The last time the National Institute of Standards and Technology (NIST) revised its framework about digital identity, it was 2017. Fidget spinners and Ed Sheeran were big, and far fewer people could define a “deepfake.” Now, with companies facing tons of new identity-related cyber threats, NIST has given its framework a much-needed update.
Specifically, the fourth revision of NIST’s Digital Identity Guidelines (SP 800-63-4) sets out the technical requirements for “meeting digital identity assurance levels for identity proofing, authentication, and federation,” which include security and privacy requirements and improved customer experience, according to NIST’s blog post.
For IT pros responsible for ensuring that employees access sensitive and personally identifiable information safely and reliably, the NIST framework can provide guidance for navigating fraud threats, especially as cyberattackers look for new and sophisticated ways to access secrets and systems.
“These guidelines are ultimately intended to make navigating the digital world more secure and convenient by providing a framework to understand online risks and controls that can better protect our critical online services,” NIST stated.
The new framework includes updated recommendations for continuous evaluation metrics and identity proofing processes, along with updates to controls for addressing injection attacks and fake media, context for risk management, and more.
While a lot of companies are able to mitigate cybersecurity risks in-house, Philipp Pointner, chief of digital identity at Jumio, said that there is a “rich vendor landscape” for companies specializing in identity cybersecurity that is effective in combating threats relevant specifically to identity verification.
“The recommendation is to not try to do this in-house, but to go to the established vendor landscape and find the service that you like and let them do it,” Pointner said. “We see people trying to digitize by just bringing whatever they have in the real world, brick and mortar into the digital world, and that’s just not good enough.”
Expert says…
Pointner said that while most companies are not required to follow the NIST standards (unless they work directly with the US government), companies within healthcare, banking, and financial services have started to treat guidelines like this as the standard for identity verification services.
“They’re not IT companies, they’re not security companies, and yet they have to verify,” Pointner said. “It’s not in their core nature or expertise to know how to verify someone’s identity and deal with fraud threats, and so they’re looking for guidance.”
For example, Pointner added, fraudsters once had to spend significant amounts of time producing physical fake identification documents. Now, he said, fraudsters are able to use generative AI to create fake IDs at scale.
“The threat landscape, and what’s going on in reality, has changed dramatically in those last eight years,” Pointner said.
It began, he said, “about three years ago during the pandemic, where we are now dealing less with a lone wolf actor in his basement trying to create some fake IDs and accounts to sell them on the web and make some money.” When the identification scammers are caught, Pointner said they can oftentimes be out of an organized operation.
The guidance acknowledges new methods to fight fraud as an enterprise and offers guidelines to adapt to the changed threat vector, according to Pointner.
Now, professionals are able to renew certifications on the basis of the new guidance from NIST. While organizations will move to transition so they are compliant with the next version, Pointner said, “companies live in this reality of the modern threat landscape already.”
Companies that are new to identity verification, however, will now have guidelines that reflect modern security requirements, according to Pointner.