NIST Releases Second Public Draft of Digital Identity Guidelines for Final Review

GAITHERSBURG, Md. - When we need to show proof of identity, we might reach for our driver's license - or perhaps, sooner than many of us imagine, we may opt for a digital credential stored on a smartphone. To ensure we can use both novel and time-tested methods to prove our identities securely when accessing essential services, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has updated its draft digital identity guidance.

The draft Digital Identity Guidelines(NIST Special Publication [SP] 800-63 Revision 4and its companion publications SPs 800-63A, 800-63Band 800-63C) have been updated to reflect the robust feedback that NIST received in 2023 as part of a four-month-long comment period and yearlong period of external engagement.

"Today's draft revision from NIST highlights the Biden-Harris administration's commitment to strengthening anti-fraud controls while ensuring broad and equitable access to digital services," said Jason Miller, deputy director for management at the Office of Management and Budget. "By incorporating feedback from private industry, federal agencies, privacy and civil rights advocacy groups, and members of the public, NIST has developed strong and fair draft guidelines that, when finalized, will help federal agencies better defend against evolving threats while providing critical benefits and services to the American people, particularly those that need them most."

"Everyone should be able to lawfully access government services, regardless of their chosen methods of identification," said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio."These improved guidelines are intended to help organizations of all kinds manage risk and prevent fraud while ensuring that digital services are lawfully accessible to all."

The suite of documents is the second public draft of the updated guidelines, which NIST first announced in December 2022. NIST is seeking public comment on this new iteration, which is intended to make access to online services both secure and straightforward, regardless of the means by which a person chooses to prove their identity.

"We are trying to make sure we maintain as many pathways as possible to enable secure online access to services," said NIST Digital Identity Program Lead Ryan Galluzzo, one of the publication's authors. "We want to open up the use of modern digital pathways while still allowing for physical and manual methods whenever they may be necessary."

Proving one's identity is often a necessary step in accessing servicesfrom federal agencies. Identity management is important to these agencies and other organizations, especially because fraudulent claimscan be very costlyto both organizations and individuals, but not everyone uses the same methods to demonstrate their identity either in person or online. Defending against fraud while maintaining accessibility for a multitude of potential users are two of the goals NIST is trying to balance with the update, Galluzzo said.

NIST received nearly 4,000 comments from 140 organizations and individuals on the 2022 version of the draft. Many of these comments focused on expanding the guidance on two technologies that are rapidly growing in use: syncable authenticators and digital credentials presented through user-controlled wallets. Syncable authenticators, often called passkeys, offer greater security than passwords while allowing a user to save a single passkey on multiple devices. User-controlled wallets, which several major companiescurrently offer, can securely store payment information along with other items like plane tickets and digital versions of physical identification documents like driver's licenses.

The expanded guidance around passkeys is found in volume SP 800-63B, Galluzzo said, while additions concerning digital wallets are in volume SP 800-63C.

"In response to the comments we received on the first draft, we added more detail about wallets," he said. "We added guidance on how to trust the wallet itself and on how to trust its contents. There is more about how to securely present the information stored on the wallet, as well as how the other party can trust it."

Not everyone will feel comfortable or be able to use digital passkeys or wallets, however, and not everyone has a smartphone. The updated draft also expands guidance on how agencies can maintain access to services for people using more traditional forms of identification, Galluzzo said. This includes details on in-person identity proofing and mechanisms for handling exceptions. It also includes the concept of the "applicant reference" -meaning a trusted individual who can vouch for a person who doesn't have access to identification documents, including a person who may not qualify for traditional forms of evidence or one whose evidence may have been lost or destroyed.

The authors also sought input from NIST's team of face recognition and analysisexperts to refine the guidance on using biometrics to identify a person through a face image. Galluzzo said that biometric-based methods of identity verification have been maintained in the guidance, but that for this path to achieve NIST's goal of balancing security and access, systems that use these technologies must perform accurately, adhere to the privacy requirements articulated in the guidance, and include manual processes to address errors or challenges that users may encounter.

"We continue to augment the guidance to emphasize the importance of providing alternatives to face recognition and biometrics, particularly for systems supporting public services," he said.

NIST is accepting public comments on the suite of publications at dig-comments[at] nist.gov(dig-comments[at]nist[dot]gov)until Oct. 7, 2024. Complete submission instructions are included in the Note to Reviewers found in each volume. NIST is also planning a webinar about the updates to the guidance for Aug. 28. Registration is requiredfor the webinar.