The US National Institute of Standards and Technology (NIST) has published new guidelines on digital identities, after a year-long consultation process. The guidelines define digital identity as the unique representation of a subject engaged in an online transaction. They supersede previous guidelines that promoted measures such as regular changing of passwords, and they call for appropriate business and privacy risk management practices. Dubbed 800-63-3, the guidelines reconceptualise online identification in two processes: identity proofing and authentication proofing.
They also recognise the existence of federated identity systems and encourage minimal dissemination of identifying information. They promote pseudonymous access to government digital services whenever possible. Federated identity providers are instead required to support a range of options for querying data, for example by asserting whether an individual is older than a certain age instead of seeking their full date of birth.
The digital identity guidelines also support limited use of biometrics in authentication, noting that while they are unique, biometrics are not secret. Therefore, the use of biometrics for authentication is only allowed when strongly bound to a physical authenticator.
NIST is a federal agency under the Department of Commerce that is responsible for developing information security standards and guidelines, including minimum requirements for federal systems under the Federal Information Security Modernization Act (FISMA), 2014. The guidelines apply to agencies using federal systems over a network, credential service providers, verifiers and relying parties.
Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. The July 2015 appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age reflects the rising importance of privacy in global digital policy, and the recognition of the need to address privacy rights issues at the global, as well as national, levels.