NIST looks to transform federal authentication

The National Institute of Standards and Technology is planning "transformational" changes to its technical guidelines for digital authentication.

That password you use? Even if it includes uppercase and lowercase letters, special characters and numbers, it's probably obsolete under new guidance for federal system authentication.

In four documents posted to GitHub, the National Institute of Standards and Technology offers what it says are dramatic changes to its guidelines for federal agencies' digital authentication practices.

NIST is renovating the approach to identity proofing to more closely support current Office of Management and Budget guidance. NIST said its guidelines are aimed at helping agencies choose the proper digital authentication technologies. That approach includes separating individual elements of identity assurance into discrete, component parts.

Under NIST's scheme, individuals would establish their identity through what's called identity assurance and prove their credentials to access a given system through authenticator assurance -- possibly a chipped and encrypted identity card.

The documents also state that passwords could be entirely numeric. NIST's experts say a mix of character types in passwords (such as at least one digit, uppercase letter and symbol) "is not nearly as significant as initially thought, although the impact on usability and memorability is severe."

Instead, NIST recommends that user-chosen passwords be compared against a list of unacceptable passwords. That list should include passwords from previous breaches, dictionary words and specific words (such as the name of the service itself) that users are likely to choose.
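A minimal version of the blocklist check described above, written as an added example and not code from NIST or the draft documents: the breach and dictionary lists, the service name and the 8-character minimum are constructed placeholders, and stripping trailing digits or symbols before comparison is an assumption that goes slightly beyond the text.

```python
import re

# Constructed sample lists. A real deployment would load a breach corpus of
# millions of entries and a full dictionary from disk rather than inline sets.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "12345678"}
DICTIONARY = {"sunshine", "dragon", "baseball", "monkey", "welcome"}
SERVICE_NAME = "Example Agency Portal"  # hypothetical service name
MIN_LENGTH = 8  # assumed minimum; the article gives no figure


def normalize(candidate: str) -> set[str]:
    """Forms of the candidate to compare: lowercased, and with trailing
    digits/symbols removed so that 'Dragon99!' still matches 'dragon'."""
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, stripped} - {""}


def service_words(service_name: str) -> set[str]:
    """Context-specific words users are likely to pick: the service name's
    words, the name run together, and its initials."""
    words = service_name.lower().split()
    return set(words) | {"".join(words), "".join(w[0] for w in words)}


def check_password(candidate: str, service_name: str = SERVICE_NAME) -> tuple[bool, str]:
    """Blocklist-style acceptance check. No composition rule is applied
    (an all-numeric password is fine); the candidate is rejected only if
    it is too short or matches the breach, dictionary or context lists.
    Returns (accepted, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    forms = normalize(candidate)
    if forms & BREACHED:
        return False, "found in breach list"
    if forms & DICTIONARY:
        return False, "dictionary word"
    if forms & service_words(service_name):
        return False, "contains service-specific word"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["87501923", "Dragon99!", "Password1", "ExampleAgencyPortal", "short1"]:
        print(pw, "->", check_password(pw))
```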

Users also won't be able to have a password "hint" that is accessible to unauthenticated personnel, and the verification process shouldn't use specific types of personal information as knowledge-based prompts. In other words, the typical "first pet" or "mother's maiden name" password prompt is out of bounds.

The guidelines said biometrics for authentication matching should be performed locally on a user's device or possibly by a central verifier, but biometrics must be used with another authentication factor that is revocable.

NIST said biometric systems used in those applications should have a tested equal error rate of 1 in 1,000 or better, with a false-match rate of 1 in 1,000 or better.