By: Patrick W. Hearn
In late June, the National Institute of Standards and Technology (NIST) released Special Publication 800-63-3, better known as the “Digital Identity Guidelines”. The standard is organized into several parts covering Enrollment and Proofing, Authentication and Lifecycle Management, and Federation and Assurances. It is designed for fluid, digital identity.
In a world of “Phishing, Vishing, Smishing, and Qrishing”, this document sets the “rules of the road” for essentially anyone who interacts with government or operates in some kind of regulated environment. In short, everyone is impacted, whether through a Social Security check, a new Medicare card, an IRS return, or the many other services that together move some $4 trillion.
If you log on, you are using a digital identity and you are impacted.
Over the next year, Agencies will be spending quite a bit of time and money trying to take this standard and apply it to their own Digital Identity roadmap. This means improving how the holder of the Digital ID is protected.
One of the biggest challenges facing Agencies is how the standard can be applied to reduce the fastest growing forms of identity fraud mentioned above. Each of these types of attack occurs not only within the enrollment process but also after a session is “in process”. Addressing both will be the key to a successful “63”.
Successful planning and execution means adopting some principles that are consistent and included within 800-63-3 (specifically within Part A). They include:
1. Accepting that any G2C (Government to Citizen) transaction where value is involved must have an Identity Assurance Level of at least 2.
2. That both the enrollment and proofing processes use similar, continuous authentication tools, ensuring consistent real-time processes.
3. That any system will need, at a core level, an approach that combines physical and cognitive authentication. This process will play a major role in defeating fraudsters.
4. That any new process is passive and seamless to the user and reduces the False Positives and False Negatives too often seen in the user experience.
5. That there is no new adoption of, or requirement to onboard, more “Personally Identifiable Information”.
6. That scalability is immediate in any deployment (in the billions+ of transactions).
While the above principles have much more detail behind them, they are part of an essential “Statement of Principles” in achieving compliance and more importantly ensuring the integrity of digital services from the Government to the citizens it serves.
If you are focused on Digital Identity, be you a Government Employee, Contractor, or someone who deals in this area in any way, these 6 basic pointers can help. This is how to practice Fluid, Digital ID.