Today, we’re releasing the public preview of draft Special Publication 800-63-3, Digital Authentication Guideline. We’re excited to share the updates we’ve made—along with the new process that enables our stakeholders to contribute to the document in a more dynamic way.
First things first
There are too many changes to list in a blog, but let’s highlight a few of the biggest:
- We broke down level of assurance into its independent parts: identity proofing, authenticators, and federated assertions and provide three assurance levels for each of identity proofing and authenticators. We provide guidance to keep this compatible with OMB 04-04 and the four existing levels of assurance while OMB revises existing identity policy.
- There are now multiple volumes consisting mostly of normative language. By cutting down on the informative language, each volume is now a one-stop shop for mandatory requirements and recommended approaches.
- Identity proofing got a major overhaul, for which we owe many thanks to our UK and Canadian peers. Plus, the draft guidance supports in-person proofing over a virtual channel—though under a strict set of requirements.
- We’ve clarified that knowledge-based verification (nee authentication) is limited to specific portions of the identity proofing process and never sufficient on its own. Emailing a one-time password (OTP) is gone too—and we’ve deprecated SMS OTP, so it’s in there but we expect to remove it in a future revision.
- We address the security required for centralized biometric matching.
- We have terminology updates to clarify language across the identity space. For example, remember ‘token’? It’s ‘authenticator’ now, since ‘token’ has plenty of other definitions and uses in the real world. It just didn’t make sense to stick with it.
Last, but not least, we modernizing our feedback process to allow greater, more dynamic participation in the development of this document. We’re releasing it on GitHub, a public-facing, simple to use interface, and we’ll solicit comments via GitHub and respond to them and make edits continually over multiple document iterations this summer.
Once these summer iterations come to a close, we‘ll hold a more traditional 30- or 60-day public comment period with comment matrices and email, as an additional option to using GitHub. But for the current public preview, GitHub is place to be!
What we’re looking for from you
Now is your chance to let us know: Did we miss anything? Have we gotten ahead of what is available in the market? Have we made appropriate room for innovations on the horizon?
In this public preview, we’re focused on getting the technical content right. So you’ll probably find an uncrossed ‘t’ and dot-less ‘i’ here and there. We ask that you focus your suggestions in this phase on the substantive (think technical and procedural requirements). Unless they impact the meaning of the statement, we’ll get to minor grammatical issues in due time—but we’ll gladly accept them if you can’t contain your inner grammarian.
GitHub uses markdown for editing, so the document may look a shade different from what you’d typically expect. But don’t let that put you off. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a simple form. There, you can summarize your suggested changes and submit them for further discussion in a forum-style format. You and your fellow reviewers can then can consider the changes, discuss them, and suggest new ones as the conversation develops. More instructions are available online. And while we want this process to be interactive, we prefer suggested changes over forum chatter.
How we’ll review your comments
Our 800-63-3 team will review and update the draft document by looking over each issue. After careful review, we can incorporate changes directly into the draft and close the issue. The process will be fluid; comment periods will lead to new updates, which in turn will generate new opportunities for public collaboration and more updates. Our team will regularly update the document, so you can see changes as they occur over time. And after these cycles, we’ll end up with a completed version this winter built on community participation.
Now, please, go forth and contribute! We look forward to engaging with the community in this new process for 800-63-3 and developing effective, updated guidance.
GitHub is an open source collaboration and development tool that will allow us to share the document and track your comments and suggestions. You can learn more about GitHub and how to sign up for an account here: https://github.com/