NIST’s final digital identity guidance could open door for new tech in government

The National Institute of Standards and Technology’s recently finalized digital identity guidelines wrap up nearly four years of work, expanding the guidance to cover a range of new technologies and paving the way for government adoption.
“We’re definitely opening the door for federal agencies to take advantage of new technologies that are starting to emerge,” said Ryan Galluzzo, the digital identity program lead for NIST’s Applied Cybersecurity Division. That includes incorporating things that have already been adopted in the commercial space, he added.
New tech accounted for in the final Revision 4 guidance includes best practices for mobile driver’s licenses, passkeys, account recovery methods, and the threat of deepfakes. While agencies could technically explore new identity technologies on their own and assume the risk themselves, the new guidance gives them a clear framework for doing so, Galluzzo explained.
“It’s a bit of an empowerer to make sure that we are covering these technologies within the guidelines and giving people the right kind of direction to be able to take advantage of new innovations within the space,” he said.
NIST’s initial call for comments on an update to its 2017 digital identity guidance came in 2020, around the time that COVID-19 was spreading across the globe and forcing many sectors to transition to remote forms of work. That, in itself, impacted the guidance, Galluzzo said.
The ecosystem “learned from the pretty rapid transition of systems from manual to digital in order to deal with the changes that were occurring during the pandemic that really exposed a lot of things that we needed to focus on from an identity perspective,” he said.
One area where pandemic lessons played a role was the guidance’s emphasis on digital identity as a “team sport,” Galluzzo said. Digital identity teams had, in the past, operated in their own worlds, but the guidance reflects the importance of involving more teams in risk management and making sure they understand how it supports the goals of their organization, he said.
The first draft came in 2022, capturing feedback from nearly 4,000 comments from 140 organizations. And eventually, in 2024, a second public draft was published, including additional detail for things like passkeys — known as syncable authenticators — and digital wallets.
Given how substantial the changes in that second draft were, NIST wanted to again open it for public comment. During that period, it received about 2,000 comments, which ultimately led to changes in the final draft announced Aug. 1.
One complicating factor during the process of updating the guidelines was adapting to advances in technologies happening even within the past year, Galluzzo said. While things like mobile driver’s licenses and verifiable credentials existed at the time of the initial public draft, the underlying specifications and protocols were still evolving, even after the second public draft was released, he said.
As a result, Galluzzo said, NIST has spent the past year working to account for both the feedback and the changes in the technologies themselves.
Final additions
Since the second public draft, the final guidance has several key additions, including a new section on “injection attacks.”
The draft guidance had already accounted for presentation attacks, in which someone wears a mask or holds up a picture of another person in front of a camera, but it had not addressed a newer form of attack in which deepfakes are injected directly into the communication channel, Galluzzo said. A new section covers controls for those attacks.
The final guidance also addresses feedback NIST received on the account recovery process and provides a complete “revamp” of that section, he said. Account recovery covers “forgot my password” flows and the loss of a multifactor authenticator, and is one of the most commonly attacked vectors.
While the draft addressed account recovery, the new version aims to be more descriptive and provide more options for people, Galluzzo said. For example, NIST looked at a few approaches from industry and included a concept of a recovery contact — or someone else designated to receive a user’s information.
“We really had to try and come up with some new techniques and approaches that can allow organizations to have more confidence and security in the processes for recovering accounts,” he said.
Finally, the new guidance includes more information related to customer experience — in other words, making sure whatever is deployed is actually usable for its intended population, Galluzzo said.
“You can create the most secure system in the world, and if no one has the know-how, technology, or capabilities to use that system, it’s useless,” he said.
An example of bad customer experience might be telling people who don’t have smartphones that the only authentication option they have is a passkey, Galluzzo explained. “It makes it much, much harder for them to actually use that kind of technology.”
While the guidance is a milestone for the NIST efforts, Galluzzo said the agency isn’t done. The Department of Commerce agency is working on implementation resources and is looking to continue having conversations with organizations and agencies about what would be most helpful.