Thursday, September 21, 2023


NIST Biometric Authentication Accuracy

NIST Biometric Authentication Accuracy Bar Rises.


NIST biometric authentication accuracy – Biometrics performance requirements have been upgraded and identity assurance levels revised in the latest draft update to the U.S. National Institute of Standards and Technology’s Digital Identity Guidelines, which has been subject to significant input from government and the private sector.

The changes to biometrics guidelines include more stringent accuracy requirements for authentication, to align with other standards advanced since the previous version was finalized in 2017. Biometric performance requirements have been revised, with mandated false match rates strengthened from 1 in 1000 to 1 in 10,000. This better aligns with the FIDO Alliance’s Biometric Certification Program standards.

New biometric requirements for ID proofing have been added that are specific to the identity proofing context, as opposed to those in volume B. Performance, testing, consent and privacy requirements for facial recognition have been integrated into the guidance. NIST is also still considering alternative non-biometric options for identity proofing.

The concept of digital evidence has been introduced, and the trusted referee system has been generally updated and is now mandated at the system level. A component identity proofing service can provide it, but the system must have a trusted referee, per NIST guidelines.


A revamp to the risk management approach makes it more process-oriented, and there’s an amended process for assurance level selection, which also now includes tailoring. The update supports additional deployment options, including federation, adds a section on continuous system evaluation and improvement, and emphasizes a multi-disciplinary approach to risk assessment and management. There are also considerations for risk assessments for individuals and communities.

In the new digital identity model, NIST refers to the “subject” of revision 3 as the “holder” of an ID, to better align with current industry terminology. The “credential service provider” becomes the “issuer,” and “relying parties” are “verifiers,” which includes those doing the verifying and those who use the verified information.

NIST is also planning further consultations to provide guidance on equity within the Base Volume, while risk scoring metrics may be introduced.

Phishing resistance is defined; a restriction on cloning cryptographic authenticators is removed, so organizations can sync keys; and ineffective techniques around passwords, like expirations and complexity requirements, have been removed.

Like the identity assurance levels, federation assurance levels 1, 2 and 3 have been updated to make them clearer, and to include protection against injection attacks. Trust frameworks have been built into the guidance, and the responsibilities of different parties in trust agreements defined. Provisioning and identity APIs are considered in the revision.

There’s also a section dedicated to new identity credentials, like the W3C’s verifiable credentials and mobile driver’s licenses. Finalized new versions are slated for publication next year.

Push authentication requirements have evolved, but SMS remains in the guidance as a multifactor authentication tool.
