Read NIST’s Digital Identity Guidelines!
More than a year in the making, and after a large, cross-industry effort, NIST is proud to announce the new SP 800-63.
The Special Publication (SP) 800-63 suite provides technical requirements for federal agencies implementing digital identity services. The publication covers an overview of identity frameworks; the use of authenticators, credentials, and assertions in a digital system; and a risk-based process for selecting assurance levels. Organizations have the flexibility to choose the appropriate assurance level for their needs.
SP 800-63 comprises a suite of documents that can be used independently or in concert to meet identity needs.
Changes to 800-63 since the last version
For the new SP 800-63, NIST sought to simplify and clarify guidance, better align with commercial markets, promote international interoperability, and focus on outcomes (where possible) to promote innovation and deployment flexibility. Furthermore, the updates in this publication give relying parties latitude in designing, building, consuming, and procuring identity technology.
- Broke down level of assurance into its independent parts: identity proofing, authenticators, and federated assertions
- Created multiple volumes with clear distinctions between normative and informative language, so each volume is a one-stop shop for mandatory requirements and recommended approaches
- Gave identity proofing a major overhaul, with support from UK and Canadian peers; guidance supports in-person proofing over a virtual channel, though under a strict set of requirements
- Clarified that knowledge-based verification is limited to specific portions of the identity proofing process and never sufficient on its own
- Placed additional restrictions on the use of SMS for a one-time password (OTP) and removed OTP via email
- Addressed the security required for centralized biometric matching
- Updated terminology to clarify language across the identity space
Before NIST released SP 800-63 as final, community participation in drafting the publication resulted in 1,400+ comments—and the web version of the publication drew 74,000+ unique visitors between May 2016 and May 2017.
- FAQs | GitHub
- Public draft informational webinar | video | slides
Source information, current standards, and public comments received through May 2015
Related blog posts
Return of the Great Zoltan! Our 800-63 FAQs answer life’s most perplexing questions (about digital identity, anyway). | July 2017
Mic Drop — Announcing the New Special Publication 800-63 Suite! | June 2017
A minor plot twist: comment period extended for part of SP 800-63-3 | March 2017