The National Institute of Standards and Technology (NIST) has released a revised set of authentication standards for government agencies.
The Electronic Authentication Guideline (NIST Special Publication 800-63-1) updates the previous 2006 publication to take into account new authentication technologies that are now available.
"Changes made to the document reflect changes in the state of the art. There are new techniques and tools available to government agencies, and this provides them more flexibility in choosing the best authentication methods for their individual needs, without sacrificing security," said NIST's Cryptographic Technology Group manager Tim Polk.
At the time of the original 2006 publication, NIST was working under the assumption that most authentication challenges would be handled by agencies internally. The new revisions take into account a broad array of options now offered by the private sector as well as authentication systems already in use in other government departments.
"When SP 800-63 was first released, its authors assumed that most agencies would handle the business of figuring out if users were who they claimed to be in-house. But since that time, an industry has grown around providing authentication services, and it is often in the best interest of agencies to take advantage of commercial systems or those of other government entities," an NIST press release states.
Some of these new options also offer a greater level of security than the traditional username and password combination.
"While passwords are still the leading mechanism for authenticating user identity, a growing number of systems rely on cryptographic keys or physical tokens. The revision broadens the discussion of technologies available to agencies and gives a more detailed discussion of these technologies. The guideline applies whether agencies choose to handle authentication directly or leverage services provided by other parties, including commercial companies," the NIST release stated.
For expedience, NIST recommends that agencies in search of improved authentication methods use services already certified through the Trust Framework Provider Adoption Process (TFPAP), as these have already been vetted for compliance with federal guidelines.
"Government agencies have the option of using the services of companies that have had their authentication systems certified through the Federal Chief Information Officer Council’s Trust Framework Provider Adoption Process (TFPAP). This program assesses credentialing processes against federal requirements, including those established in 800-63. To ensure consistency and avoid redundant analysis, NIST strongly encourages agencies to leverage the TFPAP process," NIST advises.
The NIST SP 800-63-1, Electronic Authentication Guideline, is available here: