The FIDO Alliance has weighed in on the NIST’s upcoming revision of its Digital Identity Guidelines. The NIST put out a call for comments back in June, and indicated that the feedback it received would help it construct the next version of the guidelines, SP 800-63-4.
In its comments, the Alliance focused primarily on authentication, which is to be expected given FIDO’s role in establishing passwordless security standards. The organization took particular issue with current Authenticator Assurance Level (AAL) classifications, which place authentication methods that leverage shared secrets (including OTP apps and tokens) on the same AAL2 tier as FIDO solutions with asymmetric public key cryptography.
The problem, according to FIDO, is that cybercriminals have found reliable ways to beat shared secrets, which simply do not provide the same level of security as FIDO authentication. However, grouping them with FIDO methods makes it seem as if they are equivalent, and that could instil a false sense of confidence in those who still rely on some form of shared secret for their security. FIDO consequently advises the NIST to update its classification to reflect the fact that FIDO security is stronger than the alternatives.
FIDO’s other recommendations concern its working relationship with the NIST. In its comments, FIDO notes that most major browser vendors no longer support token binding. Unfortunately, the SP 800-63-3 Guidelines require FIDO authenticators to use token binding in order to meet the AAL3 standard. With that in mind, the Alliance is hoping to consult with the NIST to create a more modern pathway towards AAL3 compliance.
FIDO also asked the NIST to make more explicit references to FIDO standards, especially when discussing technologies like OTP and PKI. The organization is hoping that the references will clear up some confusion for those who may not understand how they can use FIDO tech to meet certain NIST security requirements.
The NIST recently scheduled its International Face Performance Conference for October. Earlier this year, FIDO unveiled a new I-Mark symbol that will make it easier to differentiate FIDO-certified security products from their competitors.