How NIST and eIDAS revisions are shaping the future of e-identification

Sebastian Elfors

Sebastian Elfors

4 minute read

This blog is co-authored by John Fontana, Standards Analyst at Yubico. 

On both sides of the Atlantic, standards and regulations on electronic identification are being revised more or less simultaneously. In the United States, the National Institute of Standards and Technology (NIST) accepted public comments on its SP 800-63-3 Digital Identity Guidelines last month, which is on track for a scheduled revision in 2022. In the European Union, the eIDAS regulation is also up for review. 

As an active member in the FIDO Alliance, W3C, Better Identity Coalition, and OpenID Foundation, Yubico was invited to provide input on both the NIST and eIDAS revisions. While this takes place on a predetermined schedule, our feedback was heavily influenced by our learnings and observations from the COVID-19 pandemic and the influx of remote work. This shaped a majority of our recommendations, which were focused on improving guidance on strong authentication and remote identity proofing. 

NIST SP 800 63-3 

NIST last revised its Digital Identity Guidelines in June 2017 just as multi-factor authentication (MFA) entered a robust innovation cycle led by FIDO protocols. The latest revision intends to evaluate recent improvements to authentication standards and technologies (WebAuthn), and other new identity and access management innovations. 

Last month, Yubico submitted comments and suggestions that ensure stronger identity assurance and authentication, and address the need to eliminate persistent vulnerabilities in aging authentication technologies such as SMS and OTP. 

  • We asked that the updated guidelines address modern attack vectors, and re-classify grading systems to recognize credential phishing resistance as a distinct and important advancement in modern hardware authenticators that are needed to close security holes.
  • We also suggested NIST recognize and classify new identity proofing and binding techniques for strong remote identification systems. Additionally, we recommended guidance around a combination of technologies that support authenticated and protected communication channels for security techniques such as verifier impersonation resistance. 
  • Lastly, we pointed out that the previous NIST Digital Identity Guideline revisions showed an affinity for hardware-backed, web-based strong authentication as defined by FIDO and WebAuthn. We emphasized that this innovation must continue in the 800-63-4 revision. 

eIDAS

In Europe, eIDAS (EU regulation 910/2014), is subject for revision and open for feedback to a public consultation. The EU Commission proposed three new options for the revised eIDAS regulation, and Yubico submitted feedback accordingly:

  • Option 1 would revise and complement the existing eIDAS framework. In this scenario, our recommendation is that eIDAS should specify well-defined rules for remote identity proofing, be harmonized with the EU Cybersecurity Act, require phishing resistance, reuse pre-approved eID products for notification, allow for backup eID schemes during disasters, and make the ‘High’ level of assurance mandatory for access to Qualified Trust Service Providers.
  • Option 2 would extend the scope of eID schemes to the private sector. We are positive to this initiative, since existing identity providers would extend the reach of notified eID schemes, which could also be aligned with the PSD2 requirements on financial transactions. The eID approval process and the architecture of eIDAS-Nodes would however have to be adjusted for private identity providers.
  • Option 3 would introduce a European Digital Identity scheme (EUid). Instead of a pan-European EUid, we believe that federated solutions would allow for better international interoperability, higher scalability, and be based on modern technology.

Yubico’s complete response to the eIDAS inception impact assessment can be found at the EU Commission portal. In addition to our eIDAS contributions, Yubico also provided feedback to promote remote identity proofing for ETSI TS 119 461, the European Telecommunications Standards Institute’s (ETSI) new standard on identity proofing. 

Fortunately, the development of legislation and standards for electronic identification continues to progress in the US and EU with consistent input from leading security and identity experts across the globe. As we account for evolving threat landscapes and innovative technologies that offer the best combination of security and usability, we can collectively continue to serve and protect governmental agencies, the private sector, and citizens even better in the future.

To learn how the YubiKey can be used for national electronic ID-card projects and eIDAS-compliant eID schemes, such as the National Digitalisation Programme at the Faroe Islands, read more here

To learn how the YubiKey FIPS Series can enable government agencies and regulated industries to meet the highest authenticator assurance level 3 requirements from the NIST SP 800-63 guidance, read more here

, ,
Talk to our teamTalk to our team

Share this article:
  • Introducing new features for Yubico Authenticator for iOSWe’re excited to share the new features now available for Yubico Authenticator for iOS in the latest app update on the App Store. Many of these improvements aim to address frequently requested features from our customers, while providing additional new functionalities for a seamless authentication experience on iOS.  With increased interest in going passwordless and […]Read moreiOSYubico Authenticator
  • Platform independent digital identity for all Many are understandably concerned that the great invention called the Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability […]Read moreDigital IdentityEUDIFounderStina Ehrensvard
  • Q&A with Yubico’s CEO: Our move to the main Nasdaq market in StockholmAs 2024 draws to a close, it’s the perfect time to reflect on the incredible journey we’ve had this year and how it has shaped where we stand today as a company. To mark this moment, I sat down with our CEO, Mattias Danielsson, to look back on the milestones and achievements of 2024—culminating in […]Read moreCEOMattias Danielsson
  • Exploring DORA: A look at the next major EU mandateFinancial institutions have historically managed operational risk using capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must also soon follow new rules. These new rules focus on the protection, detection, containment, and the […]Read moreDORAEU