Technology moves fast, and so do the protocols for securely managing identities. The United States National Institute of Standards and Technology (NIST) recently released a new version of its Electronic Authentication Guidelines, now aptly named the Digital Identity Guidelines, an industry standard in how organizations secure digital identities followed by industry, government, and academic organizations.

 

LOA’s replaced with IAL, AAL, FAL

 

The new suite of documents from NSIT highlights many new recommendations for all things digital identity and risk. One of the biggest changes includes shifting from traditional LOA’s (Levels of Assurance) to sections for each part of the identity workflow (IAL, AAL, FAL) enabling architects more flexibility in their design.

 

Here are the new categories:

 

• IAL:  The identity proofing process, or how organizations can compare your real-life vs digital identity.
• AAL: The authentication process, including how additional factors (MFA) can reduce security risks.
• FAL:  The assertion used in a federated environment to communicate authentication and attribute information to a relying party, or what happens when identities move from one domain to another.

These new levels of assurance are intended to allow organizations to combine the categories when possible to use Federation.

 

The Big Changes for Passwords

 

The authentication document updates many guidelines for protecting the ever changing world of passwords including:

 

No more using ‘what was your first pet’s name’ to authenticate or recover a lost, stolen, or forgotten credential. If the breadth of recent breaches taught us anything about passwords, it’s that password hints provide about as much security as writing your credentials on a post-it note.

 

Passwords should be changed when a breach occurs or after a specific threat.  Users often react to scheduled password changes by adding a number or letter to their existing credential which can be easily guessed. Focus on making password policies user friendly and place the burden on the authenticator when possible to encourage users to employ stronger password practices.

 

Password complexity is important. Users substituting letters for characters or symbols does not stop a potential attack. A strong password manager allows you to generate and securely store strong credentials.

 

Multi-Factor Authentication: Out of Band SMS, Email, Authenticators instead of Tokens

 

You might remember the NIST making news last year when they announced that authentication using out of band SMS is no longer recommended.  In the new Authentication and Lifecycle Management document, several recommendations for secure multi-factor authentication (MFA) are given:

 

Basic SMS based OTP’s (one-time passwords) are not recommended; however SMS is allowed with certain risk-based measures.

 

Email is not a secure method to send one-time passcodes. If your users don’t have a mobile device for secure push, look for agent-based workstation options to secure MFA communications.

 

Tokens are now called authenticators. Tokens have other meanings in cybersecurity, so they are now referred to as authenticators when talking about identity access management.

 

Companies should have secure protocols in the event that a user loses their authenticator.

 

As the complicated world of digital identity continues to evolve, so will the guidelines offered by NIST. If you would like to keep up with the project, you can visit their GitHub page to check-in on new updates, or visit the NSIT’s own site to read the latest version.

 

Want to ensure you meet the new standards? Learn more about TransAuth’s award-winning Identity Access Management Platform helping organizations secure identities with strong MFA and password management.