The reason for this revision is the advance in technologies and computing practices. “There are new techniques and tools available to government agencies,” says NIST security expert Tim Polk; and there is growing use of cloud technologies to deliver both web-based services to users and managed authentication services to websites.
When the original report was issued, it was assumed that government agencies would tackle the problem of user authentication in-house. "But since that time," says NIST, "an industry has grown around providing authentication services, and it is often in the best interest of agencies to take advantage of commercial systems or those of other government entities. And while passwords are still the leading mechanism for authenticating user identity, a growing number of systems rely on cryptographic keys or physical tokens." The new guidelines give agencies the scope to employ these new technologies and remain in conformance with NIST guidelines.
The NIST security guides are important documents. Not only are they de rigueur for government departments, they are an important standard for the general business market. Accreditation to NIST guidelines is a strong selling point for the authentication suppliers, demonstrating that their product has been developed to the highest standards.
However, Robin Wood, senior security engineer and a CREST certified application tester at RandomStorm, points to two further considerations: the quality of the NIST accreditation auditors, and the security of the software vendor itself.
“NIST will have to make sure that the third parties doing the authentication are regularly and thoroughly audited themselves,” he says. What NIST doesn't want is the situation we now have with SSL certificate issuing authorities, where there are many out there, but they are regularly hacked. This undermines the whole system of trust and reduces the effectiveness of the whole process.
“Hacking one of these authentication providers to give an attacker the ability to pretend to be any of its registered users would make them a very appealing target.” Such a compromise would undermine trust in the provider just as the hack of RSA undermined the credibility of SecurID, an otherwise excellent authentication device.
The revised NIST report should not be confused with, and does not constrain, the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, says NIST, is charged with the creation of “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities,” a very different requirement to the need for government agencies to authenticate their users.