Read NIST’s Digital Identity Guidelines!
More than a year in the making, and after a large, cross-industry effort, NIST is proud to announce the new SP 800-63.
The Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication covers: an overview of identity frameworks; the use of authenticators, credentials, and assertions in a digital system; and a risk-based process for selecting assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs.
SP 800-63 comprises a suite of documents that can be used independently or in concert to meet identity needs.
Changes to 800-63 since the last version
For the new SP 800-63, NIST sought to simplify and clarify guidance, better align with commercial markets, promote international interoperability, and focus on outcomes (where possible) to promote innovation and deployment flexibility. Furthermore, the updates in this publication give relying parties latitude in designing, building, consuming, and procuring identity technology.
- Broke down level of assurance into its independent parts: identity proofing, authenticators, and federated assertions
- Created multiple volumes with clear distinctions between normative and informative language, so each volume is a one-stop shop for mandatory requirements and recommended approaches
- Gave identity proofing a major overhaul, with support from UK and Canadian peers; guidance supports in-person proofing over a virtual channel, though under a strict set of requirements
- Clarified that knowledge-based verification is limited to specific portions of the identity proofing process and never sufficient on its own
- Placed additional restrictions on the use of SMS for a one-time password (OTP) and removed OTP via email
- Addressed the security required for centralized biometric matching
- Updated terminology to clarify language across the identity space
Before NIST released SP 800-63 as final, community participation in drafting the publication resulted in 1,400+ comments—and the web version of the publication drew 74,000+ unique visitors between May 2016 and May 2017.
NIST will work with the community to prepare implementation guidance for the Digital Identity Guidelines. The goal is to give implementers easily deployable guidance and help them meet the requirements.
NIST is drafting SP 800-63D, a relatively simple additional volume detailing efforts to align with international technical specifications for interoperable identity in federations—including SAML profiles and an iGov OpenID Connect/OAuth profile developed in partnership with industry and other governments.
June 2017 | SP 800-63-3 published
May 2017 | Draft SP 800-63-3 public comment closes
January 2017 | Draft SP 800-63-3 released for public comment
September 2016 | Draft SP 800-63-3 public preview closes
May 2016 | Draft SP 800-63-3 released for public preview
May 2015 | Public comment on SP 800-63-2 closes
April 2015 | Public comment on SP 800-63-2 opens
August 2013 | SP 800-63-2 published
December 2011 | SP 800-63-1 published
April 2006 | SP 800-63 version 1.0.2 published
September 2004 | SP 800-63 version 1.0.1 published
June 2004 | SP 800-63 first published
- FAQs | GitHub
- Public draft informational webinar | video | slides
Source information, current standards, and public comments received through May 2015
Related blog posts
Return of the Great Zoltan! Our 800-63 FAQs answer life’s most perplexing questions (about digital identity, anyway). | July 2017
Mic Drop — Announcing the New Special Publication 800-63 Suite! | June 2017
A minor plot twist: comment period extended for part of SP 800-63-3 | March 2017