New NIST Digital Identity Guidelines Make Password Resets a Requirement

Written by PK Tech | November 13, 2024

The National Institute of Standards and Technology (NIST) recently released a draft of its Digital Identity Guidelines, known as NIST SP 800-63. This document outlines standards for identity management and authentication processes to enhance security and privacy in digital transactions.

In a nutshell, it calls for an end to periodic 30/90-day password resets, and it changes that from a recommendation to a REQUIREMENT.

What does this mean for your business and your passwords? Let’s dive in.

What Changed in NIST’s New Draft?

This latest draft is part of NIST's ongoing efforts to improve digital identity systems and align them with current technology and threat landscapes. Stakeholders are encouraged to review and provide feedback on the draft to help shape the final guidelines.

Key components of the draft include:

  1. Identity Assurance Levels (IALs): These levels define the degree of confidence in the asserted identity, ranging from low to high, based on the verification methods used.
  2. Authentication Assurance Levels (AALs): Similar to IALs, these levels assess the strength of the authentication methods employed.
  3. Federated Identity Management: Guidelines for managing identities across multiple organizations, allowing users to authenticate with one credential across different platforms.
  4. User-Centric Design: Emphasis on privacy and user control over personal data, ensuring users can manage their identities effectively.
  5. Technical Controls: Recommendations for implementing secure authentication methods, such as multi-factor authentication and secure credential storage.

How Does the New NIST Draft Affect Passwords?

When it comes down to it, many businesses really just want to know which elements apply to their business – namely, what changes can we expect to things like passwords?

The following requirements apply to passwords:

  1. Verifiers and Communication Service Providers (CSPs) SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
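To make the nine rules above concrete, here is a verifier-side acceptance check written as an added example (it is not code from PK Tech or from NIST). It measures length in Unicode code points, accepts spaces and any printable character, applies no composition rules, never truncates, and only ever forces a change on evidence of compromise, never on password age. The numeric limits come from the rules quoted above; the decision to NFKC-normalize input and to refuse control characters are assumptions of this example.

```python
"""Password acceptance and reset-trigger checks modelled on the NIST SP 800-63B
draft rules quoted above. Added example, not PK Tech's or NIST's code."""
from __future__ import annotations

import unicodedata

MIN_LENGTH = 8        # rule 1, SHALL: at least 8 characters
RECOMMENDED_MIN = 15  # rule 1, SHOULD: at least 15 characters
MAX_LENGTH = 64       # rule 2, SHOULD: permit at least 64 characters


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible string typed two ways compares equal.
    Normalizing before comparison is an assumption of this example, not a quoted rule."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> tuple[bool, list[str]]:
    """Return (accepted, reasons).

    Length is the number of Unicode code points (len() of a str), per rule 4,
    and the whole string is examined (rule 9: no truncation). No composition
    rule such as "must contain a digit" is applied (rule 5).
    """
    reasons: list[str] = []
    pw = normalize(password)
    length = len(pw)

    # Rules 3 and 4: printable ASCII, the space, and any other code point are
    # all fine. Only control characters (category Cc) are refused, because they
    # cannot be entered reliably; that exclusion is an assumption of this example.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        reasons.append("control characters are not accepted")
    if length < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    accepted = not reasons
    if accepted and length < RECOMMENDED_MIN:
        # Accepted, but the verifier should nudge toward the SHOULD minimum.
        reasons.append(f"accepted, but {RECOMMENDED_MIN}+ characters is recommended")
    return accepted, reasons


def needs_reset(days_since_change: int, compromise_evidence: bool) -> bool:
    """Rule 6: password age alone never triggers a reset; evidence of compromise always does."""
    return compromise_evidence


if __name__ == "__main__":
    for candidate in ["short", "tr0ub4dor&3", "correct horse battery staple", "пароль密码🔑12"]:
        print(repr(candidate), check_password(candidate))
    print("reset after 120 days, no compromise:", needs_reset(120, False))
    print("reset after 1 day, compromise seen:", needs_reset(1, True))
```

Note that a passphrase with spaces and a mixed-script password containing an emoji both pass, while the eleven-character passwords are accepted with a length recommendation rather than rejected; that is the intended behaviour of rules 1, 3, 4 and 5 taken together.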

What Do Microsoft Admins Need To Do?

If you are a Microsoft admin, you need to perform two critical steps.

  1. Turn on risk-based conditional access policy 
  2. Stop periodic password resets

This will reduce help desk calls and result in happier users. If you are not licensed for Entra ID P2, you can still use the sign-in logs to trigger a workflow that gets your users to change their passwords.
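As an added example of the log-driven approach described in this paragraph (not PK Tech's workflow), the script below triages exported sign-in records and returns the accounts that show evidence of compromise: a burst of failed sign-ins followed by a success. The records are constructed inline; the field names (userPrincipalName, createdDateTime, ipAddress, status.errorCode) follow the Entra sign-in log export as assumed here, and the failure threshold and time window are assumptions you would tune for your tenant.

```python
"""Pick users for a forced password change from Entra sign-in log records.
Added example with constructed data; not PK Tech's or Microsoft's code."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # assumed: failures within WINDOW that make a later success suspicious
WINDOW = timedelta(minutes=30)  # assumed: look-back window for counting failures

# Constructed sample records. errorCode 0 means the sign-in succeeded; any other
# value is a failure. The code value itself is not interpreted further here.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-11-13T08:00:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
] + [
    {"userPrincipalName": "bob@example.com", "createdDateTime": f"2024-11-13T09:0{i}:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
    for i in range(6)
] + [
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-11-13T09:06:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-11-13T10:00:00Z",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-11-13T10:01:00Z",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-11-13T10:02:00Z",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the export ('Z' suffix = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def users_needing_reset(events: list[dict], threshold: int = FAILURE_THRESHOLD,
                        window: timedelta = WINDOW) -> dict[str, str]:
    """Return {upn: reason} for accounts with >= threshold failures inside
    `window` followed by a successful sign-in. That pattern is the "evidence
    of compromise" this example uses to justify a forced password change."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for event in events:
        by_user[event["userPrincipalName"]].append(event)

    flagged: dict[str, str] = {}
    for upn, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        recent_failures: list[datetime] = []
        for event in user_events:
            ts = parse_ts(event["createdDateTime"])
            # Forget failures that fell outside the look-back window.
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if event["status"]["errorCode"] != 0:
                recent_failures.append(ts)
            elif len(recent_failures) >= threshold:
                flagged[upn] = (f"{len(recent_failures)} failed sign-ins within "
                                f"{int(window.total_seconds() // 60)} minutes, then success "
                                f"from {event['ipAddress']}")
                break
    return flagged


if __name__ == "__main__":
    for upn, reason in users_needing_reset(SAMPLE_EVENTS).items():
        print(f"force password change: {upn} ({reason})")
```

The returned dictionary is the hand-off point to whatever reset workflow you run (a help desk ticket, or an automated call that sets the user's password profile to require a change at next sign-in); that wiring is tenant-specific and outside this example. Because the trigger is behavioural evidence rather than a calendar, it lines up with rule 6 above: no periodic resets, but a forced reset when compromise is suspected.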

The Future of Passwords and Digital Identities 

One thing is certain – constant change is inevitable. As security concerns grow from rising cyber threats and data breaches, the future of passwords and digital identities is poised for a transformative shift in user experience. The end goal is simple: create a more secure and user-friendly landscape where digital identities are verified seamlessly and securely, reducing the reliance on passwords and fostering greater trust in online interactions. 

On a micro level, businesses must be certain they adhere to constantly changing federal compliance guidelines. This is not the last new draft that you can expect from NIST and similar cybersecurity compliance organizations. 

That’s where we come in. As a managed IT service provider, PK Tech is proud to offer 15 years of experience with a focus on the financial sector. We hold AICPA SOC 2 Type II attestation, proving via third-party audit by an independent firm that we passed a rigorous and comprehensive assessment of our security and privacy controls. Schedule a time to chat with our team here.