July 16, 2019
NIST Digital Identity Guidelines: The Good and the Opportunity for Better
Posted June 19, 2017
The National Institute of Standards and Technology (NIST) has long been an authoritative reference source for authentication assurance guidance. Its latest publication, “Digital Identity Guidelines,” is no exception. The guidelines update previous standards and extend them to address identity and authentication as a service, providing the concepts and language necessary for proper care and feeding of digital identities.
Digital identity and authentication are the bedrock of online security, which is fast becoming a national security priority. The Digital Identity Guidelines represent a prudent expenditure of taxpayer dollars. What follows is a discussion of important areas where the NIST guidelines can be enhanced to provide the guidance necessary to make digital infrastructure more robust, more secure and easier to use.
Relative vs. absolute assurance levels
In 800-63B section 4, the three authenticator assurance levels (AAL) are defined in relative terms:
- SP800-63B 4.1: AAL1 provides some assurance that the claimant controls an authenticator registered to the subscriber.
- SP800-63B 4.2: AAL2 provides high confidence that the claimant controls authenticator(s) registered to the subscriber.
- SP800-63B 4.3: AAL3 provides very high confidence that the claimant controls authenticator(s) registered to the subscriber.
“Some assurance,” “high confidence” and “very high confidence” are qualitative abstractions used in place of certainty. The NIST guidelines would be more valuable if AAL1, AAL2 and AAL3 were defined directly in terms of the attacks they mitigate. The target list should include online guessing/cracking, phishing, keyboard logging, OS-based attacks, network-based attacks, emulation, cloning, spoofing, and others.
Device identity confusion
The NIST guidelines lack a definition of device identity. There are multiple references to “device identity” accompanied by statements to the effect that, while device identity mitigates risk and eliminates false positives, it does not increase assurance.
Here are examples of statements in the NIST guidelines that imply device identity does not enhance the assurance level.
- 800-63-3 Section 4.3.1: As discussed in Section 5.1, other types of information, such as location data or device identity, may be used by an RP or verifier to evaluate the risk in a claimed identity, but they are not considered authentication factors.
- 800-63-3, Section 4.1: As part of authentication, mechanisms such as device identity or geolocation may be used to identify or prevent possible authentication false positives. While these mechanisms do not directly increase the AAL, they can aid in enforcing security policies and mitigate risks.
The challenge with these statements is that there is no definition of “device identity,” which creates opportunity for speculation. Logically, if “device identity or geolocation may be used to identify or prevent possible authentication false positives,” then shouldn’t it result in increased assurance levels? One can speculate that “device identity” refers to probabilistic methods for measuring device identity. Even so, if a probabilistic device/transaction risk score helps identify risk and identifies or mitigates false positives, then it does enhance the assurance level or confidence level. The NIST guidelines should minimize these opportunities for ambiguity and provide an accurate definition of “device identity.” The NIST guidelines should also explain how it is possible for an identity artifact (probabilistic or deterministic) that improves the authentication outcome to not raise the assurance level.
The confusion is compounded with other references stating that a device is “something you have” and can be used as an independent authentication factor, which increases assurance level, as in 63-3B Section 4.2.1, which states: “Therefore, it is unnecessary to implement another factor with biometrics as the device is ‘something you have,’ which serves as a valid second factor of the authenticator.”
Device identity mitigates false negatives
The NIST Digital Identity Guidelines state that “As part of authentication, mechanisms such as device identity or geolocation may be used to identify or prevent possible authentication false positives” but that they do not increase assurance levels. An authentication false positive is where a legitimate claimant is wrongly treated as a fraudster. Device identity and contextual authentication are effective in identifying false positives. However, equally important is the prevention of false negatives, where a fraudster is falsely authenticated as the legitimate subscriber. There are common scenarios that result in authentication false negatives, including:
- Identity spoofing with stolen credentials (e.g. key logging, phishing, etc.)
- Device spoofing using a secret key stolen from one device (e.g. side-channel attacks against the TEE/TrustZone)
- Social engineering (e.g. password reset by guessing security questions)
- Fraudulent enrollment of a companion device (e.g. fraudulent access to corporate email via a mobile device)
Device identity is an effective way to protect credentials that can be stolen, guessed or fraudulently reset to a new value. When device identity is used in combination with contextual authentication (location, IP address, etc.) and behavioral analytics, it provides a powerful, flexible way to bind an authenticator to a user in real time. This continuous real-time validation of the user/authenticator bind prevents authentication false positives and authentication false negatives. In the interests of broader understanding and uniform best practices, the NIST should provide rational justification for its claim that device identity and geolocation do not enhance the assurance level.
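The following is an added illustration of the argument above; it is not code from the post or from NIST. It models a risk-based verifier that combines a deterministic device binding (the device identifier enrolled for the subscriber) with two contextual signals, IP geolocation and a typing-cadence behavioral analytic, and contrasts it with a credential-plus-geolocation baseline. The field names, scoring weights, thresholds and sample subscriber are all constructed for the example. The point it makes concrete is the one the section argues: a bound device lets a traveling subscriber through (no false positive), while a replayed password from an unrecognized device is stepped up or denied even when it arrives from the subscriber's usual country (no false negative).

```python
"""Risk-based authentication decision combining device identity, geolocation
and a behavioral signal. Added example; weights, field names and sample data
are constructed for illustration and are not drawn from NIST SP 800-63."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # the presented credential is accepted as-is
    STEP_UP = "step_up"    # require an additional authenticator before access
    DENY = "deny"


@dataclass(frozen=True)
class SubscriberProfile:
    username: str
    enrolled_devices: frozenset   # device identifiers bound at enrollment
    usual_countries: frozenset    # countries seen in prior successful logins
    typing_cadence_ms: float      # baseline inter-keystroke interval


@dataclass(frozen=True)
class AuthAttempt:
    username: str
    credential_valid: bool   # result of the memorized-secret check, done elsewhere
    device_id: str           # identifier asserted by the client device
    country: str             # from IP geolocation
    typing_cadence_ms: float # observed inter-keystroke interval


# Constructed weights (assumption): an unrecognized device is the dominant
# signal; contextual anomalies on a bound device carry less weight than on an
# unknown one, which is what keeps a traveling subscriber from being rejected.
UNENROLLED_DEVICE = 50
COUNTRY_ANOMALY = {"enrolled": 15, "unenrolled": 30}
CADENCE_ANOMALY = {"enrolled": 15, "unenrolled": 20}
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def cadence_is_anomalous(observed: float, baseline: float, tolerance: float = 0.4) -> bool:
    """Behavioral check: flag a cadence more than `tolerance` away from baseline."""
    return abs(observed - baseline) > tolerance * baseline


def risk_score(attempt: AuthAttempt, profile: SubscriberProfile) -> int:
    """Fold device binding, geolocation and behavior into a single score."""
    bound = attempt.device_id in profile.enrolled_devices
    key = "enrolled" if bound else "unenrolled"
    score = 0 if bound else UNENROLLED_DEVICE
    if attempt.country not in profile.usual_countries:
        score += COUNTRY_ANOMALY[key]
    if cadence_is_anomalous(attempt.typing_cadence_ms, profile.typing_cadence_ms):
        score += CADENCE_ANOMALY[key]
    return score


def risk_based_decision(attempt: AuthAttempt, profile: SubscriberProfile) -> Decision:
    """Credential check first; then the contextual score decides allow/step-up/deny."""
    if attempt.username != profile.username or not attempt.credential_valid:
        return Decision.DENY
    score = risk_score(attempt, profile)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP
    return Decision.ALLOW


def geo_only_decision(attempt: AuthAttempt, profile: SubscriberProfile) -> Decision:
    """Baseline for comparison: credential plus geolocation, no device identity."""
    if attempt.username != profile.username or not attempt.credential_valid:
        return Decision.DENY
    if attempt.country not in profile.usual_countries:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample subscriber and login attempts.
ALICE = SubscriberProfile("alice", frozenset({"dev-laptop-7f3a"}), frozenset({"US"}), 180.0)

LEGIT_HOME = AuthAttempt("alice", True, "dev-laptop-7f3a", "US", 175.0)
LEGIT_TRAVELING = AuthAttempt("alice", True, "dev-laptop-7f3a", "DE", 185.0)
# Correct password presented from an unrecognized machine in the usual country.
STOLEN_CREDS_LOCAL = AuthAttempt("alice", True, "dev-unknown-0001", "US", 95.0)
# Correct password presented from an unrecognized machine abroad.
STOLEN_CREDS_ABROAD = AuthAttempt("alice", True, "dev-unknown-0002", "RU", 95.0)
# Legitimate subscriber on a new, not yet enrolled, device.
NEW_DEVICE = AuthAttempt("alice", True, "dev-phone-new", "US", 182.0)

SCENARIOS = [
    ("legit, bound device, home", LEGIT_HOME),
    ("legit, bound device, traveling", LEGIT_TRAVELING),
    ("stolen creds, unknown device, home country", STOLEN_CREDS_LOCAL),
    ("stolen creds, unknown device, abroad", STOLEN_CREDS_ABROAD),
    ("legit, new unenrolled device", NEW_DEVICE),
]

if __name__ == "__main__":
    for label, attempt in SCENARIOS:
        print(f"{label:45} geo-only={geo_only_decision(attempt, ALICE).value:8} "
              f"risk-based={risk_based_decision(attempt, ALICE).value}")
```

Running the script side by side shows the two failure modes the section names: the geolocation-only verifier steps up the traveling subscriber on a bound device (a false positive) and allows the replayed password from an unrecognized device in the home country (a false negative), while the device-aware score allows the first and denies the second. The weights are deliberately simple; a deployed verifier would derive them from measured fraud rates rather than fixed constants.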
Risk-based mechanisms enhance identity assurance
In-person identity proofing is expensive and is not practical for many scenarios. For remote identity proofing, device identity and contextual factors, such as geolocation, are an effective approach to increasing confidence in the identity of the claimant. Yet there is no mention in the NIST guidelines that risk-based mechanisms increase identity assurance level (IAL). However, Section 4.2 of 800-63A does include geolocation and device characteristics in the requirements section:
- The CSP SHOULD obtain additional confidence in remote identity proofing using fraud mitigation measures, for example inspecting geo-location, examining the device characteristics of the applicant, evaluating behavioral characteristics.
If risk-based approaches, such as geo-location, device characteristics and others, enable the Credential Service Provider (CSP) to obtain additional identity confidence, then the document should include an explicit acknowledgement that risk-based approaches increase the IAL.
The NIST is moving in the right direction, but more work is required to make its Digital Identity Guidelines sufficiently robust for the messiness of the real world. In scenarios where embedded authenticators are available, they are single points of failure that can be bypassed by theft, hijacking or cloning. Future NIST documents on authentication should reflect the reality that risk-based mechanisms (e.g. device identity, contextual authentication, behavioral analytics) provide CSPs and relying parties with higher levels of assurance in the digital identities of their subscribers.