NIST embraces assertion-based remote e-authentication


An updated special publication from the National Institute of Standards and Technology on remote e-authentication includes more detail about identity assertions and permits protocols not included in the last version.

The special publication, 800-63-1, is the official document agencies must look to when implementing e-authentication technology for use across open networks such as the Internet.

According to NIST, the last iteration of the special publication, released in 2006, assumed that most agencies would handle themselves the business of issuing credentials and assigning attributes to users. But, since that time "an industry has grown around providing authentication services, and it is often in the best interest of agencies to take advantage of commercial systems or those of other government entities," NIST says in a release.

Assertion-based authentication, the revised publication says, permits single-sign on for multiple online services since once a user has verified himself to an identifier verification service, additional information about his level of access could be sent to other requesting parties without manual intervention. Assertions are statements about the user, including attribute information such as age or trustworthiness. Assertion-based authentication would support implementation of a federated identity for subscribers, it adds, under which a user centrally manages multiple online identities.

The publication also endorses Security Assertion Markup Language assertions and Kerberos Tickets as means for authentication.

Another change from the past version is a new onus for verifiers to safeguard shared secrets.

Publication authors say they've kept the emphasis on authentication through secret tokens and eschewed biometric authentication "because their security is often weak or difficult to quantify," especially in the remote logons that the document is meant to make more secure.

For more:
- download SP-800-63-1 (.pdf)

Related Articles:
VanRoekel: Government websites must accept externally-issued identity credentials
SSA online authentication implementation wanting, says OIG
Minibus makes science cuts; NSTIC survives