Since the guidelines were first published, an industry has grown up around authentication, and new technologies such as cryptographic keys or physical tokens are becoming authentication methods that systems rely on.
Tim Polk, NIST computer security expert and Cryptographic Technology Group manager at NIST, indicated that changes in the document are a reflection of “changes in the state of the art.”
“There are new techniques and tools available to government agencies, and this provides them more flexibility in choosing the best authentication methods for their individual needs, without sacrificing security,” he said.
In the release, NIST encourages agencies to take advantage of commercial systems or of other government entities, since the guidelines apply whether authentication services are handled by the agency itself or outsourced to other firms.
The revision defined assertion-based authentication as being able to support single sign-on or multiple online services. A verified user will have additional information regarding what level of access (levels are defined in the full-length revision) is possible without manual intervention.