NIST SP800-63-4 Digital Identity Guidelines Second Public Draft (2pd) Workshop Summary

The second public draft (2pd) of NIST SP800-63-4 was released a week ago. Today's workshop was the first in a planned series, and it outlined the most significant changes since the first public draft.

Introduction and Housekeeping

  • The workshop on NIST Special Publication 800-63 Revision 4 Second Public Draft began with administrative announcements: sessions are recorded, slides will be made available, and questions go through the Q&A feature. [2:00]
  • Today's agenda includes:

Summary of NIST Special Publication 800-63-4

  • The workshop focused on the second public draft of the Digital Identity Guidelines, covering the key changes, the public comment period, and how to submit comments. [2:02]
  • The guidelines set out the baseline requirements for digital identity management across the federal government and are made up of four volumes: the Base Volume, Volume A, Volume B, and Volume C. [4:05]

Primary motivation for change

  • Key motivations include improving equitable access to government services, responding to emerging threats and technologies, and incorporating real-world lessons learned from past implementations. [07:00]

Key changes in the first public draft

  • Changes included revamped risk management, updated biometric requirements, new identity verification processes, and considerations around privacy, usability, and fairness. [09:00]

Timeline and public comment period

  • The timeline of the revision process was reviewed, highlighting the release of the first public draft in December 2022 and of the second public draft in August 2023. The public comment period for the second draft is 45 days. [12:00]

Major changes to Base Volume

  • Connie LaSalle explained the introduction of a user-controlled wallet model (Chapter 16), the addition of a "define" step for the online service in the identity risk management process (Chapter 00), the introduction of metrics for continuous evaluation and improvement, and a redress mechanism for when exceptions occur.
  • Notably, user-managed wallets have been introduced as a variant of the IdP (Identity Provider) model, with the "issuer" now treated as a CSP (Credential Service Provider).
  • The updated digital identity risk management process includes defining online services, conducting an initial impact assessment, and adjusting controls based on ongoing risk assessment. [20:00]
  • Continuous evaluation and improvement is emphasized, and recommended performance indicators and corrective actions are provided to ensure fairness in addressing issues. [25:00]

Major Changes in Volume A (Identity Proofing and Enrollment)

  • David Temoshok highlighted the updates to the roles and types of identity verification, the rebalancing of IAL1 (Identity Assurance Level 1), new identity verification pathways, fraud control requirements, and updated evidence validation requirements. [30:00]
  • Identity verification roles now include identity verification agents, trusted recommenders, process assistants, and applicant references. [32:00]
  • The balancing of IAL 1 focuses on reducing friction and increasing choice for applicants and credential service providers. [35:00]
  • New identity verification pathways in IAL 2 include non-biometric options and digital evidence verification. [38:00]
  • The new Fraud Management section includes requirements for credential service providers and relying parties, mandatory fraud checks, and communication channels for suspected fraud cases. For example, date of death verification is now mandatory. [42:00]
  • Updated evidence verification requirements include performance metrics for document authentication systems and training for identity verification agents. [45:00]

Volume B: Major Changes (Authenticators and Authentication)

  • Andy Regenscheid discussed incremental improvements, new requirements for syncable authenticators, and clarification of the guidelines for user-managed digital accounts. [50:00]
  • The revised account recovery section provides a clearer pathway and more flexibility in implementing the account recovery process. [55:00]
  • Syncable authenticators such as passkeys are now supported, with additional requirements placed on the sync fabric. [52:00]
  • The use of digital wallets as authenticators has been clarified and new account recovery methods have been introduced, including stored recovery codes and trusted recovery contacts. [57:00]

Key changes in Volume C (Federation and Assertions)

  • Ryan Galluzzo discussed the updated structure of 800-63C, the amendments to Federation Assurance Level 3, and the introduction of protocol-based examples. [3:01:00]
  • The new structure consists of core common federation requirements plus separate sections for generic IdP federation and user-managed wallet federation. [01:02:00]
  • In the wallet model, wallets can be handled by modeling them as IdPs, so that's how I did it. (← I'm glad my comment was accepted.)
  • The difference between traditional IdPs and wallets is whether they are multi-user or single-user. (←I'm not sure about this. I think it would be better to take time into account.)
  • The third change is the introduction of Bound Authenticators. Federation Assurance Level 3 now includes bound authenticators with key holder assertions. [01:05:00]
  • A protocol-based example has also been added. It gives a high-level explanation of how to implement federation protocols such as OpenID Connect and SAML. (There was a comment in the Q&A that FAL2 can be achieved without using a backchannel. In fact, it should be possible with response_type=id_token. It might be a good idea for the iGov WG to create a FAL2 profile.) [01:08:00]
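To make the front-channel point concrete, here is an added example (not from the workshop or any NIST document) of the checks an RP must perform on an ID token returned with response_type=id_token: the signature must verify, and iss, aud, exp and the RP's own nonce must all match. The client_id, shared secret and issuer URL are constructed values, and HS256 stands in for the RS256/JWKS setup a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example values (hypothetical; not from the workshop or NIST).
CLIENT_ID = "rp-example"                  # this RP's client_id at the IdP
CLIENT_SECRET = b"example-shared-secret"  # secret shared with the IdP
ISSUER = "https://idp.example"            # the IdP's issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_nonce() -> str:
    # The RP mints this per authentication request and keeps it in the session.
    return secrets.token_urlsafe(16)


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the IdP: an HS256-signed JWT sent back on the front channel."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str, now: int, key: bytes = CLIENT_SECRET) -> dict:
    """RP-side validation: signature, pinned alg, iss, aud, exp, nonce. Raises on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a downgraded alg
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not addressed to this RP")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")  # blocks replay/injection of someone else's token
    return claims
```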

Public comment period and next steps

  • The public comment period closes on October 10th. Comments can be submitted by email or via the Excel spreadsheet template. How long it takes to reach final publication will depend on the volume of comments received. [7:01:15]
  • The team emphasized the importance of public feedback and encouraged participation in the review process. [01:20:00]
  • In particular, we are looking for feedback in the following areas:
  • This will be the final public consultation, with publication planned for the new year.
  • You can engage through the following channels:

Q & A session

  • We addressed a variety of questions, including document false-acceptance rates, biometric performance, and passkey usage. [01:25:00]
  • The team explained their specific requirements and encouraged further comments and feedback from the attendees. [01:30:00]

Closing remarks

  • The workshop concluded with a call for submission of comments and participation in future workshops. The team thanked participants for their time and feedback. [01:35:00]
