Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

NIST Guidelines Require Second Authentication Factor When Using Biometrics

February 15, 2017

On January 30, the National Institute of Standards and Technology (NIST) released a public draft of new Digital Identity Guidelines. Described as "a significant update from past revisions," the new guidelines reflect evolving industry innovation and more advanced threats since the publication of the Electronic Authentication Guideline in August 2013.

As reported by InfoQ, one of the motivations for revising the guidelines was an Executive Order issued by President Obama in October 2014, requiring "…that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate."

The guidelines describe acceptable use of multi-factor authentication (MFA), which combines something you know (e.g., a password), something you have (e.g., a cryptographic key) and/or something you are (biometric data). Furthermore, when biometric data is used as one authentication factor, it must be combined with something you have.

The guidelines are available for a public comment period until March 31, 2017. NIST is utilizing a GitHub repo for editor collaboration and public comment. The full text of the guidelines and instructions for commenting are available here.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson