
E-Authentication

Summary:

Application developers are faced with a choice of electronic authentication mechanisms based on a wide variety of technologies, including passwords, biometrics, and physical tokens, to perform local or remote authentication. NIST SP 800-63 Electronic Authentication Guidance is internationally recognized as the definitive reference for secret-based mechanisms for authentication of users over the Internet. NIST continues to develop and enhance authentication guidance to encompass new environments, such as physical access, and new authentication technologies, such as knowledge based authentication.

Description:


Password Guidance

Passwords are still the prevalent mechanism for authenticating the identity of users. The most current guidance for password mechanisms may be found in SP 800-63: Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology (April 2006 [V 1.0.2]). This guidance is oriented to remote authentication; more general guidance is planned to replace the recently withdrawn FIPS 112: Password Usage (May 1985).


Draft SP 800-63 Revision 1: E-Authentication Guideline is available for a third public comment period. It supplements OMB guidance by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision.

Note that this document may inform, but is not intended to constrict or constrain, the development or use of standards for implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). NIST SP 800-63 is specifically designated as a guideline for use by Federal agencies for electronic authentication. NSTIC, in contrast, has a broader charge: the creation of an Identity Ecosystem, "an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities." While NIST SP 800-63 may be a starting point for discussion on NSTIC, decisions on approaches to e-authentication in the Identity Ecosystem will be developed through a separate path. For more information, please see http://www.nist.gov/nstic/.

Comments on the third draft of 800-63-1 will be accepted through July 29, 2011, and must be in the format provided in the Comment Template. Please submit comments to eauth-comments@nist.gov.

End Date:

ongoing

Lead Organizational Unit:

ITL

Contact:

Elaine Newton
301-975-2532

Ray Perlner
301-975-3357

100 Bureau Drive, MS 8930
Gaithersburg, MD 20899-8930