SP 800-63 comments, revisions to take place on GitHub
The four levels of identity assurance and risk assessment can be a contentious topic among those in the identity industry. This summer the debate can play out in real time: the National Institute of Standards and Technology will propose a “transformational change” to Special Publication 800-63, with a large portion of the comments and editing taking place on GitHub, says Paul Grassi, senior standards and technology advisor at NIST.
Some of the major changes include:
- Eliminates level two
- Deprecates over-the-air one-time passcodes
- Defines acceptable use of knowledge-based verification
- Specifies acceptable password policies
- Ends visual-only document inspection for identity proofing at higher levels
Traditionally, NIST will release an update to a standard or special publication, comments will be accepted for a set amount of time, revisions will be made and then the final will be released. But with the revision to 800-63, NIST is taking a more collaborative approach by releasing the draft on GitHub and working with participants all summer.
After the GitHub process is complete, NIST will still conduct a traditional public comment period before the release of the final special pub. “While we are being iterative and innovative we won’t be able to finish the publication on GitHub,” Grassi says. “Since this is a document bound by White House Office of Management and Budget policy we have to give our agency and private sector stakeholders a period of time for thoughtful review. We’re excited about the iterative approach on Github, but we can’t ask the whole of government to stop their mission to join the authoring process.”
As for changes to the SP 800-63, NIST is advocating that the four levels of assurance and authentication go down to three, with the revised special pub essentially eliminating level two, Grassi says. “Level two looks very similar to level three proofing but only uses a level one credential, which doesn’t provide the security and privacy elements we want at this level in today’s online environment,” he explains. “Essentially, the new levels roughly equate to the old one, three and four.”
In addition, this revision will also see NIST decouple the levels of assurance into their individual parts, namely separate assurance levels for identity proofing, authenticators and assertions.
“This will enable agencies to mix and match the level of identity assurance with credential strength,” Grassi explains. “This gives agencies a real opportunity to protect sensitive data while only completing a full identity proofing process when necessary.” In addition, NIST is preserving the technical requirements for PIV, which will sit at the highest level, the new level three, exceeding the current requirements for level four.
The identity proofing requirements were also rewritten and include some of the bigger changes, Grassi says. NIST looked at what was being done with identity verification in the UK and Canada, as well as NSTIC pilots and market innovation, and incorporated some of those ideas into the revisions.
The idea is to offer more options to get to the necessary identity assurance level, Grassi says. “Now we have steps that focus on characteristics and outcomes to reach an assurance level, rather than a singular, prescriptive process,” he explains. “With the revisions, we’ve given characteristics of evidence that must be supplied by an applicant, as well as various steps to validate and verify the evidence and the identity to reach the levels.”
For example, if an individual provides an electronic passport that is validated with the chip, that would be a high value document and something the draft language considers “superior,” Grassi says. If other documents – driver licenses and birth certificates – are validated by a trained expert with specialized equipment that would also contribute to a higher score.
The revised proofing document will also enable remote video-based identity proofing, such as scanning a driver license or passport with a mobile device, Grassi says. “Smartphone cameras and the underlying technology have the resolution and algorithms that can check the security features on documents and detect pretty sophisticated fraud,” he adds.
The revision basically does away with visual-only document inspection at the higher levels, Grassi says. “If you can’t do machine-based checks you need to incorporate additional validation and verification steps,” he explains.
One of the more controversial revisions may be the addition of virtual in-person identity proofing as an equivalent to traditional in-person proofing for the highest level of identity assurance, Grassi says. The requirements for this will be stringent. “It’s not meant to be for me sitting in my home office but instead sitting in front of specialized, hardened equipment like a kiosk,” he explains.
There are also changes to the oft-maligned knowledge-based authentication (KBA) – which NIST now calls knowledge-based verification (KBV). The last version of 800-63 did not allow KBV but the latest draft hones the requirements of how it can be used. “Rather than pretend it doesn’t exist, we provide careful requirements for its acceptable purpose and use,” Grassi explains. “The mechanism can be used as a starting point in resolving identity, but there are stringent requirements to use KBV as a way to verify identity.”
Also, the draft attempts to specify acceptable data sources for KBV. “KBV has never been based on secrets, and currently is rarely based on private data. We’re trying to hone acceptable, limited use of KBV to that which uses the most non-public data possible,” Grassi says.
NIST kills the token
The revised draft also does away with the word “token,” instead opting for “authenticator,” Grassi says. The term overlapped with, and caused confusion against, the way several security APIs use “token,” so it was easier to drop it altogether.
While everyone might want to kill the password, the revision doesn’t do away with them, rather it updates the requirements for passwords based on modern research and best practices.
The new requirement is a password with a minimum of eight characters, regardless of the assurance level, but we encourage the use of 64-character passwords that allow a complete set of characters, with no composition rules and no expiration, Grassi says. This would make passphrases possible, such as “NIST is making many changes to 800-63.”
Making users change their password after a set period of time has little security advantage and significant usability challenges, which could lead to unintended vulnerabilities, he adds.
The revision is also deprecating SMS one-time passcodes as an authenticator, Grassi says. “They remain allowed but we are sending a strong signal that we hope agencies will transition to other techniques rather than depend on SMS, with an expectation that it will be removed in a future version.”
Man-in-the-middle attacks and other compromises have shown SMS delivery to be vulnerable, so NIST is recommending that agencies start investigating other authenticators. App-based OTP generators such as Google Authenticator, along with other authenticator types, remain permitted under the revision. NIST has also expanded the scope for biometrics while specifying security and performance requirements, which in the past had been omitted.
These updates — both to the process for reviewing documents and to the content itself — are intended to reflect NIST’s commitment to meeting the needs of today’s digital environment, Grassi says.
“It’s cliché to say that technology moves fast, but we face a massive challenge to address evolving technologies and threat environments at a global scale and Internet speed — all without compromising on our responsibility to protect individuals’ security and privacy,” says Grassi. “We rely on the broad identity community to help us create smart, modern and practical guidance, and we hope this approach provides a more nimble way for our stakeholders to do just that.”
The draft special publication is live on GitHub and additional information can be found here and here. As the summer rolls on, it will be interesting to watch the document evolve and change as different aspects are considered.