NIST's New Guidelines for Digital Identity Security

The National Institute of Standards and Technology (NIST) has released the second public draft of its updated Digital Identity Guidelines, aiming to improve the way people verify their identity online. The updated guidance focuses on both traditional identification methods, such as physical ID cards, and newer technologies like digital wallets and passkeys. The draft, which addresses security, privacy, and accessibility, is open for public comments until October 7, 2024.

Digital Pathways for Identity Verification

NIST’s revised guidelines cover a range of tools used for identity proofing, including physical forms of ID and modern digital solutions like passkeys. As more people rely on smartphones for various services, the guidance offers pathways to securely access government services using digital credentials. NIST stresses the need for both secure and accessible methods, allowing users to choose between digital and physical identity options based on their needs and comfort levels.

NIST Digital Identity Program Lead Ryan Galluzzo explains, “We want to open up the use of modern digital pathways while still allowing for physical and manual methods whenever they may be necessary.” This approach shows NIST’s intent to support broad access to government services, especially for those who may not have access to the latest technologies. Whether using a driver’s license or a digital credential, users must be able to verify their identity securely.

Improvements to Passkeys and Digital Wallets

The new draft features updates responding to nearly 4,000 comments received from over 140 organizations and individuals during NIST’s previous comment period. Among the areas of focus are passkeys and digital wallets, both of which are becoming increasingly popular for secure online authentication. Passkeys, which allow users to store a single authentication key across multiple devices, offer greater security than traditional passwords. Digital wallets, available from technology companies, securely store payment information and digital versions of physical identification documents like driver’s licenses.

NIST’s guidance includes expanded details on how to verify and trust the information stored in digital wallets. Galluzzo notes, “We added more detail about wallets, including guidance on how to trust the wallet itself and the information it holds.” This new guidance helps ensure that users and service providers can securely exchange credentials using digital wallets without compromising personal data or privacy.

Inclusion of Non-Biometric Methods for Identity Proofing

Not everyone uses or is comfortable with biometric methods like facial recognition for identity proofing. Recognizing this, NIST has widened its guidance to include non-biometric methods of verification. The revised draft allows organizations to meet identity assurance levels through methods that don’t require biometrics, such as sending enrollment codes to physical postal addresses.

This responds to feedback that biometrics might pose challenges for lower-risk applications. As Galluzzo explains, “There was a lot of friction for lower- to moderate-risk applications,” leading to the inclusion of more accessible options in the new draft. NIST also changed its existing sections on facial recognition to ensure compliance with privacy standards and manual redress processes for users who experience errors or difficulties.

Addressing Fraud While Ensuring Accessibility

The guidelines underscore the importance of fraud prevention while maintaining accessibility to services. Fraudulent claims can have a financial impact on organizations, making identity verification important. At the same time, the new guidelines seek to balance security with accessibility, particularly for individuals who may not have access to traditional forms of ID or whose documentation has been lost or destroyed.

One solution is the “applicant reference,” where a trusted individual can vouch for someone who cannot provide the necessary identification. This measure expands access to critical services for marginalized populations, aligning with the goal of equitable access to government resources. NIST continues to solicit feedback and make refinements, ensuring that these guidelines will effectively manage risks, prevent fraud, and enhance security in a way that remains accessible to all users.

NIST’s revised Digital Identity Guidelines aim to address identity proofing in an increasingly digital world. By integrating both traditional and modern methods, the guidance ensures security, privacy, and accessibility for all users accessing government services. As feedback continues to shape the final guidelines, NIST’s efforts show the importance of balancing security with equitable access to services.

Organizations and individuals have until October 7, 2024, to submit comments on the draft guidelines, providing a final opportunity to influence how identity verification will be managed in the future.

Photo credits: Pakin, AdobeStock


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone