One of this year’s biggest positive cybersecurity events comes from the National Institute of Standards and Technology (NIST). For the first time since 2017, NIST is updating its digital identity guidelines.
These new guidelines will help set the course for best practices in handling digital identity for organizations across all sectors.
What is digital identity?
To grasp the update’s importance, it helps to understand the role of digital identity in an organization’s security posture.
In its 2017 guidelines, NIST defines digital identity as the online persona of a subject and how that subject is represented online, adding, “Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts.”
The security risk around digital identities stems from verification. In real life, you can hand over your picture ID and prove your identity. For a long time, there was no way to offer up proof in online interactions. The business or person on the other end of the transaction simply had to trust you were who you said you were. This created an environment that made identity theft and impersonation easy.
The role of biometrics
The 2017 version of NIST’s Digital Identity Guidelines established proof of digital identity. The guidelines relied on any number of familiar authenticators, like passwords and MFA. They also touched on biometrics, both physical and behavioral, to prove digital identity. But in 2017, the guidelines only supported limited use of biometrics. They stated that some metrics could be spoofed or unauthorized, like a photo taken and posted without permission.
Facial recognition, which helps streamline identity authentication, mixes human identification with digital identification. This ensures, for example, that the person walking through airport security matches their digital identities stored electronically through various networks. NIST conducted research after the 2017 guidelines were released and found facial recognition algorithms offer highly accurate (99.5%) identification, especially if there are multiple photographs or digital facial identities to use.
The proposed guidelines will update the use of facial recognition while downgrading the use of biometrics from the 2017 version. Biometrics won’t be required in low-risk situations, FCW reported, but will have performance requirements when used for proving identity.
“This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines,” Jason Miller, deputy director for management at the Office of Management and Budget, stated in a NIST news release.
The goal of these new performance changes is to cut down on common cyber risks like phishing and fraud. They also aim to bring greater emphasis to the processes around multi-disciplinary risk management and improve the best practices around digital identity information sharing between government agencies and other entities.
Who will the new NIST guidelines impact?
NIST guidelines have become the standard for federal government agencies, federal contractors and companies within the federal supply chain. These entities must follow the compliance requirements outlined in all NIST guidelines, including those for digital identity.
The NIST framework already covers a lot of organizations, especially those that are third-party subcontractors for federal contractors. For those not connected to the federal government, however, NIST guidelines are not a requirement. However, many companies find that the NIST framework offers directions for implementing best security practices.
Modern consumers are growing more aware of the need for organizations to have solid cybersecurity policies and platforms. In addition, they are increasingly frustrated with how poorly companies protect their personal digital identities.
The new NIST guidelines will update its digital identity risk management model, which integrates digital identity risk with overall organizational risk management. In addition, they will address an area of biometric digital identity that most organizations have struggled with – discrepancies in facial recognition software.
The trouble with facial recognition software
Both government and private industries have been collecting and using facial images for years. However, critics of facial recognition technology accuse it of racial, ethnic, gender and age-based biases, as it struggles to properly identify people of color and women. The algorithms in facial recognition tend to perpetuate discrimination in a technology meant to add security rather than adding risk.
The updated NIST digital guidelines will directly address the struggles of facial recognition in particular, and biometrics overall.
“The forthcoming draft will include biometric performance requirements designed to make sure there aren’t major discrepancies in the tech’s effectiveness across different demographic groups,” FCW reported. Rather than depend on digital photos for proof, NIST will add more options to prove identity.
Lowering risk is as important to private industries as it is to federal agencies. Therefore, it would behoove enterprises to take steps to rethink their identity proofing.
Feedback on the new digital guidelines
The new NIST digital guidelines likely won’t go into effect until 2024. In the meantime, NIST is looking for feedback by email ([email protected]) on the proposed guideline changes until March 24, 2023.
NIST particularly wants feedback on identity proofing that offers both security and convenience to the user without a facial recognition component, as well as the requirements around establishing and maintaining fraud detection.
Users will state how they wish to entrust their digital identity — or even which identities they want to be protected. There are concerns within the security and technology industry regarding how this guideline can be implemented. Control over OAUTH tokens and the data they use is another question that has come up.
“Identity doesn’t operate in a vacuum,” Ryan Galluzzo, digital identity program lead for the applied cybersecurity division at NIST, told FWC.
The standards that worked in 2017 no longer meet the evolving needs of digital identity. The new NIST Digital Identity Guidelines will bring digital identity security in line with any changes in overall risk management to the benefit of all.