Today, we’re releasing the public preview of draft Special Publication 800-63-3, Digital Authentication Guideline. We’re excited to share the updates we’ve made—along with the new process that enables our stakeholders to contribute to the document in a more dynamic way.
First things first
There are too many changes to list in a blog, but let’s highlight a few of the biggest:
- We broke level of assurance down into its independent parts: identity proofing, authenticators, and federated assertions. We provide three assurance levels for each of identity proofing and authenticators, plus guidance to keep this compatible with OMB M-04-04 and its four existing levels of assurance while OMB revises existing identity policy.
- There are now multiple volumes, consisting mostly of normative language. By cutting down on the informative language, each volume is now a one-stop shop for mandatory requirements and recommended approaches.
- Identity proofing got a major overhaul, for which we owe many thanks to our UK and Canadian peers. Plus, the draft guidance supports in-person proofing over a virtual channel—though under a strict set of requirements.
- We’ve clarified that knowledge-based verification (née knowledge-based authentication) is limited to specific portions of the identity proofing process and is never sufficient on its own. Emailing a one-time password (OTP) is gone too, and we’ve deprecated SMS OTP: it is still in the draft, but we expect to remove it in a future revision.
- We address the security required for centralized biometric matching.
- We have terminology updates to clarify language across the identity space. For example, remember ‘token’? It’s ‘authenticator’ now, since ‘token’ has plenty of other definitions and uses in the real world. It just didn’t make sense to stick with it.
Last, but not least, we’re modernizing our feedback process to allow greater, more dynamic participation in the development of this document. We’re releasing it on GitHub, a public-facing, simple-to-use interface, and we’ll solicit comments via GitHub, respond to them, and make edits continually over multiple document iterations this summer.
Once these summer iterations come to a close, we’ll hold a more traditional 30- or 60-day public comment period with comment matrices and email, as an additional option to using GitHub. But for the current public preview, GitHub is the place to be!
What we’re looking for from you
Now is your chance to let us know: Did we miss anything? Have we gotten ahead of what is available in the market? Have we made appropriate room for innovations on the horizon?
In this public preview, we’re focused on getting the technical content right, so you’ll probably find an uncrossed ‘t’ and a dot-less ‘i’ here and there. We ask that you focus your suggestions in this phase on the substantive (think technical and procedural requirements). Unless they affect the meaning of a statement, we’ll get to minor grammatical issues in due time, but we’ll gladly accept them if you can’t contain your inner grammarian.
GitHub uses Markdown for editing, so the document may look a shade different from what you’d typically expect. But don’t let that put you off. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a simple form. There, you can summarize your suggested changes and submit them for further discussion in a forum-style format. You and your fellow reviewers can then consider the changes, discuss them, and suggest new ones as the conversation develops. More instructions are available online. And while we want this process to be interactive, we prefer concrete suggested changes over forum chatter.
How we’ll review your comments
Our 800-63-3 team will review each issue and update the draft document accordingly. After careful review, we can incorporate changes directly into the draft and close the issue. The process will be fluid: comment periods will lead to new updates, which in turn will generate new opportunities for public collaboration and more updates. Our team will regularly update the document, so you can see changes as they occur over time. After these cycles, we’ll end up with a completed version this winter built on community participation.
Now, please, go forth and contribute! We look forward to engaging with the community in this new process for 800-63-3 and developing effective, updated guidance.
Twitter: @NSTICnpo
What’s GitHub?
GitHub is a web-based collaboration and development platform, widely used by open source projects, that will allow us to share the document and track your comments and suggestions. You can learn more about GitHub and how to sign up for an account here: https://github.com/