The program within the National Institute of Standards and Technology aiming to make passwords obsolete has released a draft document that proposes a “major transformation” in digital authentication.
The National Strategy for Trusted Identities in Cyberspace, or NSTIC, program released Sunday a public preview of its draft authentication guidelines — NIST Special Publication 800-63-3 — which establishes how individuals authenticate their identity online to a federal digital service.
Think of it as proving to the U.S. government who you really are, on the Internet.
The draft documents make a number of changes, including removing a level from the guidance’s Level of Assurance model, establishing tighter rules for knowledge-based verification, or KBV, and issuing directives around the weakness of passwords.
The guide is broken down into three sections, covering identity proofing, authentication and lifecycle management and technical guidelines for setting up remote authentication.
It also establishes that passwords must be at least eight characters in length if chosen by a user or six characters if they are randomly generated by a service that issues credentials. However, the guide presses credential providers to allow for passwords at least 64 characters long, which would accommodate a move toward passphrases.
An attached appendix further explains the agency’s line of thinking, recommending that those responsible for establishing a minimum password length should address it based on the risk assessment attached to the system. Basically, the longer the password, the better — especially as, once encrypted, the length doesn’t affect the amount of data space required to store it.
“Users should be encouraged to make their passwords as lengthy as they want,” the guide reads. “Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes.”
On the topic of KBV — where users prove who they are by selecting addresses where they’ve lived, bank accounts they’ve used, or cars they’ve driven — the guide calls for the process to be “limited to specific portions of the identity proofing process and never sufficient on its own.” Critics have derided the method as easy to spoof in an online world when so many details of a users past life can easily be scraped from the Internet. If KBV is to be used, the guide calls for a minimum of four questions each with no more than three attempts allowed to complete the question.
The term “token” has also been replaced by “authenticator,” defined as something that the claimant possesses and controls in order to establish identity. NIST is moving away from “token” due to confusion over its many other definitions outside of identity management.
“It’s ‘authenticator’ now, since ‘token’ has plenty of other definitions and uses in the real world,” a blog post on NSTIC’s website reads. “It just didn’t make sense to stick with it.”
In addition to the guide itself, NIST is also changing the way it solicits feedback on the document. The guidance has been posted on GitHub, where the public can comment and the authors will continually make edits continually over the summer.
“In this public preview, we’re focused on getting the technical content right,” the blog post reads. “So you’ll probably find an uncrossed ‘t’ and dot-less ‘i’ here and there. We ask that you focus your suggestions in this phase on the substantive (think technical and procedural requirements).”
After the summer iteration, NIST will hold a more traditional 30- or 60-day public comment period along with their GitHub repository.
You can find the full guide here.
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.