NIST Requests Comments for Revising Its Electronic Authentication Guideline

The National Institute of Standards and Technology (NIST) is requesting public comment on a possible update of its 2012 Electronic Authentication Guideline.

Electronic authentication verifies the identity of a user when they log in to an information system, ensuring that the remote user is who they claim to be. The identity established during authentication can be pseudonymous—that is, the true identity of the person is unknown, but the fact of the right to access is established.

Many online interactions demand a high level of confidence in authentication, so the methods that go beyond the familiar username/password combination are imperative for the future.

"Given innovations in the marketplace and the increase of online federal services, including Connect.gov, we think it is appropriate to consider an update of NIST's Electronic Authentication Guideline," says NIST senior advisor Paul Grassi. "In addition, as the Identity Ecosystem envisioned by the National Strategy for Trusted Identities in Cyberspace (NSTIC) continues to evolve, NIST guidelines should reflect and support it."

As the first step in revising the publication, NIST is soliciting recommendations from experts (including those in industry, government, and educational fields) on which sections of the document need to be revised. In addition to overall technology changes, the revision is driven by three recent developments in the federal government.

• The October 2014 Executive Order 13681, Improving the Security of Consumer Financial Transactions, requires "...that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate."
• The roadmap accompanying the February 2014 Framework for Improving Critical Infrastructure Cybersecurity acknowledges that updates to NIST special publications may be considered to support improved authentication practices. The framework was published in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
• NSTIC charts a course for public and private-sector collaboration to raise the level of trust of identities involved in online transactions through an Identity Ecosystem. NSTIC calls for the federal government to "lead by example and implement the Identity Ecosystem for the services it provides internally and externally." In addition, as the NSTIC pilots continue to gather critical lessons learned, it is imperative to consider applying these outcomes to the Electronic Authentication Guideline.

Like the original version, the revised guideline will supplement the Office of Management and Budget's E-Authentication Guidance for Federal Agencies.

The current version of NIST's Electronic Authentication Guideline is available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf. The Note to Reviewers is available online. Please send your questions and comments by May 22, 2015, to eauth-comment [at] nist.gov (eauth-comment[at]nist[dot]gov).

Edited on April 15, 2015, to correct deadline date for comments.