The four levels of authentication and assurance are often the target of scorn and ridicule in the identity market. The oft-criticized NIST Special Publication 800-63 might be revised, depending on multiple factors in the coming months, to something that can scale across markets.
NIST will be releasing a request for information before the end of the year asking the industry to comment on revising 800-63, says Paul Grassi, senior standards and technology advisor at NIST.
The hope is to come up with something that can account for and adapt to private sector led innovation and the specific risk models of relying parties. “It’s time to look at things with a different lens,” Grassi adds.
The levels certainly have their issues, and while these four levels might not be the sole problem, the processes and rigidity of 800-63 may have run their course, Grassi adds.
The hope is to get information from the private sector on how to either update 800-63 or create something new that can be used across the private sector. “We want to know what risk models and alternative techniques have worked but aren’t aligned with our current documents,” Grassi explains. “Do we stick with four levels? Collapse to less than four since we know there is no such thing as a secure password? Do some vector or gradient based assurance standard instead that takes into account the multiple components that comprise trust in online identities?”
The request will be released before the end of 2014. “Hopefully we can use this to accelerate and catalyze the market to create a public, open standard that we adopt instead of different markets, including the U.S. government, having their own types of standards,” Grassi adds.