Stories from the Future: How New U.S. Digital Identity Rules Will Change Our Lives
NIST digital identity standards are paving the way for secure, user-controlled digital credentials, revolutionizing access to government services.
Last week, as various friends in southern California were sharing status updates on social media, comparing notes on how to prepare to flee nearby wildfires, and in some cases seeking new places to live, several shared an image listing which documents to be sure to collect. It's a very thorough list, and I'll be the first to admit I might have a hard time gathering all of these documents with just a couple of hours' notice, especially while also preparing to evacuate my family.
I would guess most Americans would have a similarly hard time. It’s terrifying to think about all your life’s most important papers going up in smoke (or floating downstream, or getting blown away). That’s one of many reasons I’m so proud of the work that SpruceID, and so many organizations across the world, are doing to make sure crucial documents can be safely and securely digitized, in a privacy-preserving and owner-controlled manner.
Within the next decade, you'll be able to store even sensitive documents like birth certificates, health records, and Social Security cards on your phone, using the digital identity technology SpruceID builds. It will be a huge boon for disaster victims and other vulnerable groups.
I'm enough of an identity and policy wonk to be excited about one of the relatively unsung drivers of that future: U.S. Federal government standards for digital identity management. The fourth revision of NIST Special Publication 800-63, the Digital Identity Guidelines, was recently issued by the National Institute of Standards and Technology. It describes how a person's identity is first proven (identity proofing), then authenticated each time they return, and optionally federated across services, for uses such as accessing government benefits or tax systems. Federal procurement requirements reference NIST guidance widely, so most private U.S. firms end up following it as well, and foreign governments look to NIST to inform their own guidance, giving the standards a global impact.
This round of updates has particularly major implications: the guidelines now define roles and requirements for digital credentials held in user-controlled wallets (such as California's mobile driver's license) when logging on to government systems.
That means digital credentials are going to be a much bigger part of our future.
Logging On In a Whole New Way
The most important part of the new NIST guidelines is simply that, for the first time, they define roles for cryptographically signed digital credentials held in user-controlled wallets. This will fuel a big step forward in adoption and acceptance of these technologies, thanks both to the implications for government contractors and to the more general "stamp of approval" that acknowledgement by NIST carries.
Most notably, this includes guidance for using credentials stored in user-controlled wallets to log in to Federal services. For the vast majority of users this will be a new way of logging on: not with a password, but with a credential signed by its issuer and bound to a private key that lives in the secure hardware on your phone and never leaves it. At login the wallet signs a one-time challenge from the service with that key, proving possession of the credential without revealing the key. This should lead to broad improvements in security, since passwords are the chronic target of phishing, credential stuffing and database breaches, whereas a signature over a fresh challenge is useless to anyone who captures it.
These new rules will add to the ongoing adoption of digital wallets as a part of digital life. "Wallets" are pieces of software that store, manage and present digital credentials, for both in-person and online use. More and more people already rely on them instead of physical wallets, and defining them for use in U.S. government systems will only make them more useful, and more ubiquitous. It's a huge win for cybersecurity, and that's about more than replacing passwords.
Security That Fits
The revised guidelines also describe how a credential held in a user-controlled wallet can serve as the basis for what's known as "federated" account management: one credential, tied to one account, gives access to a host of different services or platforms. For everyday digital citizens, this shrinks the surface area they need to protect: only one account to secure with a strong password plus MFA (or, even better, phishing-resistant passkeys), as opposed to the more than 150 accounts most adults have today. The flip side is that this one account becomes a high-value target, so its protection, and especially its account-recovery path, deserves the most care.
The NIST guidance also presents an overarching approach to risk management for online services, defining three levels of rigor each for identity proofing (IAL), authentication (AAL) and federation (FAL), used to set requirements that vary with the sensitivity of the service being protected. A purely informational government web page needs no identity proofing at all; the lowest level, IAL1, involves only lightweight proofing, and higher levels require more rigorous, supervised or in-person identity "proofing" before a credential is issued, or stronger multi-factor authenticators that demonstrate control of the account.
Descriptions of the new NIST assurance levels now include specific reference to features of digital credentials. The highest Authentication Assurance Level (AAL3) specifically requires authentication by proof of possession of a private key (public-key cryptography) over a phishing-resistant protocol, using a "hardware-based authenticator with a non-exportable private key".
That's effectively a description of a digital credential whose key is held in trusted hardware. Where the issuing process also meets the highest identity assurance level, with in-person or supervised proofing, a rigorously issued digital credential such as a mobile driver's license could be used as a login for even quite sensitive Federal services. The two levels are assessed separately, though: hardware key storage satisfies the AAL3 authenticator requirement, while the IAL achieved depends entirely on how the issuer proofed the person before issuing the credential.
More Security, More Access, More Stability
Taken together, the updates to NIST SP 800-63 mean there will be more opportunities to use secure digital credentials, kicking off a virtuous cycle with many, many benefits. Obviously we're big fans of the improved security digital credentials can provide, and of the added privacy thanks to features like selective disclosure: presenting only the attributes a service actually needs (for instance, that you are over 21) while keeping the rest of the document private.
But my thoughts return to the folks across the U.S. who have been displaced and disrupted this past year, whether by a storm, fire, family struggles, or other hardships. With smartphones nearly ubiquitous, digital credentials securely tied to hardware you carry everywhere, and usable in many cases even without a cellular signal, will become a widespread boon. Whether you're filing paperwork that will help you get back on your feet, or just logging in to a website you use every day, digital identity means a better future is coming soon.
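The login flow the previous sections describe, a credential signed by its issuer, a private key that never leaves the phone's hardware and is used only to sign a fresh challenge, and selective disclosure of just the attributes a service needs, can be seen end to end in the following example. It is added here and is not SpruceID's code or anything from NIST SP 800-63; it uses only Go's standard library (Ed25519 signatures and SHA-256 commitments), a software key stands in for the hardware-bound one, and the issuer name, attribute names, nonce and audience URL are constructed sample values. It is a toy format, not an mDL (ISO 18013-5) or SD-JWT implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Credential is what the issuer signs: the holder's public key (stand-in for the phone's hardware key) plus a salted-hash commitment per attribute.
type Credential struct {
	Issuer      string            `json:"iss"`
	HolderKey   []byte            `json:"holder_key"`
	Commitments map[string]string `json:"commitments"` // name -> hex(sha256(salt|value))
}

type SignedCredential struct{ Payload, Signature []byte } // what the wallet stores
type Disclosure struct{ Name, Salt, Value string }      // opens one commitment

// Presentation is what the wallet sends to the verifier for one login.
type Presentation struct {
	Cred        SignedCredential
	Disclosures []Disclosure // only the attributes the holder chose to reveal
	Nonce       []byte       // chosen by the verifier, single use
	Audience    string       // the verifier's identity, so a presentation cannot be relayed elsewhere
	HolderSig   []byte       // holder signature over challenge(Nonce, Audience, Cred.Payload)
}

func commit(salt, value string) string {
	sum := sha256.Sum256([]byte(salt + "|" + value))
	return hex.EncodeToString(sum[:])
}

// challenge ties the holder's signature to this nonce, this verifier and this credential.
func challenge(nonce []byte, audience string, payload []byte) []byte {
	framed, _ := json.Marshal([]any{nonce, audience, payload}) // unambiguous framing of the three parts
	sum := sha256.Sum256(framed)
	return sum[:]
}

// Issue runs at the issuer (e.g. a DMV); it also returns the salts the holder needs to open commitments.
func Issue(issPriv ed25519.PrivateKey, issuer string, holderPub ed25519.PublicKey, attrs map[string]string) (SignedCredential, map[string]Disclosure, error) {
	cred := Credential{Issuer: issuer, HolderKey: holderPub, Commitments: map[string]string{}}
	opens := map[string]Disclosure{}
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return SignedCredential{}, nil, err
		}
		opens[name] = Disclosure{Name: name, Salt: hex.EncodeToString(salt), Value: value}
		cred.Commitments[name] = commit(opens[name].Salt, value)
	}
	payload, _ := json.Marshal(cred) // cannot fail for these field types; map keys are emitted sorted
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issPriv, payload)}, opens, nil
}

// Present runs in the wallet: attach only the chosen disclosures and prove possession of the holder key.
func Present(holderPriv ed25519.PrivateKey, cred SignedCredential, disclose []Disclosure, nonce []byte, audience string) Presentation {
	sig := ed25519.Sign(holderPriv, challenge(nonce, audience, cred.Payload))
	return Presentation{Cred: cred, Disclosures: disclose, Nonce: nonce, Audience: audience, HolderSig: sig}
}

// Verify runs at the relying party and returns only the attributes the holder chose to reveal.
func Verify(issPub ed25519.PublicKey, p Presentation, wantNonce []byte, wantAud string) (map[string]string, error) {
	if !ed25519.Verify(issPub, p.Cred.Payload, p.Cred.Signature) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	var cred Credential
	if err := json.Unmarshal(p.Cred.Payload, &cred); err != nil {
		return nil, err
	}
	if string(p.Nonce) != string(wantNonce) || p.Audience != wantAud {
		return nil, fmt.Errorf("nonce or audience mismatch: replayed or relayed presentation")
	}
	if len(cred.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(cred.HolderKey), challenge(p.Nonce, p.Audience, p.Cred.Payload), p.HolderSig) {
		return nil, fmt.Errorf("holder proof of possession failed")
	}
	shown := map[string]string{}
	for _, d := range p.Disclosures {
		if cred.Commitments[d.Name] != commit(d.Salt, d.Value) {
			return nil, fmt.Errorf("disclosure %q does not match its commitment", d.Name)
		}
		shown[d.Name] = d.Value
	}
	return shown, nil
}

func main() {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred, opens, _ := Issue(issPriv, "example-dmv", holderPub, // constructed sample attributes
		map[string]string{"name": "A. Example", "birthdate": "1990-01-02", "age_over_21": "true"})
	nonce, aud := []byte("one-time-nonce-from-verifier"), "https://benefits.example.gov"
	pres := Present(holderPriv, cred, []Disclosure{opens["age_over_21"]}, nonce, aud)
	fmt.Println(Verify(issPub, pres, nonce, aud)) // map[age_over_21:true] <nil>
}
```

The verifier learns that the holder is over 21 and nothing about the name or birthdate, because those commitments stay closed and the issuer's signature still covers them. The nonce and audience check is what stops a captured presentation from being replayed or relayed to a different service, and the holder signature is the proof of possession that AAL3's "non-exportable private key" requirement protects: a copy of the credential alone, without the key, fails verification.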
About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.