NIST 800-63-4 and Equity

The technology that supports digital identity is like magic. A quick scan of your face and you can open your phone or get on a plane. But what happens when the promise of technology falls short for significant segments of the population?

This is top of mind because of the newly proposed NIST 800-63 rev 4 draft, which is out for public comment through 24 March 2023.

NIST SP 800-63 Digital Identity Guidelines

NIST 800-63 is one of the most influential standards in the identity and access industry. Governments and businesses worldwide refer to this set of documents as the baseline for their own practices and regulations. The NIST guidelines describe how an organization (specifically a Credential Service Provider, or CSP) should determine whether an individual is not just Pat Doe but THE Pat Doe who lives on 999 Baker Avenue. They also differentiate between “sort of sure,” “really sure,” and “absolutely no question.” The guidelines treat authentication assurance the same way they treat identity assurance: how likely is it that Pat Doe is the one logging into this account? “It’s a good guess.” “No, really, we’re pretty sure.” Or “The hand of Gandalf is upon them and their account – no question that Pat Doe controls this account at login time.”

Obviously, there is a lot more in the standard. If you work at all with digital identities, you should read through it at least once. (You might also wait for the final version before reading the night away.)

NIST SP 800-63-4 and Equity

In this latest draft, the authors of NIST 800-63 have added a new section on Equity. This new section aims to help an organization responsible for identity proofing and registration “[assess] the risks associated with inequitable access, treatment, or outcomes for individuals using its identity services.”

I love that. I love that this standard highlights the problems associated with systems not equipped to handle non-Western names. That people who are transitioning might have issues with the records they can use to validate their existence. And definitely that verifying that information with tools like facial recognition is fine in theory, but in practice, technology is fallible.

But there are still parts I do not love.

The Trusted Referee

The proposed guidelines recognize that technology is fallible. In fact, they offer potential mitigations for when the tech is not up to snuff. The phrase “Providing Trusted Referees … who can make risk-based decisions based on the specific applicant circumstances” appears several times in the section on Equity.

“Trusted referees are agents of the CSP or its partners who are trained and authorized to make risk-based decisions to facilitate the identity proofing and enrollment of individuals who are unable to complete the identity proofing process on their own or meet the specified requirements for a given IAL.”

NIST SP 800-63A-4, Section 5.1.9

Humans are fairly bad at assessing risk. Some level of risk assessment skill can be taught, but it helps when everyone works from the same playbook. NIST offers provisions for human intervention when technology gets in the way of equity. That’s good. Those provisions, however, fall short of clearly stating what the training needs to look like. NIST also states that whatever policies and procedures the trusted referees are expected to follow must be written down. It’s unclear what those policies need to say or what points they need to cover, only that they need to be written down.

Every organization will almost certainly interpret the guidance on equity through its own unique lens. That will not result in standard guidelines for trusted referees to follow.

Wrap Up

Others with more IAM experience than me are working their way through the draft proposal; I know several are focusing on this area of equity and the associated risk assessments. Hopefully, when the standard is finished with the review and revision process, we’ll have more guidance on what a trusted referee can handle in a way that continues to support the equitable use of technology.

