NIST 800-63-3 is a set of guidelines published by the National Institute of Standards and Technology (NIST) for digital identity management and authentication. These guidelines provide recommendations for digital identity proofing, authentication protocols, and federation models. NIST 800-63-3 is widely recognized as a valuable resource for organizations looking to improve the security of their digital identity systems and reduce the risk of fraud and identity theft.

It is also essential for government agencies because it works. For instance, state governments using solutions aligned with NIST Identity Assurance Level 2 (IAL2) standards saw a significant decrease in fraudulent COVID-19 unemployment claims. Whether adapting to changing mandates or incorporating industry standards such as NIST 800-63-3, Karsun has a solution to ease the adoption of security best practices during modernization.

The NIST 800-63-Standard

NIST 800-63-3 was released in June 2017. The guidelines were intended to improve online identity verification’s security and usability while addressing new threats and challenges that have emerged in recent years.

The guidelines are organized into three parts:

  1. Digital Identity Guidelines: Guides establishing digital identity proofing and authentication procedures.
  2. Authentication and Lifecycle Management Guidelines: Describes implementing and managing identity credentials and authentication.
  3. Federation and Assertions Guidelines: Provides guidance for federated identity systems and how to use assertions to share identity information between systems.

Since introducing NIST 800-63-3, these standards have become industry best practices for identity management. In addition to NIST 800-63-3 compliance, agencies are prioritizing Zero Trust as a key component of securing the User and App pillar. For example, the FAA’s 2022 AIT annual report states, “[its] network environment now operates within a Zero Trust security model, which requires users to be authenticated, authorized, and continuously validated to be granted access to a network, system, or application.” The agency’s cybersecurity-related improvement activities support the transition to Zero Trust, as well as its implementation of a new multi-factor authentication (MFA) service for users who would like to access the FAA’s network, systems, and applications.

Complementing Secure By Design Architecture

At Karsun, incorporating NIST 800-63-3 standards is part of designing secure digital architecture. Incorporating these guidelines into a secure by design architecture involves creating systems and applications with security considerations at every stage of the development process, from design to deployment.

The guidelines recommend using risk-based authentication (RBA) to assess the risk associated with each access attempt. We design systems and applications with RBA in mind and implement automated risk assessment tools to make real-time decisions about access requests.

Key to our solutions is NIST 800-63-3 adherent identity proofing. This process involves verifying user identities using multiple sources of data. We incorporate these guidelines into the design process to ensure that user identities are verified before granting access. We also consider federation and assertions. We integrate NIST 800-63-3 standards into the design process if the system or application interacts with other systems or applications.

In addition, NIST 800-63-3’s guidelines on digital identity proofing can help organizations implement identity verification procedures consistent with the zero trust principle of “never trust, always verify.” By using a risk-based approach to identity proofing, organizations can better assess the trustworthiness of each user and device and limit access to sensitive data and applications only to those users and devices verified to be trustworthy.

We design systems and applications with secure coding practices in mind and follow best practices for secure coding throughout development. In our implementation, we automated mobile testing via functional testing tools like Appium. We used code scanning and container image scanning tools to identify and mitigate vulnerabilities earlier and address those issues before deployment.

By incorporating NIST 800-63-3 guidelines and a zero trust framework into a secure by design architecture, agencies can develop systems and applications that are secure by default and can better protect sensitive data and resources.

Complexities to Implementing Authentication

While adhering to these standards is essential to building a secure application, it introduces added complexity to modernization projects. The standards specify appropriate authentication approaches based on different risk levels. Each has extensive rules, and the requirements for various authenticators may be overwhelming, unclear, ambiguous, and conflicting. Addressing each of these Authentication Levels across devices effectively can hinder the successful adoption of the security standards.

Identity Reference Framework

To meet this challenge, Karsun introduced an Identity, Credential and Access Management (ICAM) reference implementation. We customized the Keycloack open source tool via a specific Service Provider Interface (SPI) to address the complex NIST authenticator requirements while accelerating the adoption of those standards. Our team began with a risk based assessment, identifying the authentication workflows and their requirements based on risk level.

Next, using Keycloak, we created custom implementations for each workflow. Using these workflows, we created custom templates for new user sign-up forms. We also adapted these custom templates to adhere to US Digital Services (USDS) standards. This approach created a repeatable identify framework we could implement as a plug-in that can be deployed over an open source Keycloak container. 

Not only does this approach reduce complexity, but it is also a more secure implementation. It allows the user, when appropriate, to use authentication other than a simple password. When using an authentication type such as FIDO2, the user enters a PIN or uses biometrics to authenticate successfully, then the authenticator uses the key in the device to sign the challenge from the identity provider. Thus the key never leaves the device. Using this highest-level-without-password/passwordless approach was more secure while simultaneously providing a better user experience.

Additionally, by using Keycloak to build our own identity reference framework library, we addressed a common concern with implementing open source tools. Using a template library created a clear separation between Keycloak and our ability to update the plug-in. We designed the library to keep the templates up to date and maintain the application’s security rather than relying on Keycloak itself.

Accelerating Identity and Access Management Adoption

Like many Karsun toolkit components, these identity reference framework resources are available to our team members to use through our InnerSource library. Evolving from an Innovation Center research and development project to a validated implementation, it can now be used as one of our readymade toolkits. All Karsun teams now have access to these vital resources and ensure that our teams can accelerate the implementation of emerging identity and ICAM standards in your agency’s modernization efforts. 

Content from this post initially appeared from Pavan Kurkal as part of Karsun’s Monthly Innovation Town Hall series. These events present innovative solutions from our delivery teams across Karsun. Pavan is an engineer with the Karsun Innovation Center specializing in identity and access management.