NIST issues guidance to fit passkeys into digital identity recommendations

The U.S. National Institute and Standards Institute has published a supplement to its digital identity guidelines as interim advice for agencies to use authenticators like passkeys that work across different devices.

The “Incorporating syncable authenticators” supplement to NIST SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, provides guidance on using these authenticators, which are typically but not necessarily passkeys, in enterprise or public-facing applications.

It comes in recognition of the phishing-resistant security provided by passkeys, but also their non-compliance with the existing Digital Identity Guidelines. As such, the supplement sets out requirements and considerations for passkeys to meet Authentication Assurance Level 2 (AAL2).

The standards behind passkeys have matured since NIST published its initial guidelines, the agency says, and major consumer platforms have adopted them.

NIST notes that the FIDO Alliance estimates 8 billion user accounts support authentication with passkeys. “While not yet ubiquitous, they are becoming more common by the day,” writes NIST Digital Identity Program Lead for the Applied Cybersecurity Division Ryan Galluzzo in a blog post explaining the changes.

NIST notes the change in authenticator technology that prompted the publication of the 19-page supplement in its introduction:

“Typically, this authentication type protects a cryptographic key in hardware or software that requires activation through a second authentication factor, either a memorized secret or a biometric characteristic. Protecting the private key from unauthorized exposure is fundamental to the security model of a multi-factor cryptographic authenticator. This traditionally includes ensuring that private keys are not exportable or cloneable. However, this paradigm is starting to change. Notably, a new series of authentication protocols and specifications has led to the rapid adoption of syncable authenticators (commonly referred to as ‘passkeys’), which allow users to synchronize (i.e., duplicate) a private key between different devices.”

The FIDO Alliance has been explicitly seeking recognition of phishing resistance from NIST since 2020, and the agency included phishing resistance in its update to SP 800-63B last year. A blog post from NIST in December noted that this update specifically reflects the rise of passkeys and “emerging credential types.”

The supplement maps different attack types against AAL2, and sets out requirements for syncable authenticators. They must be generated using approved cryptographic methods and must be stored in encrypted form. Private keys stored in the cloud must be protected by “AAL2 equivalent MFA” access control mechanisms. Federal keys must be stored in FISMA Moderate environments. The document also covers implementation considerations, threats and challenges.

The second public comment period for SP-800-63-4 is expected later this year, at which point NIST will take comments on the supplement. The changes will be incorporated into Revision 4, and NIST will rescind the supplement as it will no longer be necessary.

Passkeys and FIDO protocol growth continues

The FIDO Alliance hailed NIST’s move as an important step away from passwords and towards robust phishing resistance.

“This new NIST guidance makes clear that passkeys – like other FIDO authenticators – can support both AAL2 and AAL3 requirements. Synced passkeys can be AAL2 and device-bound passkeys can be AAL3,” writes FIDO Alliance Executive Director and CEO Andrew Shikiar.

And passkeys continue to roll out.

Supply chain management provider apexanalytix is launching passkeys to enable suppliers to log into their accounts with native device fingerprint or face biometrics or a screen unlock code. The launch will protect against business email compromise, fraud and data breaches, the company says.

Enterprise credential management provider Versasec has not added passkeys, at least yet, but has added support for passwordless authenticators based on FIDO2 fingerprint biometrics. The new capability is included in version 6.11 of Versasec’s vSEC:CMS and vSEC:CLOUD credential management systems. The cryptography to implement passkeys could follow next.

Article Topics

AAL2  |  apexanalytix  |  biometric authentication  |  biometrics  |  digital identity  |  FIDO Alliance  |  NIST  |  passkeys  |  Ryan Galluzzo  |  Versasec