The Trusted Identities Group (TIG) is committed to advancing measurement science, technology, and standards adoption to improve digital identity for individuals and organizations alike. To do so, NIST's subject matter experts collaborate with the community on technical projects and publications covering a variety of foundational digital identity topics—from biometrics to federated identity solutions. The TIG is getting particularly NIST-y with several initiatives focused on developing measurement science to aid organizations with identity management decision-making.
Measurement science to improve digital identity decision-making
NIST is collaborating with experts from the public and commercial sectors to tackle tough issues in digital identity with measurement science. To date, the community still lacks a true set of measurements that indicate how effective a given identity technology is. Organizations can place a technology's strength somewhere within a range, but they cannot empirically calculate its effectiveness, and that is what proper risk management requires. Some of the most pressing topics include: strength of authentication with a focus on biometrics, attribute confidence, and strength of identity proofing. NIST’s goal is to establish frameworks that enable objective measurement of identity solutions so that organizations can more easily mitigate risk and compare and combine these solutions.
Strength of Function for Authenticators (SOFA) - Biometrics
There are many different methods for authenticating users to applications, devices, and services, from “traditional” usernames and passwords, to software one-time passwords, to multiple modalities of biometric systems. With all these options and the persistent drive towards stronger authentication, the emerging question is: “How can I compare the security of these technologies and determine which fits my risk environment?”
The purpose of the SOFA framework is to provide guidance for measuring, evaluating, and comparing the strength of authentication systems. Given the growing ubiquity of biometric-capable devices and their convenience, they represent the ideal starting point for the SOFA framework: a diverse and emerging set of technologies with varying performance, configurations, and capabilities, but typically with limited security guidance in place. This effort begins with identifying the ways in which biometric authenticator strength can be measured and evaluated.
Attribute Metadata
Draft NIST Internal Report (NISTIR) 8112: Attribute Metadata defines a schema for metadata that describe a subject’s attributes. It is intended to give relying parties (RPs) greater insight into the methods through which attributes are determined, to assist in making risk-based business decisions. As a result, RPs can examine this metadata and determine whether they have the confidence they need in the attribute value before making an authorization decision. This document is being treated like an “implementer's draft”, an approach that focuses on real-world implementation results and lessons learned before the document can be finalized.
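The following is an added example (not code from NIST or from NISTIR 8112) of the decision an RP makes with attribute metadata: each attribute value arrives with a description of who verified it, how, when, and from what origin, and the RP applies a per-attribute policy before authorizing. The field names (`verifier`, `verification_method`, `verification_date`, `origin`), the ranking of verification methods, and the sample attributes and policy are assumptions constructed for this illustration, not the schema defined in the draft.

```python
"""Relying-party policy check over attribute metadata (illustrative example).

The metadata fields, the method ranking and the sample data below are
assumptions for this example; they are not the NISTIR 8112 schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Hypothetical ranking of verification methods, weakest to strongest.
METHOD_RANK = {
    "self_asserted": 0,
    "document_inspection": 1,
    "authoritative_source_query": 2,
}


@dataclass(frozen=True)
class AttributeMetadata:
    verifier: str               # who established the value
    verification_method: str    # key of METHOD_RANK
    verification_date: date     # when the value was last verified
    origin: str                 # "user" or "authoritative"


@dataclass(frozen=True)
class Attribute:
    name: str
    value: str
    metadata: AttributeMetadata


@dataclass(frozen=True)
class AttributePolicy:
    min_method: str                     # weakest acceptable verification method
    max_age: timedelta                  # how old the verification may be
    require_authoritative_origin: bool = False


def assess(attr: Attribute, policy: AttributePolicy, today: date) -> List[str]:
    """Return the reasons the attribute fails the policy; empty list means accepted."""
    md = attr.metadata
    reasons: List[str] = []
    rank = METHOD_RANK.get(md.verification_method)
    if rank is None:
        reasons.append("unknown_method")
    elif rank < METHOD_RANK[policy.min_method]:
        reasons.append("method_too_weak")
    if today - md.verification_date > policy.max_age:
        reasons.append("stale")
    if policy.require_authoritative_origin and md.origin != "authoritative":
        reasons.append("origin_not_authoritative")
    return reasons


def authorize(attrs: Dict[str, Attribute], policies: Dict[str, AttributePolicy],
              today: date) -> Dict[str, List[str]]:
    """Evaluate every attribute the policy requires; a missing attribute fails."""
    results: Dict[str, List[str]] = {}
    for name, policy in policies.items():
        attr = attrs.get(name)
        results[name] = ["missing"] if attr is None else assess(attr, policy, today)
    return results


def decision(results: Dict[str, List[str]]) -> bool:
    """Grant only when no required attribute has any failure reason."""
    return all(not reasons for reasons in results.values())


# Constructed sample data: one well-verified attribute, one self-asserted one,
# and one whose verification is too old for the policy.
SAMPLE_TODAY = date(2017, 6, 1)
SAMPLE_ATTRIBUTES = {
    "date_of_birth": Attribute("date_of_birth", "1980-01-01", AttributeMetadata(
        "example_dmv", "document_inspection", date(2016, 3, 15), "authoritative")),
    "mailing_address": Attribute("mailing_address", "1 Example St", AttributeMetadata(
        "subject", "self_asserted", date(2017, 5, 20), "user")),
    "email": Attribute("email", "user@example.test", AttributeMetadata(
        "example_idp", "authoritative_source_query", date(2015, 1, 10), "authoritative")),
}
SAMPLE_POLICY = {
    "date_of_birth": AttributePolicy("document_inspection", timedelta(days=1826), True),
    "mailing_address": AttributePolicy("document_inspection", timedelta(days=365)),
    "email": AttributePolicy("self_asserted", timedelta(days=365)),
}

if __name__ == "__main__":
    outcome = authorize(SAMPLE_ATTRIBUTES, SAMPLE_POLICY, SAMPLE_TODAY)
    for name, reasons in outcome.items():
        print(f"{name}: {'accept' if not reasons else ', '.join(reasons)}")
    print("authorize:", decision(outcome))
```

The point of returning reasons rather than a bare yes/no is that the RP can log why an attribute was rejected and can tune its policy per attribute (a date of birth used for an age check may need document inspection, while an email address may only need to be reasonably fresh).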
Privacy-Enhanced Identity Federation
The Privacy-Enhanced Identity Federation project will examine how emerging privacy-enhancing technologies that leverage open standards can be integrated into identity federation solutions to meet users' and organizations' privacy objectives. This project is a joint effort between the National Cybersecurity Center of Excellence (NCCoE) and the TIG. Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a reference design.
While NIST guidance supports the U.S. Federal government’s implementation of services, there is also a broader need for global interoperability in digital identity. Just like standards for cars, standards for digital identity need not be just for the U.S. The need for global interoperability can be met by harnessing expertise from across communities. As such, NIST collaborates with government and industry partners on global digital identity, cybersecurity, and privacy standards. NIST was one of the first government members of the FIDO Alliance to support the development of standards-based, interoperable authentication specifications. NIST also participates in efforts with the OpenID Foundation (OIDF), such as iGov, and with the International Organization for Standardization (ISO) and the Internet Engineering Task Force (IETF), among others.
Strength of Function for Authenticators (SOFA) discussion draft webinar
- Strength of Function for Authenticators - Biometrics | more
- Attribute metadata | more
- Advanced Identity Workshop on Applying Measurement Science in the Identity Ecosystem: Summary and Next Steps (NISTIR 8103) | PDF
- Privacy-Enhanced Identity Federation project with the NCCoE | more
- Developing Trust Frameworks to Support Identity Federation (Draft NISTIR 8149) | GitHub | PDF