National Institute of Standards and Technology (NIST) published the NIST SP 800-63-4 Digital Identity Guidelines 2nd public draft a week ago: https://csrc.nist.gov/pubs/sp/800/63/4/2pd
The NIST team ran a great webinar overnight to walk through the proposed changes. Here is my summary so you don't have to wake up in the middle of the night (at least for the Australians).
TL;DR: Why is it important?
- NIST cybersecurity and digital identity standards set best practices not just for the US. Governments in many countries outside the US (e.g. Australia, the UK, the EU and many others) and many standards organisations refer to NIST or use NIST guidelines in their digital identity standard-setting process and trust framework design. It's a high-quality publication relevant to the digital identity industry.
- The guidelines needed to change to support new technologies (e.g.: Passkeys), newish architecture models (e.g.: digital wallets and credentials) and new best practices (e.g.: continuous risk evaluation).
Here is a longer story...
My general observations:
- Very open and public process run by a very competent team with wide industry participation.
- It's great to see strong ongoing collaboration with other industry standards bodies, such as the OpenID Foundation, FIDO Alliance, W3C, European Commission and others.
Base volume changes:
1. It's exciting to see the User-Controlled Wallet role introduced into the guidelines, recognising a more available and mature architecture.
2. Metrics for continuous risk evaluation, recognising that we should guard more than just the front door.
3. RP and CSP requirements for issue handling.
4. Online service definition. A person may have multiple digital identities, and a digital identity carries a unique and specific meaning within the context of a particular online service.
Part A - Identity Proofing
- New proofing roles (proofing agent, trusted referee, process assistant and applicant referee).
- Clearer proofing types (remote and onsite, attended and unattended).
- IAL adjustments based on real-life experience and community feedback.
- Fraud management. A recognition that fraud management is essential for identity proofing for both CSPs and RPs. It establishes fraud communications between RP and CSP.
Part B - Authentication
- Recognition of syncable authenticators. FIDO Passkeys play a critical role as phishing- and replay-resistant authenticators, but implementers need to understand exactly what that means and how different these are from other types of authenticators. If syncable authenticators are used, a maximum of AAL2 can be achieved.
- Closing the account recovery gap. Your account recovery options affect your AAL.
- Recognition that User-Controlled Wallets can be used for authentication. Nice!
Part C - Federation and Assertions
- A User-Controlled Wallet Federation is recognised in addition to a General-Purpose IdP Federation. However, these have different characteristics and requirements.
- Bound authenticators. Clear separation of Holder-of-key (IdP-bound authenticator) vs Bound authenticator (RP-bound authenticator) for FAL3.
- Protocol-based illustrative examples for each FAL (for the OIDC and SAML federation protocols) bridge the gap between the protocol-agnostic core requirements and implementations. More work is required on specific profiles of these protocols.
More details...
While I was writing this up, Nat Sakimura published even more detailed notes, so for more details see this article: https://lnkd.in/gkyaSi6A.
Business Technology & Product Engineering Executive | 7X Digital Transformations | ex-Microsoft | CISSP, PMP, MBA, ITIL, SAFe (1 month ago):
Excellent overview Dima!
Hi, I want to write a PhD in digital identity. Can you advise me whom to talk to about it next? Builders and investors preferably.
Agile Architect and Advisor (2 months ago):
Thanks Dima. Pleased to see those proofing roles. With roles may come clearer e-ID schemes.
Leadership Architecture Strategy (2 months ago):
Thanks Dima!
Experienced Cyber Security and Identity Management Professional (2 months ago):
Thanks Dima, this is really helpful!