NIST's coming digital ID update includes standards for biometric proofing

The National Institute of Standards and Technology is due to release its first update to its digital identity guidelines in five years, officials said on Thursday.

The updates to NIST Special Publication 800-63 have been in the works since 2020 and respond to changes in the cybersecurity threat landscape, new technologies and concerns about equity, according to an presentation from NIST officials at an October 27 meeting of the agency's Information Security and Privacy Advisory Board. They also incorporate lessons learned from the pivot to digital services at the onset of the COVID-19 pandemic.

The forthcoming draft will include biometric performance requirements designed to make sure there aren't major discrepancies in the tech’s effectiveness across different demographic groups. NIST research published in 2019 found that most facial recognition software products are less effective at identifying people of color than white people when it comes to one-to-one matching.

The update will also increase identity proofing options that don’t require facial recognition, according to slides shown at the presentation. 

New standards from NIST could help government agencies avoid the kind of situation that the IRS endured earlier this year after fielding a biometric tool as a gateway to accessing digital services. The tax agency asked users to submit a selfie video as part of an identity verification process for taxpayers who wanted to take advantage of a new direct-file service. The use of facial recognition tech proved onerous for some users, drew criticism from privacy advocates in Congress and was quickly abandoned.  

At the same time, the IRS and other agencies don't have many choices for confirming the identities of users.

Ryan Galluzzo, digital identity program lead for the applied cybersecurity division at NIST, said "there weren't that many alternatives that states that agencies and organizations can turn to, to really address some of the threats that they were seeing.” 

Overall, a major lesson learned since the last update has been the interdisciplinary nature and impact of identity management.

“Identity doesn't operate in a vacuum," Galluzzo said. "It doesn't just sit in front, do what it's supposed to do and then move on like nothing ever happened. It should be part of a continuous process, integrated with your product teams, integrated with the privacy teams, integrated with your response teams and your cybersecurity teams.”

David Temoshok, senior advisor for applied cybersecurity at NIST, said the new draft supports a new level of identity proofing to be used for lower risk levels. This is important because some agencies currently struggle to meet existing standards.

Additionally, the updated guidelines will also have requirements for a “subscriber account,” where individuals will be able to access information collected about themselves, change it and even delete it.