One of this year’s biggest positive cybersecurity events comes from the National Institute of Standards and Technology (NIST). For the first time since 2017, NIST is updating its digital identity guidelines.

These new guidelines will help set the course for best practices in handling digital identity for organizations across all sectors.

What is digital identity?

To grasp the update’s importance, it helps to understand the role of digital identity in an organization’s security posture.

In its 2017 guidelines, NIST defines digital identity as the online persona of a subject and how that subject is represented online, adding, “Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts.”

The security risk around digital identities stems from verification. In real life, you can hand over your picture ID and prove your identity. For a long time, there was no way to offer up proof in online interactions. The business or person on the other end of the transaction simply had to trust you were who you said you were. This created an environment that made identity theft and impersonation easy.

The role of biometrics

The 2017 version of NIST’s Digital Identity Guidelines established proof of digital identity. The guidelines relied on any number of familiar authenticators, like passwords and MFA. They also touched on biometrics, both physical and behavioral, to prove digital identity. But in 2017, the guidelines only supported limited use of biometrics. They stated that some metrics could be spoofed or unauthorized, like a photo taken and posted without permission.

Facial recognition, which helps streamline identity authentication, mixes human identification with digital identification. This ensures, for example, that the person walking through airport security matches their digital identities stored electronically through various networks. NIST conducted research after the 2017 guidelines were released and found facial recognition algorithms offer highly accurate (99.5%) identification, especially if there are multiple photographs or digital facial identities to use.

The proposed guidelines will update the use of facial recognition while downgrading the use of biometrics from the 2017 version. Biometrics won’t be required in low-risk situations, FCW reported, but will have performance requirements when used for proving identity.

“This draft update reinforces that NIST’s guidelines have always allowed for alternatives to facial recognition as well as appropriate and fair use of facial recognition technologies and that NIST will be more fully defining these alternatives in the final guidelines,” Jason Miller, deputy director for management at the Office of Management and Budget, stated in a NIST news release.

The goal of these new performance changes is to cut down on common cyber risks like phishing and fraud. They also aim to bring greater emphasis to the processes around multi-disciplinary risk management and improve the best practices around digital identity information sharing between government agencies and other entities.

Who will the new NIST guidelines impact?

NIST guidelines have become the standard for federal government agencies, federal contractors and companies within the federal supply chain. These entities must follow the compliance requirements outlined in all NIST guidelines, including those for digital identity.

The NIST framework already covers a lot of organizations, especially those that are third-party subcontractors for federal contractors. For those not connected to the federal government, however, NIST guidelines are not a requirement. However, many companies find that the NIST framework offers directions for implementing best security practices.

Modern consumers are growing more aware of the need for organizations to have solid cybersecurity policies and platforms. In addition, they are increasingly frustrated with how poorly companies protect their personal digital identities.

The new NIST guidelines will update its digital identity risk management model, which integrates digital identity risk with overall organizational risk management. In addition, they will address an area of biometric digital identity that most organizations have struggled with – discrepancies in facial recognition software.

The trouble with facial recognition software

Both government and private industries have been collecting and using facial images for years. However, critics of facial recognition technology accuse it of racial, ethnic, gender and age-based biases, as it struggles to properly identify people of color and women. The algorithms in facial recognition tend to perpetuate discrimination in a technology meant to add security rather than adding risk.

The updated NIST digital guidelines will directly address the struggles of facial recognition in particular, and biometrics overall.

“The forthcoming draft will include biometric performance requirements designed to make sure there aren’t major discrepancies in the tech’s effectiveness across different demographic groups,” FCW reported. Rather than depend on digital photos for proof, NIST will add more options to prove identity.

Lowering risk is as important to private industries as it is to federal agencies. Therefore, it would behoove enterprises to take steps to rethink their identity proofing.

Feedback on the new digital guidelines

The new NIST digital guidelines likely won’t go into effect until 2024. In the meantime, NIST is looking for feedback by email ([email protected]) on the proposed guideline changes until March 24, 2023.

NIST particularly wants feedback on identity proofing that offers both security and convenience to the user without a facial recognition component, as well as the requirements around establishing and maintaining fraud detection.

Users will state how they wish to entrust their digital identity — or even which identities they want to be protected. There are concerns within the security and technology industry regarding how this guideline can be implemented. Control over OAUTH tokens and the data they use is another question that has come up.

“Identity doesn’t operate in a vacuum,” Ryan Galluzzo, digital identity program lead for the applied cybersecurity division at NIST, told FWC.

The standards that worked in 2017 no longer meet the evolving needs of digital identity. The new NIST Digital Identity Guidelines will bring digital identity security in line with any changes in overall risk management to the benefit of all.

More from

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution?Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task.In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each other. As…

How I got started: SIEM engineer

2 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force…

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…