Special Publication 800-63

Read NIST’s Digital Identity Guidelines!

More than a year in the making, and after a large, cross-industry effort, NIST is proud to announce the new SP 800-63.

The basics

The Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication includes: an overview of identity frameworks; using authenticators, credentials, and assertions in a digital system; and a risk-based process to select assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs.

SP 800-63 comprises a suite of documents that can be used independently or in concert to meet identity needs.

The suite

  • SP 800-63-3: Digital Identity Guidelines | GitHub | PDF
  • SP 800-63A: Enrollment & Identity Proofing | GitHub | PDF
  • SP 800-63B: Authentication & Lifecycle Management | GitHub | PDF
  • SP 800-63C: Federation & Assertions | GitHub | PDF

Changes to 800-63 since the last version

For the new SP 800-63, NIST sought to simplify and clarify guidance, better align with commercial markets, promote international interoperability, and focus on outcomes (where possible) to promote innovation and deployment flexibility. Furthermore, the updates in this publication give relying parties latitude in designing, building, consuming, and procuring identity technology.

Highlights:

  • Broke down level of assurance into its independent parts: identity proofing, authenticators, and federated assertions
  • Created multiple volumes with clear distinctions between normative and informative language, so each volume is a one-stop shop for mandatory requirements and recommended approaches
  • Gave identity proofing a major overhaul, with support from UK and Canadian peers; guidance supports in-person proofing over a virtual channel, though under a strict set of requirements
  • Clarified that knowledge-based verification is limited to specific portions of the identity proofing process and never sufficient on its own
  • Placed additional restrictions on the use of SMS for a one-time password (OTP) and removed OTP via email
  • Addressed the security required for centralized biometric matching
  • Updated terminology to clarify language across the identity space

Approach

Comments on GitHub and unique visitors to the web version of the draft publication

NIST has co-developed SP 800-63-3 with the community (feedback was solicited via GitHub and by email at dig-comments [at] nist.gov) to ensure that it helps organizations implement effective digital identity services, reflects available technologies in the market, and makes room for innovations on the horizon. GitHub has enabled NIST to engage the community in near-real-time to more efficiently create a better product. The SP 800-63 update process included multiple iterations and opportunities for stakeholders to weigh in on the document.

Before NIST released SP 800-63 as final, community participation in drafting the publication resulted in 1,400+ comments—and the web version of the publication drew 74,000+ unique visitors between May 2016 and May 2017.

Looking forward

Implementation guidance

NIST will work with the community to prepare implementation guidance for the Digital Identity Guidelines. The goal is to give implementers easily deployable guidance and help them meet the requirements.

SP 800-63D

NIST is drafting SP 800-63D, a relatively simple additional volume detailing efforts to align with international technical specifications for interoperable identity in federations—including SAML profiles and an iGov OpenID Connect/OAuth profile developed in partnership with industry and other governments.

Timeline

June 2017 | SP 800-63-3 published | more

May 2017 | Draft SP 800-63-3 public comment closes

February 2017 | Draft SP 800-63-3 public draft webinar held | video | slides

January 2017 | Draft SP 800-63-3 released for public comment | more

September 2016 | Draft SP 800-63-3 public preview closes | more

May 2016 | Draft SP 800-63-3 released for public preview | more

May 2015 | Public comment on SP 800-63-2 closes | more

April 2015 | Public comment on SP 800-63-2 opens | more

August 2013 | SP 800-63-2 published | PDF

December 2011 | SP 800-63-1 published | PDF

April 2006 | SP 800-63 version 1.0.2 published | PDF

September 2004 | SP 800-63 version 1.0.1 published

June 2004 | SP 800-63 first published

Learn more

  • FAQs | GitHub
  • Public draft informational webinar | video | slides
  • Source information, current standards, and public comments received through May 2015 | more

Related blog posts

  • Return of the Great Zoltan! Our 800-63 FAQs answer life’s most perplexing questions (about digital identity, anyway). | July 2017 | more
  • Mic Drop — Announcing the New Special Publication 800-63 Suite! | June 2017 | more
  • A minor plot twist: comment period extended for part of SP 800-63-3 | March 2017 | more
  • Public comment period announcement | January 2017 | more
  • Thank you for a successful public preview | September 2016 | more
  • Public preview announcement | May 2016 | more

Created May 2, 2016, Updated November 9, 2017