Skip to main content

Back to Blog

NIST Special Publication 800-63 is Final

When NIST Special Publication 800-63 was finalized years ago, it marked a significant shift in how security teams protected authentication. Today, we’re revisiting these changes to understand their lasting impact and how the recommendations have evolved in response to the rapidly changing risk-based threat landscape.
The comprehensive overhaul introduced by NIST SP 800-63 was about much more than just updating password policies. It redefined the framework for digital identity, providing a suite of documents that offered a flexible approach to identity proofing, authentication, and federation.

The parent document is 800-63 and there are three child documents:

Identity Proofing is described in SP800-63A
Proofing refers to the initial confirmation of the identity of an actual person. The new approach moves away from NIST specifying particular items (e.g., a drivers license) to now simply explaining the “characteristics” of what makes good proofing evidence. This provides more flexibility to allow what will work best in a particular environment. This is especially important with the increase in remote work since the introduction of SP 800-63.

Authentication is described in SP800-63B
Authentication refers to checking something you “Know”, “Have”, or “Are” before allowing access to a system or resource. We’ve discussed passwords as the “something you know”, but there are major changes in the other digital authentication factors.

For “Something You Have” (e.g. your smartphone), NIST is advising against email and most uses of SMS for delivery of one-time-passwords (OTP). These communication channels can be compromised. NIST suggests a host of options, but the use of authenticator apps will likely increase as a result of their enhanced cybersecurity and validation methods.

NIST is also advising caution around authentication protocols using “Something You Are” (e.g., facial recognition or fingerprint scanning), calling these methods “probabilistic”. The current state of these biometric technologies introduces too much risk from false positive and false negative identification.

Federation is described in SP800-63C
Federation is where proofing and authentication occurs in one system that other systems will trust. Federation is strongly encouraged by NIST, and the new guidelines include privacy-enhancing requirements that can make federation appealing.

More adaptable to individual situations
NIST SP 800-63 has become a lot more flexible. While the previous document had a single Level of Assurance (LOA) and accessing risk and determining appropriate practices, this new version has separate “xALs” for Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). The result is a clearer alignment of requirements to risk management.

Implementation of 800-63 Digital Identity Guidelines
With NIST 800-63 as an established standard, organizations should consider its guidelines when creating their own internal security program, particularly in the realm of identity and access management.

We’ve spoken with members of the NIST team, and they have offered implementation resources to help organizations meet these guidelines.

The first section of the implementation guide is around the identity-proofing process. For the password screening outlined in section 5.1.1 of 800-63B, the effort to maintain a blacklist is substantial but not necessarily complicated. Organizations interested in automating this process with one click are invited to contact us or sign up for free.

The development of NIST SP 800-63 was a collaborative effort, incorporating over 1,400 comments from the community. This process underscored NIST’s commitment to creating guidelines that are not only practical and clear but also aligned with international standards, technical requirements, and commercial market needs.

Despite the guidelines’ potential to significantly enhance security postures, an Enzoic survey in 2023 found that one-third of organizations were still unfamiliar with these critical guidelines, relying on outdated practices such as time-based password resets, even though compromised credentials remain the top cause of data breaches, according to Verizon’s Data Breach Investigations Report. This highlights the importance of continued education and adaptation to these evolving standards, which are more relevant than ever.

 

Read more:
3 Key Elements of the NIST Password Requirements for 2020
Automate Password Policy & NIST Password Guidelines
Creating a NIST Password Policy for Active Directory