 2016 year in review | blog
Check back soon for upcoming events!