This blog is co-authored by John Fontana, Standards Analyst at Yubico.
On both sides of the Atlantic, standards and regulations on electronic identification are being revised more or less simultaneously. In the United States, the National Institute of Standards and Technology (NIST) accepted public comments on its SP 800-63-3 Digital Identity Guidelines last month, which is on track for a scheduled revision in 2022. In the European Union, the eIDAS regulation is also up for review.
As an active member in the FIDO Alliance, W3C, Better Identity Coalition, and OpenID Foundation, Yubico was invited to provide input on both the NIST and eIDAS revisions. While this takes place on a predetermined schedule, our feedback was heavily influenced by our learnings and observations from the COVID-19 pandemic and the influx of remote work. This shaped a majority of our recommendations, which were focused on improving guidance on strong authentication and remote identity proofing.
NIST SP 800 63-3
NIST last revised its Digital Identity Guidelines in June 2017 just as multi-factor authentication (MFA) entered a robust innovation cycle led by FIDO protocols. The latest revision intends to evaluate recent improvements to authentication standards and technologies (WebAuthn), and other new identity and access management innovations.
Last month, Yubico submitted comments and suggestions that ensure stronger identity assurance and authentication, and address the need to eliminate persistent vulnerabilities in aging authentication technologies such as SMS and OTP.
- We asked that the updated guidelines address modern attack vectors, and re-classify grading systems to recognize credential phishing resistance as a distinct and important advancement in modern hardware authenticators that are needed to close security holes.
- We also suggested NIST recognize and classify new identity proofing and binding techniques for strong remote identification systems. Additionally, we recommended guidance around a combination of technologies that support authenticated and protected communication channels for security techniques such as verifier impersonation resistance.
- Lastly, we pointed out that the previous NIST Digital Identity Guideline revisions showed an affinity for hardware-backed, web-based strong authentication as defined by FIDO and WebAuthn. We emphasized that this innovation must continue in the 800-63-4 revision.
In Europe, eIDAS (EU regulation 910/2014), is subject for revision and open for feedback to a public consultation. The EU Commission proposed three new options for the revised eIDAS regulation, and Yubico submitted feedback accordingly:
- Option 1 would revise and complement the existing eIDAS framework. In this scenario, our recommendation is that eIDAS should specify well-defined rules for remote identity proofing, be harmonized with the EU Cybersecurity Act, require phishing resistance, reuse pre-approved eID products for notification, allow for backup eID schemes during disasters, and make the ‘High’ level of assurance mandatory for access to Qualified Trust Service Providers.
- Option 2 would extend the scope of eID schemes to the private sector. We are positive to this initiative, since existing identity providers would extend the reach of notified eID schemes, which could also be aligned with the PSD2 requirements on financial transactions. The eID approval process and the architecture of eIDAS-Nodes would however have to be adjusted for private identity providers.
- Option 3 would introduce a European Digital Identity scheme (EUid). Instead of a pan-European EUid, we believe that federated solutions would allow for better international interoperability, higher scalability, and be based on modern technology.
Yubico’s complete response to the eIDAS inception impact assessment can be found at the EU Commission portal. In addition to our eIDAS contributions, Yubico also provided feedback to promote remote identity proofing for ETSI TS 119 461, the European Telecommunications Standards Institute’s (ETSI) new standard on identity proofing.
Fortunately, the development of legislation and standards for electronic identification continues to progress in the US and EU with consistent input from leading security and identity experts across the globe. As we account for evolving threat landscapes and innovative technologies that offer the best combination of security and usability, we can collectively continue to serve and protect governmental agencies, the private sector, and citizens even better in the future.
To learn how the YubiKey FIPS Series can enable government agencies and regulated industries to meet the highest authenticator assurance level 3 requirements from the NIST SP 800-63 guidance, read more here.