NIST publishes new digital identity guidelines

The US National Institute of Standards and Technology (NIST) has published new guidelines on digital identities, after a year-long consultation process. The guidelines define digital identity as the unique representation of a subject engaged in an online transaction. They supersede previous guidelines, which promoted measures such as regular changing of passwords, and promote appropriate business and privacy risk management practices. Dubbed the 800-63-3, the guidelines reframe online identification as two processes: identity proofing and authentication proofing.

 

They also recognise the existence of federated identity systems and encourage minimal dissemination of identifying information. They promote pseudonymous access to government digital services whenever possible. Federated identity providers are instead required to support a range of options for querying data, for example by asserting whether an individual is older than a certain age rather than seeking their full date of birth.
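A sketch of the age-threshold and pseudonymous-access ideas above, added here as an illustration and not taken from the NIST text: a hypothetical identity provider answers a relying party with a derived yes/no claim and a per-relying-party pseudonym, and refuses the raw attribute. All names (`build_assertion`, `pairwise_subject`, the `age_over:N` request syntax) and the sample record are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record held by a hypothetical identity provider (IdP).
USER = {"internal_id": "u-1001", "name": "Alex Example", "birthdate": date(1990, 6, 15)}
IDP_SECRET = b"constructed-demo-secret"  # placeholder key, not a real secret


def pairwise_subject(internal_id: str, rp_id: str) -> str:
    """Pseudonymous identifier that differs per relying party (RP)."""
    msg = f"{rp_id}|{internal_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def age_on(birthdate: date, today: date) -> int:
    """Whole years elapsed, accounting for birthdays not yet reached this year."""
    before_birthday = (today.month, today.day) < (birthdate.month, birthdate.day)
    return today.year - birthdate.year - int(before_birthday)


def build_assertion(user: dict, rp_id: str, requested: list, today: date) -> dict:
    """Answer an RP's request with derived claims only.

    Requests look like "age_over:18". Anything else, including a request for
    the raw birthdate or name, is refused and listed under "denied".
    """
    claims = {"sub": pairwise_subject(user["internal_id"], rp_id)}
    denied = []
    for item in requested:
        kind, _, arg = item.partition(":")
        if kind == "age_over" and arg.isdigit():
            claims[f"age_over_{arg}"] = age_on(user["birthdate"], today) >= int(arg)
        else:
            denied.append(item)
    return {"claims": claims, "denied": denied}


if __name__ == "__main__":
    print(build_assertion(USER, "rp.example", ["age_over:18", "birthdate"], date(2017, 7, 1)))
```

The relying party learns only the boolean it asked about, and two relying parties cannot correlate the same person by comparing `sub` values.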

 

The guidelines only allow the use of biometrics for authentication when strongly bound to a physical authenticator. The guidelines apply to agencies using federal systems over a network, credential service providers, verifiers and relying parties.