One of this year’s biggest positive cybersecurity events comes from the National Institute of Standards and Technology (NIST). For the first time since 2017, NIST is updating its digital identity guidelines.

These new guidelines will help set the course for best practices in handling digital identity for organizations across all sectors.

What is Digital Identity?

To grasp the update’s importance, it helps to understand the role of digital identity in an organization’s security posture.

In its 2017 guidelines, NIST defines digital identity as the online persona of a subject, explaining, “Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts.”

The security risk around digital identities stems from verification. In real life, you can hand over your picture ID and prove your identity. For a long time, there was no way to offer up proof in online interactions. The business or person on the other end of the transaction simply had to trust you were who you said you were. This created an environment that made identity theft and impersonation easy.

The Role of Biometrics

The 2017 version of NIST’s Digital Identity Guidelines established how proof of digital identity should work. The guidelines relied on a range of familiar authenticators, like passwords and MFA. They also touched on biometrics, both physical and behavioral, as a way to prove digital identity. But in 2017, the guidelines only supported limited use of biometrics. They noted that some biometric characteristics could be spoofed or captured without authorization, like a photo taken and posted without permission.

Facial recognition, which helps streamline identity authentication, mixes human identification with digital identification. It ensures, for example, that the person walking through airport security matches the digital identity stored for them electronically across various networks. NIST conducted research after the 2017 guidelines were released and found that facial recognition algorithms offer highly accurate (99.5%) identification, especially when multiple photographs or digital facial identities are available for comparison.

The proposed guidelines will update the use of facial recognition while downgrading the use of biometrics from the 2017 version. Biometrics won’t be required in low-risk situations, FCW reported, but will have performance requirements when used for proving identity.

“This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines,” Jason Miller, deputy director for management at the Office of Management and Budget, stated in a NIST news release.

The goal of these new performance changes is to cut down on common cyber risks like phishing and fraud. They also aim to bring greater emphasis to the processes around multi-disciplinary risk management and improve the best practices around digital identity information sharing between government agencies and other entities.

Who Will the New NIST Guidelines Impact?

NIST guidelines have become the standard for federal government agencies, federal contractors and companies within the federal supply chain. These entities must follow the compliance requirements outlined in all NIST guidelines, including those for digital identity.

The NIST framework already covers a lot of organizations, especially those that are third-party subcontractors for federal contractors. For those not connected to the federal government, however, NIST guidelines are not a requirement. Still, many companies find that the NIST framework offers direction for implementing security best practices.

Modern consumers are growing more aware of the need for organizations to have solid cybersecurity policies and platforms. In addition, they are increasingly frustrated with how poorly companies protect their personal digital identities.

The new NIST guidelines will update its digital identity risk management model, which integrates digital identity risk with overall organizational risk management. In addition, they will address an area of biometric digital identity that most organizations have struggled with – discrepancies in facial recognition software.

The Trouble With Facial Recognition Software

Both government and private industries have been collecting and using facial images for years. However, critics of facial recognition technology accuse it of racial, ethnic, gender and age-based biases, as it struggles to properly identify people of color and women. Critics argue that these algorithms perpetuate discrimination, adding risk to a technology that is meant to add security.

The updated NIST digital guidelines will directly address the struggles of facial recognition in particular, and biometrics overall.

“The forthcoming draft will include biometric performance requirements designed to make sure there aren’t major discrepancies in the tech’s effectiveness across different demographic groups,” FCW reported. Rather than depend on digital photos for proof, NIST will add more options to prove identity.

Lowering risk is as important to private industries as it is to federal agencies. Therefore, it would behoove enterprises to take steps to rethink their identity proofing.

Feedback on the New Digital Guidelines

The new NIST digital guidelines likely won’t go into effect until 2024. In the meantime, NIST is looking for feedback by email ([email protected]) on the proposed guideline changes until March 24, 2023.

NIST particularly wants feedback on identity proofing that offers both security and convenience to the user without a facial recognition component, as well as the requirements around establishing and maintaining fraud detection.

Users will state how they wish to entrust their digital identity, or even which identities they want to be protected. There are concerns within the security and technology industry regarding how this guideline can be implemented. Control over OAuth tokens and the data they use is another question that has come up.

“Identity doesn’t operate in a vacuum,” Ryan Galluzzo, digital identity program lead for the applied cybersecurity division at NIST, told FCW.

The standards that worked in 2017 no longer meet the evolving needs of digital identity. The new NIST Digital Identity Guidelines will bring digital identity security in line with any changes in overall risk management to the benefit of all.
