Draft e-authentication technical guidance due in September
- By Vandana Sinha
- Jul 24, 2003
A draft version of technical guidance for the new Office of Management and Budget policy on electronic authentication could be released as soon as Labor Day and will arrive no later than the end of September, said a government official managing the process.
The National Institute of Standards and Technology is developing the guidance, which recommends that agencies buy identification technologies that can be implemented governmentwide, rather than individually, to promote interoperability.
NIST officials plan to present the working group's approach to defining password requirements at the July 30 meeting of the Federal Identity and Credentialing Committee, which OMB recently established to develop a common credential policy for federal employees.
The technical guidance will likely cover passwords and cryptographic keys, as well as knowledge-based authentication, which asks users to answer certain questions to verify their identities, said Bill Burr, manager of NIST's Security Technology Group.
"This is an ongoing process," he said. "We probably won't get it right the first time, but hopefully we get close enough. We'll have to evolve." After circulating and revising a draft copy in September, the agency plans to post the full guidance on its Web site for public comment.
For now, however, Burr said the working group is concentrating on building requirements for passwords and keys through OMB's prescribed four levels of security risk.
The lowest-level requirements would likely address personal identification numbers and simple passwords, he said. The second level would likely address passwords developed with off-the-shelf software.
The third and fourth levels probably will refer to cryptographic passwords. The third is expected to address those that work through software add-ons to Internet browsers, and the fourth will offer guidance on use of keys housed in hardware tokens, such as smart cards.
"We'll lay out a bunch of protocol rules about the kinds of attacks they have to defend against," Burr said. "This is a really challenging thing to do in a comprehensive kind of way."