In June, NIST put out a call for comments on the next iteration of its Digital Identity Guidelines, SP 800-63-4. We welcomed the opportunity to comment; read our full comments in the Government & Public Policy area of the website.

Up front, we note that SP 800-63-3 represented a significant improvement in NIST’s Digital Identity Guidelines, taking a more modern approach to identity proofing, authentication, and federation. That said, technology and threat are both never static, and we are encouraged to see that NIST is embarking on another revision of the document.

In our comments, we make three recommendations for SP 800-63-4:

1. NIST should adjust its approach to AALs to help implementers clearly differentiate between tools that are phishing resistant and those that are not

Today, a variety of authenticators based on shared secrets – including Look-Up Secrets, Out-of-Band Devices (i.e., Push), and OTP apps and tokens – are given the same weight in AAL2 as authenticators based on asymmetric public key cryptography, such as FIDO. Given how attackers have caught up with the former, it no longer makes sense to combine  these two types of authenticators under a single designation. Doing so misleads implementers into thinking these two categories of authenticators are equivalent in strength or resiliency. In our comments, we provide NIST with several ideas for how it can adjust the AALs to provide more differentiation between tools that are phishing resistant and those that are not. 

2. NIST should engage with FIDO Alliance to explore other alternatives to enable FIDO authenticators to meet AAL3 requirements

When SP 800-63-3 was first published, it created a path for some FIPS 140 validated FIDO authenticators to meet AAL3 – if those authenticators were deployed in concert with Token Binding to deliver Verifier Impersonation Resistance. Since that time, most major browser vendors have withdrawn support for token binding. Per discussions with NIST, we understand that this means that FIDO authenticators can no longer meet AAL3 without implementing other approaches to mitigate the loss of token binding. As NIST embarks on the next revision of SP 800-63, we urge NIST to engage with FIDO Alliance to explore other alternatives to enable FIDO authenticators to meet AAL3 requirements.

3. Provide more direct references to FIDO

SP 800-63B describes Requirements by Authenticator Type but is inconsistent in how it points to standards that support that type. This has created some confusion in the marketplace when implementers consult SP 800-63B and see reference to standards like OTP and PKI but do not see any specific reference to FIDO. In our comments, we offer three suggestions for how the guidance can directly reference FIDO so that implementers have a clearer understanding of where FIDO fits in and supports the requirements. 

We greatly appreciate NIST’s consideration of our comments and look forward to ongoing dialogue and collaboration as they seek to update the Digital Identity Guidance.


More

Recap: 2024 Identity, Authentication and the Road Ahead Policy Forum

What’s the state of identity and authentication in 2024? That was the primary topic addressed…

Read More →

FIDO Alliance Announces Call for Speakers for Authenticate 2024

Carlsbad, Calif., January 24, 2024 – The FIDO Alliance is pleased to announce the return…

Read More →

2023 FIDO Seoul Public Seminar: Charting the Future of Online Authentication with Passkeys

The FIDO Seoul Public Seminar, “Passkeys – Online Authentication Paradigm Shift,” was hosted on December…

Read More →