NIST Updates Digital Identity Guidelines to Address Modern Threats
Summary
The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines to enhance the security of the identity ecosystem. The revision, the first since 2017, addresses new threats such as AI-driven phishing and deepfakes. It introduces new authentication measures, including passwordless technologies and FIDO passkeys, to improve identity proofing and fraud prevention. The guidelines also emphasize continuous evaluation and risk-based identity management. The update reflects the evolving threat landscape and the need for more robust identity and access management (IAM) protocols. Organizations are encouraged to adopt phishing-resistant authenticators and strengthen cross-functional risk management. The changes are designed to be implementable with existing security frameworks, focusing on configuration rather than complete overhauls.
Timeline
- 14.08.2025 22:55 (1 article)
NIST updates Digital Identity Guidelines to address modern threats
In August 2025, NIST released updated Digital Identity Guidelines to enhance security against modern threats. The revision introduces new authentication measures, including passwordless technologies and FIDO passkeys, and emphasizes continuous evaluation and risk-based identity management. Organizations are encouraged to adopt phishing-resistant authenticators and strengthen cross-functional risk management.
Source: NIST Digital Identity Guidelines Evolve With Threat Landscape, www.darkreading.com, 14.08.2025 22:55
Information Snippets
- NIST updated its Digital Identity Guidelines to address modern threats like AI-driven phishing and deepfakes.
  First reported: 14.08.2025 22:55 (1 source, 1 article). Source: NIST Digital Identity Guidelines Evolve With Threat Landscape, www.darkreading.com, 14.08.2025 22:55
- The update introduces new authentication measures, including passwordless technologies and FIDO passkeys.
  First reported: 14.08.2025 22:55 (1 source, 1 article). Source: NIST Digital Identity Guidelines Evolve With Threat Landscape, www.darkreading.com, 14.08.2025 22:55
- The guidelines emphasize continuous evaluation and risk-based identity management.
  First reported: 14.08.2025 22:55 (1 source, 1 article). Source: NIST Digital Identity Guidelines Evolve With Threat Landscape, www.darkreading.com, 14.08.2025 22:55
- Organizations are encouraged to adopt phishing-resistant authenticators and strengthen cross-functional risk management.
  First reported: 14.08.2025 22:55 (1 source, 1 article). Source: NIST Digital Identity Guidelines Evolve With Threat Landscape, www.darkreading.com, 14.08.2025 22:55
- The changes are designed to be implementable with existing security frameworks, focusing on configuration rather than complete overhauls.
  First reported: 14.08.2025 22:55 (1 source, 1 article). Source: NIST Digital Identity Guidelines Evolve With Threat Landscape, www.darkreading.com, 14.08.2025 22:55
Similar Happenings
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
Clickjacking flaws in multiple password managers
Six major password managers have unpatched clickjacking vulnerabilities that could allow attackers to steal account credentials, 2FA codes, and credit card details. The flaws were demonstrated at DEF CON 33 by independent researcher Marek Tóth. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The attack exploits browser-based autofill features, overlaying invisible HTML elements to trick users into leaking sensitive information. The vulnerabilities were disclosed to vendors in April 2025, with public disclosure planned for August 2025. Some vendors have acknowledged the issues but downplayed their severity. Bitwarden has released a patch, version 2025.8.0, to address the vulnerabilities. Users are advised to disable autofill and use copy/paste until fixes are available.