NIST looks to transform federal authentication
- By Mark Rockwell
- May 09, 2016
That password you use? Even if it includes uppercase and lowercase letters, special characters and numbers, it's probably obsolete under new guidance for federal system authentication.
In four documents posted to GitHub, the National Institute of Standards and Technology offers what it says are dramatic changes to its guidelines for federal agencies' digital authentication practices.
NIST is renovating its approach to identity proofing to align more closely with current Office of Management and Budget guidance, and said the guidelines are meant to help agencies choose appropriate digital authentication technologies. That approach separates the individual elements of identity assurance into discrete component parts.
Under NIST's scheme, individuals would establish who they are through what's called identity assurance, and would prove possession of their credentials when accessing a given system through authenticator assurance, for example with a chipped, encrypted identity card.
The documents also state that passwords could be entirely numeric. NIST's experts say a mix of character types in passwords (such as at least one digit, uppercase letter and symbol) "is not nearly as significant as initially thought, although the impact on usability and memorability is severe."
Instead, NIST recommends that user-chosen passwords be compared against a list of unacceptable passwords and rejected if they appear on it. That list should include passwords exposed in previous breaches, dictionary words, and context-specific words (such as the name of the service itself) that users are likely to choose.
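As an added illustration of the shift described above (this is example code, not NIST's or FCW's), the following Python contrasts a legacy composition-rule check with the blocklist check the draft recommends. The breach corpus, dictionary and service-related terms are small constructed sets so the script runs offline; the eight-character minimum is an assumption of this example, not something the article states.

```python
"""Composition rules versus a blocklist check for user-chosen passwords.

Added example; this is not NIST's or FCW's code. The breach corpus,
dictionary and service-related terms below are small constructed lists
so the script runs offline; a real verifier would load full corpora
from prior public breaches and an actual dictionary.
"""
import unicodedata

# Constructed sample data, not a real breach corpus or dictionary.
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "p@ssw0rd1", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"dragon", "monkey", "football", "sunshine", "princess"}
# Words users of this particular service are likely to pick: the service
# name and related terms (hypothetical service called "fcw").
SERVICE_TERMS = {"fcw", "nist", "login"}

# Characters users commonly append to a dictionary word to satisfy composition rules.
TRAILING_JUNK = "0123456789!@#$%^&*._-"


def composition_rule_check(password: str) -> bool:
    """The legacy policy: at least one lower, upper, digit and symbol.

    Kept here only for contrast; it accepts weak breached passwords
    and rejects long, memorable passphrases.
    """
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() and not c.isspace() for c in password)
    )


def normalize(password: str) -> str:
    """Canonical form for list comparison: Unicode NFKC, trimmed, case-folded.

    Case-folding makes the comparison case-insensitive, so "Password" is
    caught by a list entry "password".
    """
    return unicodedata.normalize("NFKC", password).strip().casefold()


def blocklist_check(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Blocklist approach described in the draft: no composition rules,
    purely numeric passwords allowed, anything on the unacceptable list rejected.

    min_length is this example's assumption; the article states no minimum.
    Returns (accepted, reason).
    """
    norm = normalize(password)
    if len(norm) < min_length:
        return False, "shorter than the minimum length"
    # The stem is the password with trailing digits/symbols removed, so
    # "Dragon123!" is still matched against the dictionary word "dragon".
    stem = norm.rstrip(TRAILING_JUNK)
    for candidate in (norm, stem):
        if candidate in BREACHED_PASSWORDS:
            return False, "appears in the breach corpus"
        if candidate in DICTIONARY_WORDS:
            return False, "is a dictionary word"
    for term in SERVICE_TERMS:
        if term in norm:
            return False, f"contains the service-related term {term!r}"
    return True, "ok"


if __name__ == "__main__":
    samples = ["P@ssw0rd1", "correct horse battery staple", "93847561028374",
               "Dragon123!", "MyFCWaccount"]
    for pw in samples:
        print(f"{pw!r:34} composition={composition_rule_check(pw)!s:5} "
              f"blocklist={blocklist_check(pw)}")
```

Run stand-alone, the script shows the inversion the draft is driving at: "P@ssw0rd1" satisfies every composition rule yet sits in the breach list, while a four-word lowercase passphrase or a long all-digit password fails the composition rule but passes the blocklist.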
Verifiers also won't be permitted to store a password "hint" that is accessible to anyone who has not yet authenticated, and they shouldn't prompt for specific types of personal information as part of authentication. In other words, the typical "first pet" or "mother's maiden name" prompt is out of bounds.
The guidelines said biometric matching for authentication may be performed locally on a user's device or by a central verifier, but a biometric must be used together with another authentication factor that can be revoked, since a fingerprint or face cannot be changed if it is compromised.
NIST said biometric systems used in those applications should have a tested equal error rate (EER) of 1 in 1,000 or better, with a false-match rate (FMR) of 1 in 1,000 or better.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Follow him on Twitter at @MRockwell4.