The IT Law Wiki
 
Latest revision as of 04:02, 19 February 2019

Citation

NIST, Digital Identity Guidelines (NIST Special Publication 800-63) (June 22, 2017) (full-text).

Overview

Digital identity is the online persona of a subject, and a single definition is widely debated internationally. The term persona is apropos as a subject can represent themselves online in many ways. An individual may have a digital identity for email, and another for personal finances. A personal laptop can be someone's streaming music server yet also be a worker-bot in a distributed network of computers performing complex genome calculations. Without context, it is difficult to land on a single definition that satisfies all.

Digital identity as a legal identity further complicates the definition and ability to use digital identities across a range of social and economic use cases. Digital identity is hard. Proving someone is who they say they are — especially remotely, via a digital service — is fraught with opportunities for an attacker to successfully impersonate someone. As correctly captured by Peter Steiner in The New Yorker, "On the internet, nobody knows you're a dog." These guidelines provide mitigations to the vulnerabilities inherent online, while recognizing and encouraging that when accessing some low-risk digital services, "being a dog" is just fine; while other, high-risk services need a level of confidence that the digital identity accessing the service is the legitimate proxy to the real-life subject.

For these guidelines, digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject's real-life identity is known.

Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject's digital identity. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as that which accessed the service previously. Digital identity presents a technical challenge because this process often involves proofing individuals over an open network, and always involves the authentication of individual subjects over an open network to access digital government services. The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.

These technical guidelines supersede NIST Special Publication 800-63-2. Agencies use these guidelines as part of the risk assessment and implementation of their digital service(s). These guidelines provide mitigations of an authentication error's negative impacts by separating the individual elements of identity assurance into discrete, component parts.

This set includes:

  • SP 800-63A Enrollment and Identity Proofing (full-text)
  • SP 800-63B Authentication and Lifecycle Management (full-text)
  • SP 800-63C Federation and Assertions (full-text).