NIST previews new federal authentication guidelines

NIST previews new federal authentication guidelines

By posting four documents on GitHub, the National Institute of Standards and Technology is calling on the public to help it map out new guidelines for federal agencies' digital authentication practices.

Under NIST's scheme for digital authentication, individuals would establish their identity through what's called identity assurance and prove their credentials to access a given system through authenticator assurance -- possibly a chipped and encrypted identity card.

The documents also state that passwords could be entirely numeric. NIST's experts say a mix of character types in passwords (such as at least one digit, uppercase letter and symbol) "is not nearly as significant as initially thought, although the impact on usability and memorability is severe."

Instead, NIST recommends that user-chosen passwords be compared against a list of unacceptable passwords. That list should include passwords from previous breaches, dictionary words and specific words (such as the name of the service itself) that users are likely to choose.

Users also won't be able to have a password "hint" that is accessible to unauthenticated personnel. The verification process shouldn't user specific types of information in the authentication process. In other words, the typical "first pet" or "mother's maiden name" password prompt is out of bounds.

The guidelines said biometrics for authentication matching should be performed locally on a user's device or possibly by a central verifier, but biometrics must be used with another authentication factor that is revocable.

Besides the guidelines for digital authentication, NIST is seeking comments on:

  • Enrollment and identity proofing -- the processes by which a credential, and authenticator(s) associated with that credential, can be bound to a specific individual.
  • Authentication and lifecycle management -- the selection, use and management of authenticators (or tokens) to authenticate a remote subscriber to an identity system at specified assurance levels.
  • Federation and assertions -- the use of federated identity and assertions to convey the results of authentication to a relying party.

The public preview aims to solicit input through successive open comment periods and editing iterations. GitHub comments are being accepted through the summer, and NIST said it would maintain its tradition of extended public comment after this process comes to a close.

This article originally appeared on FCW, a sister site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected