FIDO Calls for More Clarity in NIST Comments

The FIDO Alliance has weighed in on the NIST’s upcoming revisions to its Digital Identity Guidelines. The NIST put out a call for comments back in June, and indicated that the feedback it received would help it construct its Digital Identity Guideline version SP 800-63-4.

In its comments, the Alliance focused primarily on authentication, which is to be expected given FIDO’s role in establishing passwordless security standards. The organization took particular issue with current Authenticator Assurance Level (AAL) classifications, which place authentication methods that leverage shared secrets (including OTP apps and tokens) on the same AAL2 tier as FIDO solutions with asymmetric public key cryptography.

The problem, according to FIDO, is that cybercriminals have found reliable ways to beat shared secrets, which simply do not provide the same level of security as FIDO authentication. However, grouping them with FIDO methods makes it seem as if they are equivalent, and that could instil a false sense of confidence in those who still rely on some form of shared secret for their security. FIDO consequently advises the NIST to update its classification to reflect the fact that FIDO security is stronger than the alternatives.

FIDO’s other recommendations concern its working relationship with the NIST. In its comments, FIDO notes that most major browser vendors no longer support token binding. Unfortunately, the SP 800-63-3 Guidelines require FIDO authenticators to use Token Binding in order to meet the AAL3 standard. With that in mind, the Alliance is hoping to consult with the NIST to create a more modern pathway towards AAL3 compliance.

FIDO also asked the NIST to make more explicit references to FIDO standards, especially when discussing technologies like OTP and PKI. The organization is hoping that the references will clear up some confusion for those who may not understand how they can use FIDO tech to meet certain NIST security requirements.

The NIST recently scheduled its International Face Performance Conference for October. Earlier this year, FIDO unveiled a new I-Mark symbol that will make it easier to differentiate FIDO-certified security products from their competitors.

Partners

FaceTec’s patented, industry-leading 3D Face Verification and Reverification software anchors digital identity, creating a chain of trust from user onboarding to ongoing authentication on all modern smart devices and webcams. FaceTec’s 3D FaceMaps™ finally make trusted, remote identity verification possible. As the only technology backed by a persistent spoof bounty program and NIST/iBeta Certified Liveness Detection, FaceTec is the global standard for 3D Liveness and Face Matching with millions of users on six continents in financial services, border security, transportation, blockchain, e-voting, social networks, online dating and more. www.facetec.com

The Biometric Digital Identity Prism is a market landscape framework designed to help influencers and decision makers understand, innovate, and implement digital identity technologies and solutions. This innovative framework for understanding and evaluating the rapidly evolving biometric digital identity marketplace is the only market model that is truly biometric-centric based on the foundational conviction that in the age of digital transformation the only true, reliable link between humans and their digital data is biometrics. https://www.the-prism-project.com

Mobile ID World is here to bring you the latest in mobile authentication solutions and application providers. Our company is dedicated to providing users with the best content and cutting edge information on technology, news, and mobile solutions for your mobile identity management needs. https://mobileidworld.com

ID R&D combines extensive R&D capabilities with advances in AI to deliver superior biometrics and liveness detection software. Our products work across mobile, web, and telephone channels, as well as conversational interfaces, IoT devices, and embedded hardware to improve security and significantly reduce friction in the user experience. https://www.idrnd.ai

AuthenticID’s disruptive and cutting-edge, AI-driven solution quickly, accurately, and securely reproduces real-world identity verification so that companies can be assured of who they are conducting business with, strengthen underwriting, reduce the losses associated with fraud, and streamline onerous customer onboarding procedures, leading to higher conversion rates. https://www.authenticid.com/

Identity Week aims to be a significant identity industry catalyst. It’s our mission is to help accelerate the move towards a world where trusted identity solutions enable governments and commercial organisations to provide citizens, employees, customers and consumers with a multitude of opportunities to transact in a seamless, yet secure manner. All the while preventing the efforts of those intent on doing harm. https://identityweek.net/

Related News & Articles

Footer

Follow Us