NIST Digital Identity and Authentication

NobleKrypton

6 Questions

What is digital identity according to NIST SP 800-63-3?

A unique representation of a subject engaged in an online transaction

What is the primary goal of digital user authentication?

To authenticate the identities of users, processes, or devices

What is required for local and network access to privileged accounts?

Multifactor authentication

What should be done with identifiers after a defined period of inactivity?

Disable them

What should be prohibited for a specified number of generations?

Password reuse

What should be done with authentication information?

Obscure feedback of it

Study Notes

Digital Identity

  • A unique representation of a subject engaged in an online transaction.

Digital Authentication

  • The process of determining the validity of one or more authenticators used to claim a digital identity.

Basic Security Requirements

  • Identify information system users, processes acting on behalf of users, or devices.
  • Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.

Derived Security Requirements

  • Use multifactor authentication for:
    • Local and network access to privileged accounts.
    • Network access to non-privileged accounts.
  • Employ replay-resistant authentication mechanisms for:
    • Network access to privileged accounts.
    • Network access to non-privileged accounts.
  • Prevent reuse of identifiers for a defined period.
  • Disable identifiers after a defined period of inactivity.
  • Enforce minimum password complexity and change of characters when new passwords are created.
  • Prohibit password reuse for a specified number of generations.
  • Allow temporary password use for system logons with an immediate change to a permanent password.
  • Store and transmit only cryptographically-protected passwords.
  • Obscure feedback of authentication information.

Learn about digital identities, authentication processes, and security requirements as per NIST SP 800-63-3 guidelines.
