Let’s get Digital! Updated Digital Identity Guidelines are Here!

Digital Identity Guidelines

Credit: NIST

Join our Revision 4 Public Webinar!

August 20, 2025 | 12:00 PM – 1:30 PM EDT

This informative webinar featuring NIST’s identity team will cover the content changes recently made to the entire suite of Digital Identity Guidelines documents and will explore topics such as technical requirements for meeting digital identity assurance levels, requirements for security and privacy, and considerations for an improved customer experience relative to digital identity solutions and technology.

Today is the day! Digital Identity Guidelines, Revision 4 is finally here…it’s been an exciting journey and NIST is honored to be a part of it.

What can we expect?

Serving as a culmination of a nearly four-year collaborative process that included foundational research, two public drafts, and about 6,000 individual comments from the public, Revision 4 of Special Publication 800-63, Digital Identity Guidelines, intends to respond to the changing digital landscape that has emerged since the last major revision of this suite, published in 2017. 

The guidelines presented in Revision 4 explain the process and technical requirements for meeting digital identity assurance levels for identity proofing, authentication, and federation—including requirements for security and privacy, as well as considerations for improved customer experience of digital identity solutions and technology. The guidelines also establish identity management as a cross-functional process involving professionals representing cybersecurity, privacy, usability, program integrity, mission and business units, and other disciplines. Identity risk management in Revision 4 has continued its evolution towards a “team sport” that can more effectively address the needs of the organization and the individuals it seeks to serve.

Revision 4 also includes many substantial content changes, including:

  • Updates to context setting for risk management, reframed risk management processes, and new expectations for greater cross-functional engagement.
  • New recommended continuous evaluation metrics.
  • Expanded fraud requirements and recommendations for identity proofing processes.
  • Restructured identity proofing controls to better define roles and types of identity proofing.
  • Added controls for addressing injection attacks and forged media (e.g., “deep fakes”).
  • Integration of syncable authenticators (e.g., synced passkeys).
  • Representation of subscriber-controlled wallets in the federation model.

And…for those of you looking for it, since we know you are out there, changes to the password composition and rotation expectations are also included in the document. All these changes represent an extensive update from NIST SP 800-63 Revision 3—drawing heavily from real-world lessons and innovations.

These guidelines are ultimately intended to make navigating the digital world more secure and convenient by providing a framework to understand online risks and controls that can better protect our critical online services.

Where will we go from here?

Our journey certainly does not end with Revision 4.

As with previous revisions, implementation resources are already in development, and we are exploring concepts such as machine-readable conformance criteria and a Digital Identity Risk Management tool.

While the comment period has closed, we always welcome engagement, feedback, and questions. Email us: dig-comments [at] nist.gov
