After four years of work, the National Institute of Standards and Technology (NIST) has published the long-awaited update to its digital identity guidelines. 

Published on Aug. 1, the updated guidelines are the product of two public drafts, 6,000 public comments, and foundational research that aims to respond to a changing digital landscape, NIST said. This is the first major update to the agency’s set of guidelines on identity management dating back to 2017.

“The guidelines presented in Revision 4 explain the process and technical requirements for meeting digital identity assurance levels for identity proofing, authentication, and federation – including requirements for security and privacy, as well as considerations for improved customer experience of digital identity solutions and technology,” said NIST in a blog post. 

The agency added that the update establishes identity management “as a cross-functional process” involving professionals across multiple disciplines, and “has continued its evolution towards a ‘team sport.’” 

Specific updates included in the new set of guidelines are context setting and reframed risk management; continuous evaluation metrics; expanded identity fraud requirements and recommendations; restructured identity proofing controls; additional injection attack and forged media controls; integrated syncable authenticators; and subscriber-controlled wallets. 

New guidelines also address the use of mobile driver’s licenses (mDLs) – which are gaining popularity as more states issue them through platforms such as Apple Wallet and Google Wallet – as well as the adoption of verifiable credentials to strengthen protections against identity fraud. 

“These guidelines are ultimately intended to make navigating the digital world more secure and convenient by providing a framework to understand online risks and controls that can better protect our critical online services,” said NIST. 

NIST said it is also working on developing implementation resources and considering machine-readable conformance criteria and a “Digital Identity Risk Management tool,” saying “our journey certainly does not end with Revision 4.” 

Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.