This is part two of a two-part series on the latest NIST guidelines. To read part one, check out our blog post here.
Over the past six months, three National Institute of Standards and Technology (NIST) draft guidelines were released that will change how federal agencies manage digital identity services, the authentication of users and the types of credentials that can be issued. These NIST Digital Identity guidelines include:
- The NIST Digital Identity Guidelines (NIST SP 800-63-4) draft, a revision designed to help strengthen digital identity assurance and authentication, recognizes shifts in both risk and emerging authentication models such as passkeys.
- The revised authentication guidance (800-63B-4) includes a re-working of authentication assurance levels (AALs), with each level building on the previous level’s requirements. AAL3 provides very high confidence that the claimant controls one or more authenticators bound to the subscriber account – in plain language, that the person authenticating can, by proof of possession, prove they are who they are claiming to be.
- Government agencies, already bound by the FIPS 140 standard, have until end of Fiscal Year 2024 to also adopt the exclusive use of phishing-resistant multi-factor authentication (MFA) for agency staff for compliance with Executive Order 14028 and Office of Management and Budget (OMB) Memo M-22-09. These two requirements mean that agencies must look for phishing-resistant authenticators that meet AAL2 standards, at minimum. Authenticators that involve any kind of manual entry (e.g. SMS, push notifications and OTP) do not meet the standards for phishing resistance.
These updates expand the use of derived PIV credentials to new form factors, PKI-based and non-PKI-based, and help support PIV identity outside the home agency. The guidelines come at a great time, with exciting new applications for PIV on the mobile device and against Azure AD. NIST isn’t making these changes in a vacuum, and there’s a growing recognition that phishing-resistant protocols such as FIDO2/WebAuthn are available to help agencies protect environments and support a broader range of modern applications and security.
To talk about what these new guidelines mean for federal agencies and how they can be compliant, I recently sat down with Joe Scalone, leading contributor to the FIDO2 standard and senior solutions architect here at Yubico.
How important is FIDO authentication to federal agencies?
New federal regulations, with their strong push towards zero-trust, require agencies to prioritize an identity-focused approach to security. Many federal agencies are moving towards the cloud to help modernize infrastructure; a combination of the existing PKI-based credentials and FIDO-based credentials can help ease that transition, all while still providing strong phishing-resistant authentication.
FIDO-based authentication can also be used in BYOAD programs, used for non-PIV eligible users and cloud services, expanding the footprint of high-assurance authentication and thereby increasing the digital security posture of the entire agency.
Which authentication methods meet the new guidelines?
Both PKI-based authentication (PIV/CAC cards) and FIDO-based authentication meet the requirements for hardware-bound phishing-resistant authentication at the AAL3 level.
Do FIDO Passkeys meet the new guidelines?
Passkeys is the new term that describes FIDO credentials. However, differences in implementation determine the applicable AAL level. All passkeys provide phishing-resistant authentication, but only hardware-bound passkeys, like the YubiKey, can meet the AAL3 requirement of ensuring the private key cannot be exported from the hardware device. Syncable passkeys, which allow the FIDO credential to be synced across devices, can meet the AAL2 requirements with a device PIN or biometrics used as the second factor.
Are there any other benefits agencies could see from using FIDO?
FIDO grants agencies the ability to deploy strong authenticators to non-PIV eligible users and allows for the development of self-service, web-based registration processes. FIDO allows for faster integration to applications, due to its reliance on the WebAuthn protocol. Additionally, the simplicity of FIDO’s design means lower overhead, in both financial and human terms.
What are the best practices for deploying FIDO within a smart card ecosystem?
The use of PKI and FIDO together allows agencies to utilize the best of both strong authentication methods. Agencies can implement FIDO solutions strategically to cloud and mobile-based applications, while continuing to utilize their existing PKI investment on traditional networks. With time, agencies can expand FIDO’s footprint to include other use cases, such as application login, computer logon and remote logon.
What investments are needed to support FIDO?
FIDO authentication is an essential part of a larger, flexible, phishing-resistant, Zero Trust identity platform. The federal government has the opportunity to partner with industry and develop a modern, scalable and defensible identity infrastructure that has the potential to become a security asset for years to come. Agencies need to research and understand how FIDO and PKI solutions complement each other to provide end-to-end phishing-resistant authentication.
What is the importance of AAL3 over AAL2 authenticator assurance levels for government agencies and business?
NIST requires the use of a hardware-based authenticator, such as the YubiKey, to meet the AAL3 requirements of proof of possession of a key via a cryptographic protocol to ensure private key material cannot be exfiltrated. Additionally, AAL3 requires the use of phishing-resistant authentication. AAL2 allows for a wide range of MFA approaches and does not require phishing-resistant based solutions to be used. Phishing-resistant MFA at AAL2 is encouraged but not required.
It is important to point out that though NIST defines the authentication level standards, agencies are responsible for deciding which authentication level they need to meet based on their risk assessments. EO14028 and OMB M-22-09 require that all agencies must be at least AAL2 for government use. OMB M-22-09 specifically requires the use of phishing-resistant authentication. AAL3 authenticators fulfill the high-impact security guidelines from NIST 800-53 risk assessment completed by all federal agencies and government contractors. Also, to reach FedRAMP High for cloud solutions, AAL3 authenticators are required.
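The distinction drawn in the interview between syncable and hardware-bound passkeys, and between AAL2 and AAL3, is visible to a relying party in the flags byte of the WebAuthn authenticator data. The following is an added example, not part of the interview and not Yubico or NIST code: the policy labels and the sample input are constructed for illustration, and a clear backup-eligible flag only makes a credential a candidate for AAL3, since attestation must still confirm the authenticator hardware.

```javascript
// Added example: flag bit positions follow the WebAuthn authenticator data layout.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (device PIN or biometric)
const FLAG_BE = 0x08; // backup eligible: the credential may be synced
const FLAG_BS = 0x10; // backup state: the credential is currently backed up

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: view.getUint32(33, false),
  };
  // A credential cannot be backed up unless it is backup eligible.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return parsed;
}

// Hypothetical relying-party policy (the labels are this example's, not NIST's).
function assuranceCeiling(parsed) {
  if (!parsed.userPresent) return "reject";
  if (!parsed.userVerified) return "single-factor";
  if (parsed.backupEligible) return "AAL2"; // syncable passkey
  return "AAL3-candidate"; // device-bound; attestation must still confirm hardware
}

// Constructed sample input: placeholder rpIdHash bytes, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37).fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(assuranceCeiling(parseAuthenticatorData(sampleAuthData(0x05, 7))));
console.log(assuranceCeiling(parseAuthenticatorData(sampleAuthData(0x1d, 0))));
```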
For additional information on NIST’s latest guidelines and what they mean for your organization, check out the first part of this two-part series here.