NIST unveils draft update of identity proofing tech guidance 

The National Institute of Standards and Technology provided its draft update to the standards that regulate how government agencies identity proof individuals online on Friday, its first major change to the policy in five years. 

The draft has major updates on the use of facial recognition for agencies, testing requirements for facial recognition provided by vendors and more changes meant to help the government respond to changes in the threat landscape, new technologies and concerns about equity.

The standards govern digital identity management in government, which is foundational to cybersecurity efforts like zero trust. They also shape the identity proofing process that  individuals are sometimes required to pass to access certain government services like unemployment or tax records online.

NIST officials said at a public meeting in October that they were hoping to use wisdom garnered from the forced push to digital services at the onset of the pandemic in the new draft – something evident particularly in a new focus on equity throughout the draft version. 

The final publication for the update is slated for fiscal year 2024. The agency is also hosting a virtual event about the draft on Jan. 12, 2023 and taking comments on the draft through March 24, 2023.

NIST Director Laurie E. Locascio said in a statement that the agency is “actively seeking feedback” from “advocacy and community engagement groups that have insight into the potential impacts these technologies can have on members of underserved communities and marginalized groups” in addition to technical experts. 

Ryan Galluzzo, the Digital Identity Program Lead for NIST’s Applied Cybersecurity Division, told FCW one change in the draft is a new mandate for agencies to look at potential impact of a given technology or identity system on individuals and communities, as well as mission delivery, when they consider their risk level and strategy. It also requires continuous evaluation after a system is in place.

The update also has several changes regarding biometrics like facial recognition.

Currently, using biometrics is a common way to reach the lowest level of identity proofing in the guidelines known as “identity assurance level two.”

But the draft essentially creates a new standard for identity proofing that does not require any biometrics for lower-risk situations. The change is meant to give agencies more flexibility, said Galluzzo.

One big question that NIST says it wants help on is what “emerging and alternative” identity verification tech is out there that doesn’t rely on facial recognition. 

“NIST sees a need for inclusion of an unattended, fully remote Identity Assurance Level (IAL) 2 identity proofing workflow that provides security and convenience, but does not require face recognition,” the agency writes.

The draft also includes performance requirements for biometrics in identity proofing. A NIST study in 2019 found demographic differentials like race and gender in some facial recognition algorithms, such as higher rates of false positives for Asian and African American faces relative to Caucasians.

Identity vendors will need to have their algorithms’ performance tested by an independent lab or research institution, post results publicly and remedy any gaps found in how a given algorithm performs. NIST also sets minimum performance thresholds for biometrics in the new draft. 

The goal of the new requirements is “greater transparency, greater accuracy and greater understanding of how the technologies work so that agencies can make the most informed decisions possible [and] individuals can make the most informed decisions possible,” Galluzzo said.

The new draft also includes more alternative means of verifying identity by adding the idea of an “applicant reference” that can vouch for someone being identity proofed if they, for example, do not have identity documents that are commonly used.

The update also includes changes meant to expand the use of digital evidence like mobile driver’s licenses in the identity proofing process. NIST also wants to know more from stakeholders about the potential of emerging tech like mobile driver’s licenses, verifiable credentials and FIDO passkey in terms of authentication.

Finally, the draft also gives a definition for phishing resistance controls.

The update has a “critical role in supporting the administration’s governmentwide efforts to strengthen identity verification for government systems used by the American public while balancing privacy, equity and accessibility,” Jason Miller, deputy director for management at the Office of Management and Budget, said in a statement.

“Identity verification is a front door to federal services and benefits, and it should provide security assurance while enabling access for intended beneficiaries, particularly those from underserved communities and marginalized groups,” he said.