SP 800-63-4 heralds a new era of digital identity standards.
In August 2024 the U.S. National Institute of Standards and Technology (NIST) published the second public draft of the fourth revision of its Digital Identity Guidelines (Special Publication 800-63-4) in four volumes: SP 800-63-4 (the base volume), 800-63A (identity proofing and enrollment), 800-63B (authentication and authenticator management) and 800-63C (federation and assertions).
The draft (NIST SP 800-63-4 2pd) sets out the processes and technical requirements for reaching the different assurance levels in digital identity management, and puts added emphasis on the privacy, equity and usability of digital identity solutions and technologies.
The initial public draft of the fourth revision was released in December 2022. During its comment period the authors received nearly 4,000 comments from organizations and individuals, which substantially shaped how the document treats security, privacy and equity in digital identity systems.
Based on that feedback, significant changes were made to all volumes. Among the key changes: the risk management text and context setting were updated, including a new step to define and analyze the online service the organization intends to protect with an identity system; fraud management requirements and recommendations for credential service providers (CSPs) and relying parties (RPs) were expanded; and the identity proofing controls were restructured by the type of proofing performed (remote unattended, remote attended, onsite attended and onsite unattended).
NIST has also listed the key questions on which it is seeking comments and recommendations from reviewers:
- Risk management and identity models:
  - Is the description of the subscriber-controlled wallet model detailed enough for organizations to understand how it compares with real-world solutions such as mobile driver's licenses and verifiable credentials?
  - Is the updated risk management process clear enough to support effective and repeatable implementation of controls that protect online services and systems?
- Identity proofing and enrollment:
  - Is the structure of the requirements by identity proofing type sufficiently clear, and are the proofing types described in enough detail?
  - Are the additional requirements for fraud programs appropriate, and would they provide a common baseline across credential service providers (CSPs) and other organizations?
  - Are the requirements for validating and verifying identity evidence, and their performance metrics, realistic and achievable with existing technology?
- Authentication and authenticator management:
  - Are the requirements for syncable authenticators (for example, passkeys synced across a subscriber's devices) clear enough to allow prudent risk-based decisions in public-facing and enterprise use?
  - Should additional controls be considered, and should there be specific recommendations or implementation considerations?
- Federation and assertions:
  - Are the concepts of subscriber-controlled wallets and attribute bundles clear enough to support real-world implementation? What additional requirements or considerations would improve the security, usability and privacy of these technologies?
- General:
  - What additional implementation guidance, architectural diagrams, metrics or other supporting resources could accelerate adoption and implementation of this and future versions of the Digital Identity Guidelines?
  - Which areas of applied research and measurement would most affect the identity market and help inform these guidelines?
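The syncable-authenticator question above turns on a relying party being able to tell what kind of credential it has been presented with. The WebAuthn authenticator data an RP receives on every registration and assertion carries backup-eligible (BE) and backup-state (BS) flags for exactly that purpose. The Python below is an added example for this page, not NIST text or code from the guidelines: it parses the fixed 37-byte prefix of authenticator data, rejects the flag combination the WebAuthn spec disallows, classifies the credential as device-bound or syncable, and applies an assumed RP policy. The RP ID `login.example`, the constructed authenticator data and the policy names are assumptions, not requirements from SP 800-63B.

```python
"""Classify a WebAuthn credential as syncable or device-bound from the
authenticator data flags (BE = backup eligible, BS = backup state).

Added example for this page; not NIST text or code.  The authenticator
data below is constructed inline for illustration; the RP ID and the
policy in accept_for_policy() are assumptions, not SP 800-63B rules.
"""
import hashlib
import struct

# Bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed prefix: rpIdHash (32) || flags (1) || signCount (4, big-endian).

    Raises ValueError if the data is truncated, belongs to a different RP ID,
    or carries the BS-without-BE combination the WebAuthn spec does not allow.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    backup_eligible = bool(flags & FLAG_BE)
    backup_state = bool(flags & FLAG_BS)
    if backup_state and not backup_eligible:
        raise ValueError("invalid flags: BS set while BE is clear")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backup_state": backup_state,
        "sign_count": sign_count,
    }


def classify_authenticator(parsed: dict) -> str:
    """Map the BE/BS flags to the category an RP would log and apply policy to."""
    if not parsed["backup_eligible"]:
        return "device-bound"            # single-device credential
    if parsed["backup_state"]:
        return "syncable-backed-up"      # passkey currently synced to a cloud account
    return "syncable-not-backed-up"      # eligible for sync, not yet synced


def accept_for_policy(parsed: dict, allow_syncable: bool) -> bool:
    """Assumed RP policy: require user presence and verification, and
    optionally refuse any credential that is eligible for syncing."""
    if not (parsed["user_present"] and parsed["user_verified"]):
        return False
    if parsed["backup_eligible"] and not allow_syncable:
        return False
    return True


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a 37-byte authenticator data prefix (constructed sample input)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "login.example"  # assumed RP ID for the constructed samples
    samples = [
        ("device-bound key", FLAG_UP | FLAG_UV),
        ("synced passkey", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
    ]
    for name, flags in samples:
        parsed = parse_authenticator_data(build_auth_data(rp, flags, 7), rp)
        print(name, classify_authenticator(parsed),
              "accepted" if accept_for_policy(parsed, allow_syncable=False) else "rejected")
```

An RP that wants to treat synced passkeys differently from device-bound ones (for example, at a higher assurance level) records the classification at registration and re-checks BE/BS on every assertion, since a credential can move from not-backed-up to backed-up over its lifetime.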
The fourth revision of SP 800-63 is intended to keep pace with a changing digital landscape and to give organizations comprehensive guidance on the security, privacy, equity and usability of digital identity systems. That matters all the more given growing dependence on online services and rising threats against them.
Source