White paper: Bridge to Passwordless best practices
After a year of review, the National Institute for Science and Technology (NIST) today released version 3 of its latest digital identity guidelines, outlining a number of updates that play to the multi-protocol functionality of the YubiKey.
NIST Special Publication 800-63 Revision 3 covers guidelines on identity proofing and authentication of users (such as employees, contractors, private individuals, and commercial entities) working with government IT systems over open networks. These guidelines are used as part of the risk assessment and implementation of federal agencies’ digital services.
There are three notable changes outlined in the document: the separation of identity assurance from authenticator assurance, the deprecation of short message service (SMS) as one-time password (OTP) authentication, and the recognition of technologies like FIDO U2F within the highest level — Authenticator Assurance Level 3 (AAL3).
The first major change we want to highlight is the decoupling of user identity assurance from the strength of the authentication method used. This enables organizations to make quantifiable security improvements by offering alternative feature-compatible devices that act like a smart card, or providing FIDO authentication for all users. The previous model had the unintended consequence of lowering the authentication security for users where the identity proofing was not needed at Identity Assurance Level 3 (IAL3). In this new model (see table 6-2, Acceptable Combinations of IAL and AAL in section 6.4), a higher Authenticator Assurance Level can be paired with a lower Identity Assurance Level to meet an acceptable combination.
Another change worth noting is NIST’s update on the framework for quantifying authenticator security, particularly for guidance on using SMS as a form of OTP authentication. In July 2016, NIST put out a blog deprecating the process for delivering an OTP over SMS. This position is bolstered by the updated classification of authenticators allowing OTP to be used in lower-security systems. Additionally, the YubiKey’s OTP capabilities do not fall under NIST’s deprecation of SMS/OTP out-of-band authenticators.
Lastly, the guidelines recognize technologies like FIDO U2F at AAL3. This opens the door for FIDO U2F and classifies the protocol as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. With FIDO U2F’s ease of use and quick deployments, the number of services implementing FIDO U2F integrations is steadily growing. Federal agencies now have more options to deploy strong authentication for cloud applications.
The YubiKey meets all these tenets in its versatility and flexibility as a multi-protocol authentication device that combines three of the permitted authenticator types in one physical device.
Single-factor OTP device = OTP
- The YubiKey spans various OTP capabilities, including Yubico OTP, HOTP, TOTP, and communicates via the HID keyboard interface. This allows the OTP protocol to work across all OS/Environments that support USB keyboards.
Single-factor cryptographic device = FIDO U2F
- Developed by Yubico and Google, FIDO U2F is the newest protocol supported by the YubiKey. This protocol allows the YubiKey to work securely and instantly with hundreds of applications, and with no secrets shared across separate services.
Multi-factor cryptographic device = Smart card / PIV-compatible / OpenPGP
- The YubiKey identifies itself as a smart-card reader with a smart card plugged in, and will work with most common smart-card drivers.
“While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities,” said Paul Grassi, one of the 800-63 authors, in a blog post. “Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats.” He added, “Over time, NIST wants the [guidelines] to be adaptive to innovations in the market so anyone, public or private, can better serve their users.”
We celebrate this historic release of NIST SP 800-63-3, as it ushers in a bright future for the YubiKey, FIDO U2F, and federal agencies here in the US and abroad. With this latest revision, the overwhelming response of over 1,400 contributor submissions from within and outside the US validates NIST SP 800-63-3 as a leading resource for global digital identity.