NIST releases final digital identity guidelines after years of drafts
The National Institute of Standards and Technology released new digital identity guidelines on Friday, updating standards dating back to 2017 to respond to a changing landscape.
These guidelines outline the process and technical requirements for digital identity proofing, authentication and federation. Many non-governmental organizations also look to these standards. It took NIST four years, two drafts and 6,000 public comments to update them.
“This is one step in a continued evolution of how we can help organizations deploy more effective, more efficient, more secure identity technology,” Ryan Galluzzo, the digital identity lead for NIST’s applied cybersecurity division, told Nextgov/FCW Monday.
One change from the previous drafts is the removal of the word “equity,” which appeared upwards of 30 times in the first two drafts, though it was not in the 2017 guidance.
The revision comes as the Trump administration has sought to remove diversity, equity and inclusion efforts from the federal government after the Biden White House made DEI a priority.
Instead, the table of contents in the final standards appears to reference “customer experience” in the sections where equity and usability used to be the focus.
“You can’t deploy technology that just will not work for your population,” said Galluzzo of customer experience. “No matter how secure and effective it seems, if no one can use it, no one can use it.”
This isn’t the first time the ideological differences between the Biden and Trump administrations have altered identity efforts within the government.
In June, the White House rolled back parts of a Biden-era cybersecurity executive order focused on digital identity, citing false claims that those policies mandated that immigrants lacking legal status get government-issued IDs, which could be used to get government benefits.
Beyond the removal of equity from the update, the new NIST publication does retain other changes that previous drafts made to the 2017 document, like the addition of mobile driver’s licenses (mDLs) and how they can be used to prove identity online.
That is potentially a big change: mDLs are currently used mostly to prove identity in person rather than online, where some in industry say they could be a major tool against fraud fueled by identity theft.
The revised guidelines also have additional information on controls meant to address deepfakes. Those pose enough of a threat that the Treasury Department’s Financial Crimes Enforcement Network issued an alert warning financial institutions about them last fall, writing that it had seen an increase in deepfakes being used in fraud schemes to get around identity and authentication controls.
“Criminals have used GenAI to create falsified documents, photographs and videos to circumvent financial institutions’ customer identification and verification,” that alert reads.
The new NIST guidelines also feature expanded fraud requirements, information on syncable authenticators, or passkeys, and recommended continuous evaluation metrics. The performance of digital identity solutions can vary widely, and some solutions don’t work as well for people with darker skin tones.
Among the questions organizations using digital identity solutions should ask are “How many people are being successful? How many people are failing? Why are they failing? Where are the issues within the process?” said Galluzzo.
The goal is to ensure solutions work well both in terms of preventing fraud and in terms of customer experience, he said.
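The questions above map onto a simple funnel analysis over proofing telemetry: pass rate at each step, overall completion, and whether any cohort of applicants lags the overall rate at a particular step. The following is an added illustration, not code from the article or from NIST; the stage names, the cohort labels and the sample journeys are all constructed for the example.

```python
from collections import Counter, defaultdict

# Assumed stage order of an illustrative remote proofing flow (hypothetical names).
STAGES = ["document_capture", "document_validation", "selfie_match"]
# Constructed sample journeys: applicant -> (cohort, pass/fail per stage, in order,
# ending at the first failure). "cohort" is a hypothetical monitoring label.
SAMPLE_JOURNEYS = {
    "a1": ("cohort_a", [True, True, True]), "a2": ("cohort_a", [True, True, True]),
    "a3": ("cohort_a", [True, False]),      "a4": ("cohort_a", [True, True, True]),
    "b1": ("cohort_b", [True, True, True]), "b2": ("cohort_b", [True, True, False]),
    "b3": ("cohort_b", [True, True, False]), "b4": ("cohort_b", [False]),
}

def expand(journeys):
    """Flatten journeys into (applicant_id, cohort, stage, passed) events."""
    return [(aid, cohort, stage, ok) for aid, (cohort, outcomes) in journeys.items()
            for stage, ok in zip(STAGES, outcomes)]

def stage_pass_rates(events):
    """Pass rate per stage among applicants who reached that stage."""
    attempts, passes = Counter(), Counter()
    for _, _, stage, ok in events:
        attempts[stage] += 1
        passes[stage] += ok  # bool counts as 1 or 0
    return {s: passes[s] / attempts[s] for s in STAGES if attempts[s]}

def completion_rate(events):
    """Share of applicants who started proofing and passed the final stage."""
    started = {aid for aid, _, _, _ in events}
    done = {aid for aid, _, stage, ok in events if stage == STAGES[-1] and ok}
    return len(done) / len(started)

def cohort_gaps(events, threshold=0.15):
    """Flag (stage, cohort) pairs whose pass rate trails the overall rate for
    that stage by more than `threshold` (absolute); rates rounded for reporting."""
    overall = stage_pass_rates(events)
    by_cohort = defaultdict(list)
    for ev in events:
        by_cohort[ev[1]].append(ev)
    gaps = []
    for cohort, evs in by_cohort.items():
        for stage, rate in stage_pass_rates(evs).items():
            if overall[stage] - rate > threshold:
                gaps.append((stage, cohort, round(rate, 2), round(overall[stage], 2)))
    return sorted(gaps)

if __name__ == "__main__":
    events = expand(SAMPLE_JOURNEYS)
    print("pass rate per stage:", stage_pass_rates(events), "completion:", completion_rate(events))
    print("cohorts lagging a stage:", cohort_gaps(events))
```

On the constructed data the only flagged gap is the selfie-match step for cohort_b, which is the kind of step-level, cohort-level signal the guidance's evaluation metrics are meant to surface.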
As with older draft versions of the now-final update, the guidelines also offer new options meant to give organizations ways to require digital identity proofing without needing to use biometrics like facial recognition.
Up next, NIST says that it’s working on implementation resources and exploring machine-readable conformance criteria and a digital identity risk management tool.