Article
NIST Special Publication 800-63B
What is NIST?
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the United States (U.S.) Department of Commerce. It was established in 1901 as the National Bureau of Standards (NBS) to address a poor measurement infrastructure that was putting the U.S. at a significant competitive disadvantage in the industrial sector. The organization was renamed in 1988 to reflect its expanded role and responsibilities.
NIST’s mission is to promote innovation and industrial competitiveness in the U.S. by advancing measurement science, standards, and technology with the objective of enhancing economic security and improving quality of life. Its core competencies are measurement science, rigorous traceability, and the development and use of standards.
While the original focus of NIST was on the physical and engineering sciences, it has expanded to include information technology, cybersecurity, and other emerging technologies. NIST conducts cutting-edge research in a number of fields, including physics, engineering, information technology, nanotechnology, and materials science.
NIST is best known for its role in developing and promoting standards. These standards serve as a basis for compatibility between different technologies, ensuring that they can work together seamlessly.
“NIST supports the development of standards by identifying areas where they are needed, convening stakeholders, and providing technical and scientific guidance and expertise to help stakeholder groups reach a consensus.”
The standards provided by NIST are used in a wide variety of sectors, including manufacturing, telecommunications, biotechnology, information technology, and healthcare. NIST’s work impacts everything from advanced nanomaterials and electronic health records to computer chips and smart power grids.
NIST also develops cybersecurity standards, guidelines, and best practices to support U.S. industry, federal agencies, and the broader public. In addition, NIST works to advance understanding and improvement of the management of privacy risks. Among the security and privacy areas that NIST contributes to are:
- Cryptography
- Cybersecurity education and workforce development
- Cybersecurity measurement
- Identity and access management
- Privacy engineering
- Risk management
- Securing emerging technologies
- Trustworthy networks
- Trustworthy platforms
What is NIST 800-63B?
NIST Special Publication 800-63B Digital Identity Guidelines, Authentication and Lifecycle Management, provides technical requirements for federal agencies implementing digital identity services. It covers identity proofing and authentication of users interacting with government IT systems over open networks. Authenticating digital identities over an open network presents opportunities for impersonation and other attacks that can result in their fraudulent use.
NIST 800-63B is also used in a number of industries, including healthcare and financial services, as a baseline for identity and access management requirements. Among the other standards that reference NIST SP 800-63 are:
- Financial Industry Regulatory Authority (FINRA) notice on multi-factor authentication
- U.S. Drug Enforcement Administration (DEA) Electronic Prescriptions for Controlled Substances (EPCS)
- U.S. Federal Risk and Authorization Management Program (FedRAMP)
NIST 800-63B Authenticator Assurance Levels
NIST 800-63B addresses how an individual can securely authenticate to a credential service provider (CSP) to access a digital service at three Authenticator Assurance Levels (AAL). It includes specific recommendations on types of authentication processes, including choices of authenticators, that may be used at various levels.
The nine authenticator types recognized by NIST are:
- Memorized secrets
By far, this is the most common type of authenticator. It includes passwords, passphrases, and personal identification numbers (PINs). Passwords and passphrases are equivalent. The difference is that the paraphrase is longer than a password and can contain spaces. PINs typically denote a numeric secret. - Look-up secrets
A CSP issues these to the subscriber. A look-up secret can only be used once. They are most often used as a backup authenticator if a primary authenticator is lost, stolen, or malfunctions. - Out-of-band devices
Use a private communication channel that is separate from the channel being authenticated to establish the claimant’s control of a specific physical device, such as a smartphone. - Single-factor one-time password (OTP) device
This is a device in the possession of the subscriber that generates one-time passwords that are displayed and manually entered. - Multi-factor OTP devices
Similar to single-factor OTP devices, they require activation by input of a memorized secret or the successful presentation of a biometric in order to obtain a one-time password. - Single-factor cryptographic software
A secret cryptographic key is associated with software stored on a software-accessible medium. - Single-factor cryptographic devices
Similar to single-factor cryptographic software, except that the private key is contained within a hardware device and cannot be exported in normal operation. - Multi-factor cryptographic software
Similar to single-factor cryptographic software authenticators, except that they require the input of a memorized secret in order to access the private key for authentication. - Multi-factor cryptographic devices
Similar to single-factor cryptographic devices, except that they require activation by the entry of a memorized secret or verification of a biometric.
NIST 800-63B ranks the strength of authentication according to its Authenticator Assurance Level. The stronger the authentication, the more resources and skills threat actors must use to circumvent the controls. The following is a summary of the three Authenticator Assurance Levels.
Authenticator Assurance Level 1 (AAL1)
Authenticator Assurance Level 1 offers some assurance that the user controls an authenticator bound to the account being accessed. The requirement for AAL1 is the use of either single-factor or multi-factor authentication. Any of the nine authenticators referenced above are acceptable at AAL1.
Successful authentication at AAL1 requires that the user proves possession and control of the authenticator through a secure authentication protocol. Re-authentication of the subscriber should be repeated at least once every 30 days during an extended usage session, regardless of user activity. The session must be terminated when this time limit is reached.
Authenticator Assurance Level 2 (AAL2)
At Authenticator Assurance Level 2, there is a high degree of confidence that the user controls the authenticators. Approved cryptographic techniques are required at this level. Proof of possession and control of two different authentication factors is required through secure authentication protocols.
When a multi-factor authenticator is used, these types may be employed:
- Multi-factor OTP device
- Multi-factor cryptographic software
- Multi-factor cryptographic device
When a combination of two single-factor authenticators is used, one must be a memorized secret authenticator, and the other must be a possession-based (i.e., something you have) authenticator. Options for possession-based authenticators are:
- Look-up secret
- Out-of-band device
- Single-factor OTP device
- Single-factor cryptographic software
- Single-factor cryptographic device
At AAL2, the required reauthentication of users’ sessions must be repeated at least once every 12 hours during an extended usage session, regardless of user activity. Reauthentication of the user must be repeated following any period of inactivity lasting 30 minutes or longer. The session must be terminated when either of these time limits is reached.
Authenticator Assurance Level 3 (AAL3)
Authenticator Assurance Level 3 provides very high confidence that the user controls authenticators. This level requires proof of possession of a key through a cryptographic protocol.
AAL3 authentication requires a hardware-based authenticator and an authenticator that provides verifiable impersonation resistance. Approved cryptographic techniques are required.
In order to authenticate at AAL3, users are required to prove possession and control of two distinct authenticators through secure authentication factors. Approved authenticators at AAL3 are:
- Multi-factor cryptographic device
- Single-factor cryptographic device used in conjunction with a memorized secret
- Multi-factor OTP device (software or hardware) used in conjunction with a single-factor cryptographic device
- Multi-factor OTP device (hardware only) used in conjunction with a single-factor cryptographic software
- Single-factor OTP device (hardware only) used in conjunction with a multi-factor cryptographic software authenticator
- Single-factor OTP device (hardware only) used in conjunction with a single-factor cryptographic software authenticator (Section 5.1.6) and a memorized secret
Periodic reauthentication of user sessions at AAL3 must be repeated at least once per 12 hours during an extended usage session, regardless of user activity. Reauthentication of the subscriber must be repeated following any period of inactivity lasting 15 minutes or longer and must use both authentication factors. The session must be terminated when either of these time limits is reached.
NIST 800-63B Authenticator Lifecycle Management
The authenticator lifecycle management section of NIST 800-63B covers the treatment of authenticators at all stages. This takes into account the use of bring-your-own authenticators in addition to or as an alternative to those issued by CSPs.
The guidelines use the term binding rather than issuing to include those authenticators that come from users rather than being issued by CSPs. There are four categories of binding—binding at enrollment, post-enrollment binding, binding to a subscriber-provided authenticator, and renewals.
Binding at enrollment involves the binding of one or more authenticators. This usually immediately follows the verification that a user is actually who they claim to be, referred to as an identity proofing transaction in NIST 800-63B. It is important that the binding of authenticators be strongly associated with the identity proofing process to ensure that the subject associating an authenticator with a subscriber’s credential is, in fact, that subscriber.
Post-enrollment binding includes the additional authenticators for backup purposes as well as in response to the loss, theft, or damage to an existing authenticator, often referred to as account recovery. This most commonly occurs when a user wants to bind an additional authenticator to their account. Post-enrollment also occurs when a user needs to replace a lost or damaged authenticator.
Binding to a subscriber-provided authenticator (i.e., bring your own authenticator) requires a CSP to understand the type and security of authenticators that are bound to the subscriber’s account. If this cannot be done satisfactorily, the CSP defaults to the assumption of the weaker authenticator type (e.g., single-factor as opposed to multi-factor encryption device or software-based as opposed to hardware-based authenticator) when proceeding with the binding.
Expiration of authenticators is permitted but not required by NIST 800-63B; the guidance is to balance the risk of the undetected loss of an authenticator and the cost and complexity of reissuing it.
NIST 800-63B Password Guidelines and Best Practices
The guidelines set forth in NIST 800-63B represent a shift from traditional password security protocols. The latest revision of the digital identity guidelines presents practices that maintain security while reducing the burden on users.
NIST 800-63B guidelines reflect an understanding of how onerous controls result in less security due to users’ finding workarounds that end up compromising security. The following are the key guidelines and best practices for passwords based on NIST 800-63B.
Blacklisting common passwords
NIST 800-63B requires the use of a blacklist to block the use of obvious, guessable passwords. Passwords deemed not acceptable for users include passwords from previous breaches and simple, easy-to-guess passwords.
Limit failed password attempts
To prevent brute force attacks, the number of failed login attempts should be limited.
Password expiration and resets
NIST 800-63B recommends enforcing password expiration and resets only when a known compromise has occurred or once a year. More frequent password changes are not recommended unless there is a user request or evidence of a security breach.
Password complexity
NIST 800-63B guidance on password complexity is another notable change in best practices, with NIST advising that longer passwords are typically more secure than complex ones. NIST advises against mandating specific character types (i.e., a mix of uppercase, lowercase, numbers, and special characters). The guidelines recommend that the focus should be on allowing a broad range of characters and encouraging users to create more memorable, user-friendly passwords.
Password hints and knowledge-based security questions
The use of password hints or knowledge-based questions (e.g., what is your mother’s maiden name?) is discouraged as they can be easily guessed or researched.
Password length
NIST 800-63B recommends using long passwords, with a minimum of eight characters for user-chosen passwords and at least six characters for system-generated passwords.
Rate limiting
Implement rate limiting for password attempts to prevent automated attacks such as brute force. Adjust rate limiting based on user context, such as location, device being used, or time of access.
Who must comply with NIST 800-63B?
NIST 800-63B is mandatory for all U.S. federal agencies. In addition, organizations and vendors that provide services to federal agencies or handle federal data may be required to comply with NIST 800-63B standards.
Optimizing security posture with NIST 800-63B
Like other NIST publications, the guidelines set forth in NIST 800-63B are broadly applicable to organizations outside of the federal government. Best of all, it is easily accessible and free.
All types of organizations leverage these guidelines and best practices to address complex challenges related to digital identity authentication and authenticator lifecycle management. These guidelines also serve as a baseline for other organizations’ directives related to digital identity.
Unleash the power of unified identity security
Mitigate cyber risk across the spectrum of access