Remote authentication guidelines updated for a mobile world
NIST's update provides minimum technical requirements for remotely authenticating users over open networks.
The National Institute of Standards and Technology has updated technical guidelines for remote authentication of users, reflecting the growing use of mobile and other remote devices for accessing government resources.
“E-authentication presents a technical challenge when this process involves the remote authentication … over an open network,” the authors write in Special Publication 800-63-2, Electronic Authentication Guideline. The document provides minimum technical requirements for each of four levels of assurance, from registration and identity proofing through the assertion methods used to communicate results of remote authentication. The guidelines assume the authentication and transaction are taking place across an open network such as the Internet.
This is the second revision of the guidelines and replaces the previous version, published in 2011. NIST describes the current version as a limited update, with substantive changes made only in the registration and issuance processes for identity proofing. Other changes are minor explanations and clarifications.
The guidelines supplement Office of Management and Budget memo M-04-04, E-Authentication Guidance for Federal Agencies, which defines four levels of assurance based on levels of risk presented by systems being accessed. Increased levels of risk require greater assurance of the identity being verified. The guidelines are for remote authentication of human users, not machine-to-machine authentication.
The proliferation of increasingly powerful mobile devices such as smartphones and tablet computers, in addition to the use of laptops and home PCs, has changed the way systems control access to online assets. Passwords still are the most common mechanism for authenticating user identity, but a growing number of systems rely on cryptographic keys or physical tokens to provide stronger authentication for resources that require greater security. Biometric characteristics are not included for conventional remote authentication protocols, although biometrics can be used to unlock authentication tokens.
Assertions are made during the authentication process though the Security Assertion Markup Language, an XML-based security specification developed by the Organization for the Advancement of Structured Information Standards. Although SAML was emerging in 2006 when SP 800-63 was first published, it was not widely used in government at that time. It can provide scalability in authentication schemes and is one of the significant advances in the guidelines as they have been revised.