
Key Updates to NIST’s Digital Identity Guidelines: SP 800-63-3


Technology moves fast - the guidelines for securing “digital identities” are already four years old, old enough to be replaced by the National Institute of Standards and Technology (NIST).

The new, final Special Publication (SP) 800-63-3 was released at the end of June. Last July, I wrote about how NIST deemed SMS-based two-factor authentication no longer secure in its initial draft of the Digital Authentication Guideline.

Now, NIST has integrated those recommendations and more into a final suite of documents known as the Digital Identity Guidelines. The suite is widely referenced across industries as a standard for how to properly secure digital identities - including by government entities, such as federal agencies and the contractors that provide services to the federal sector.

Levels of Assurance (LOAs) Replaced By IAL, AAL & FAL

One major update, according to NIST, is the replacement of the single ‘levels of assurance’ (LOA) scale with three separate areas of assurance, each with levels 1-3:

Identity Assurance Level (IAL)

This refers to the identity proofing process - how an organization vets a person’s real-life identity against their digital identity.

  • IAL1 - No requirement to link the applicant to a specific real-life identity.
  • IAL2 - Introduces the need for either remote or physically-present identity proofing.
  • IAL3 - Physical presence is required for identity proofing.

Authenticator Assurance Level (AAL)

This refers to the authentication process, including how additional factors (multi-factor authentication) can impact risk mitigation.

  • AAL1 - Requires either single-factor or multi-factor authentication using a secure authentication protocol.
  • AAL2 - Proof of possession and control of two distinct authentication factors is required, through secure authentication protocol(s); some two-factor authentication methods meet this level.
  • AAL3 - Proof of possession of a key through a cryptographic protocol. NIST recommends using a hardware-based authenticator (U2F is one example) and one that protects against “verifier impersonation” - that is, one resistant to phishing and man-in-the-middle (MitM) attacks. Users must still present two distinct authentication factors through secure authentication protocol(s).

Federation Assurance Level (FAL)

This refers to the assertion used in a federated environment to communicate authentication and attribute information to a relying party. Federation is what happens when identities cross from one identity domain to another.

  • FAL1 - Assertions need to be signed by the identity provider (IdP).
  • FAL2 - Assertions must be encrypted by the IdP (and the IdP is the only entity that can decrypt it).
  • FAL3 - The user must be able to prove possession of a cryptographic key bound to the assertion.

The different areas/levels of assurance above are meant to give agencies the ability to mix and match IAL, AAL and FAL and use federation where possible.

Other Authentication Updates in SP 800-63-3

NIST also lists other changes in the final edition of SP 800-63-3 that affect authentication. Here are just a few:

  • Using the term “authenticator” in place of “token”
  • Removing knowledge authenticators, recognizing they are special cases of weak passwords
  • Putting in requirements for account recovery in the event of loss or theft of an authenticator
  • Removing email as a valid channel for out-of-band authenticators

SMS (Officially) No Longer Recommended for MFA

Finally, as mentioned earlier, one of the documents within the Digital Identity Guidelines suite, SP 800-63B - Authentication and Lifecycle Management, addresses the types of multi-factor authentication (MFA) methods that NIST recommends.

The document lists out the types of multi-factor authenticators that may be used, including:

  • OTP (one-time password) device
  • MFA cryptographic software
  • MFA cryptographic device

As NIST announced last year, SMS-based MFA is not considered as secure as these other methods because it can be bypassed by attackers. Organizations should instead use more secure methods, such as Universal 2nd Factor (U2F) and push notifications via authenticator apps, to complete two-factor authentication.
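To make the AAL rules above and the authenticator types in this section concrete, here is an added example (my own code, not NIST’s and not part of the original article) that works out which AAL a login session reaches from the authenticators that were verified in it. The authenticator catalogue, the per-authenticator properties (hardware-based, verifier-impersonation-resistant, restricted) and the `allow_restricted` policy switch are this example’s own simplifications; in SP 800-63B, verifier-impersonation resistance also depends on the protocol the authenticator is used with, not only on the device.

```python
"""Evaluate the NIST SP 800-63B Authenticator Assurance Level (AAL) a
session reaches, from the authenticators verified in it.

Added example; the level rules follow the article's summary, the
authenticator catalogue and its properties are constructed for this demo.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    """One authenticator and the properties the AAL rules look at."""
    name: str
    factors: frozenset                 # factors this authenticator proves
    hardware_based: bool = False
    verifier_impersonation_resistant: bool = False  # resists phishing/MitM
    restricted: bool = False           # bypassable channel (SMS): flagged


# Constructed catalogue: the three types the article lists, plus the
# memorized secret, SMS and U2F it mentions alongside them.
MEMORIZED_SECRET = Authenticator("memorized secret", frozenset({Factor.KNOWLEDGE}))
SMS_OOB = Authenticator("SMS out-of-band code", frozenset({Factor.POSSESSION}),
                        restricted=True)
OTP_DEVICE = Authenticator("OTP device", frozenset({Factor.POSSESSION}))
MFA_CRYPTO_SOFTWARE = Authenticator(
    "MFA cryptographic software", frozenset({Factor.POSSESSION, Factor.KNOWLEDGE}))
# U2F: single-factor hardware device, activated by touch, origin-bound
U2F_DEVICE = Authenticator("U2F device", frozenset({Factor.POSSESSION}),
                           hardware_based=True, verifier_impersonation_resistant=True)
MFA_CRYPTO_DEVICE = Authenticator(
    "MFA cryptographic device", frozenset({Factor.POSSESSION, Factor.KNOWLEDGE}),
    hardware_based=True, verifier_impersonation_resistant=True)


def assurance_level(used, allow_restricted=True):
    """Return (AAL reached, policy notes) for one login session.

    AAL1: one or more factors.  AAL2: two distinct factors.
    AAL3: two distinct factors plus a hardware-based authenticator and a
    verifier-impersonation-resistant one (may be the same device).
    allow_restricted=False (this example's own switch) makes restricted
    authenticators such as SMS not count toward the factor total.
    """
    notes = []
    counted = []
    for auth in used:
        if auth.restricted:
            notes.append(f"{auth.name}: restricted, not recommended; "
                         "prefer U2F or authenticator-app push")
            if not allow_restricted:
                continue
        counted.append(auth)
    if not counted:
        return 0, notes + ["no acceptable authenticator verified"]
    # Distinct factors across all counted authenticators; a single
    # multi-factor authenticator can contribute two on its own.
    factors = frozenset().union(*(a.factors for a in counted))
    if len(factors) < 2:
        return 1, notes + ["single factor only"]
    hardware = any(a.hardware_based for a in counted)
    vir = any(a.verifier_impersonation_resistant for a in counted)
    if hardware and vir:
        return 3, notes
    if not vir:
        notes.append("no verifier-impersonation-resistant authenticator: "
                     "phishing/MitM risk remains")
    return 2, notes


if __name__ == "__main__":
    sessions = {
        "password only": [MEMORIZED_SECRET],
        "password + SMS": [MEMORIZED_SECRET, SMS_OOB],
        "password + OTP device": [MEMORIZED_SECRET, OTP_DEVICE],
        "MFA crypto software": [MFA_CRYPTO_SOFTWARE],
        "password + U2F": [MEMORIZED_SECRET, U2F_DEVICE],
        "MFA crypto device": [MFA_CRYPTO_DEVICE],
    }
    for label, used in sessions.items():
        level, notes = assurance_level(used)
        print(f"{label}: AAL{level} {notes}")
```

Running the block shows the point of the section: a password plus an SMS code still counts as two factors (AAL2) but carries a restricted-authenticator note, while a password plus a U2F device reaches AAL3 because the hardware authenticator also resists verifier impersonation. A deployment that wants to stop crediting SMS altogether can evaluate sessions with `allow_restricted=False`, which drops password-plus-SMS back to AAL1.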