NIST revises electronic authentication guideline, releases for public comment


The National Institute of Standards and Technology has updated the registration and issuance processes section of its Electronic Authentication Guideline, according to a revised NIST draft (.pdf).

The document, which will supersede NIST Special Publication 800-63-1, provides technical guidelines for federal agencies implementing electronic authentication, and defines requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, and authentication protocols. Its recommendations cover remote authentication of users, such as employees, contractors or private individuals who interact with government IT systems over open networks.

"The substantive changes in the revised draft are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for level 3 remote registration," NIST states.

Level 3 provides multi-factor remote network authentication. At least two authentication factors are required for Level 3. At this level, identity proofing procedures also require verification of identifying materials and information. At Level 4, only in-person registration is permitted.

"Other changes to section 5 are minor explanations and clarifications," says NIST.

New or revised text is highlighted in the draft to make it easier to review, according to NIST. Public comments on the revised draft will be accepted until March 4.
