NIST has tips on buying authentication IT

The first draft of a technical guide for a governmentwide electronic-authentication policy will begin circulating no later than the end of this month, National Institute of Standards and Technology officials said.

After revising the draft, NIST will post the guidance on its Web site, at, for public comment.

The Office of Management and Budget has asked agencies to delay buying e-authentication tools as much as possible until governmentwide policy has been set.

The need for broad federal authentication stems from the rise in electronic transactions prompted by the 1998 Government Paperwork Elimination Act. GPEA orders agencies to make most transactions electronic by October.

A NIST working group presented its technical definitions and password requirements to the Federal Identity and Credentialing Committee, which OMB has chartered to develop a common credentialing policy.

NIST's technical guidance will cover passwords and cryptographic keys, as well as knowledge-based authentication, which asks automated questions to verify users' identities, said Bill Burr, manager of NIST's Security Technology Group.

Authentication technology vendors want 'strong direction' from NIST's technical guidance, said Randy Vanderhoof, executive director of the Smart Card Alliance of New York.

'Vendors will have a target to shoot for,' Vanderhoof said. 'If there's a clear direction toward what the government is going to buy, they can build toward that specification.'

Otherwise, he said, vendors tend to develop systems that they're 'continually having to update and revise and change for the next customer.'

Burr warned at a June meeting that the e-authentication technical guidance is also subject to change. 'This is an ongoing process,' he said. 'We probably won't get it right the first time, but hopefully we'll get close enough.'

The working group is stating requirements for passwords at each of OMB's prescribed four levels of security risk. Each level has its own threshold for consequences, ranging from inconvenience all the way up to safety threats.

Level 1 passwords, Burr said, are likely to be simple personal identification numbers. Level 2 would probably handle passwords via commercial software.

Beyond common software

The third and fourth levels would involve cryptographic keys beyond the reach of common software, Burr said. Level 3 keys would work as browser add-ons, and Level 4 keys, the highest authentication, would reside in hardware tokens, such as smart cards that comply with Federal Information Processing Standard 140-2.

'We'll lay out a bunch of protocol rules about the kinds of attacks they have to defend against,' Burr said. For instance, Level 1 protection must prevent online guessing at PINs. Levels 3 and 4 must guard against eavesdropping, impersonating or hijacking of access privileges.

The process of developing guidance carries its own risks, he said, such as carelessly blending apples-and-oranges authentication products.

The technical guidance will not take up biometric authentication, Burr said, but instead will concentrate on remote network authentication.

'This is a really challenging thing to do in a comprehensive kind of way,' he said.

Vanderhoof said vendors are ready to come to NIST's aid. 'It's up to the vendor community to work together with NIST and make sure it's going down the right track,' he said.
