NIST Seeks Comments on Electronic Authentication Guideline

By Renee Dopplick, ACM Director of Public Policy
May 11, 2015

NIST seeks public input on which sections of its Electronic Authentication Guideline need updating. Given the evolving landscape of cybersecurity technological innovations and threats targeting remote authentication, NIST is considering a “significant update.” This technical guideline for federal agencies implementing electronic authentication was last updated in 2013. It supplements OMB’s E-Authentication Guidance for Federal Agencies.

NIST specifically invites input on:

1. What schemas for establishing identity assurance have proven effective in providing an appropriate amount of security, privacy, usability, and trust based on the risk level of the online service or transaction? How do they differentiate trust based on risk? How is interoperability of divergent identity solutions facilitated?

2. Could identity assurance processes and technologies be separated into distinct components? If so, what should the components be and how would this provide an appropriate level of identity assurance?

3. What innovative approaches are available to increase confidence in remote identity proofing? If possible, please share any performance metrics to corroborate increased confidence levels.

4. What privacy considerations arising from identity assurance should be included in the revision? Are there specific privacy-enhancing technologies, requirements or architectures that should be considered?

5. What requirements, processes, standards, or technologies are currently excluded from the Electronic Authentication Guideline that should be considered for future inclusion?

6. Should a representation of the confidence level in attributes be standardized in order to assist in making authorization decisions? What form should that representation take?

7. What methods can be used to increase the trust or assurance level (sometimes referred to as “trust elevation”) of an authenticated identity during a transaction? If possible, please share any performance metrics to corroborate the efficacy of the proposed methods.

Comments are due by May 22.