Digital identity verification needs standards that balance security against usability. NIST Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management", is one volume of the SP 800-63 suite, which federal agencies are required to follow and which many private organizations adopt voluntarily. The suite splits the problem into parts: SP 800-63A covers enrollment and identity proofing, SP 800-63B covers authentication and the lifecycle of authenticators, SP 800-63C covers federation and assertions, and the base document SP 800-63 defines the overall model and the risk-based selection of assurance levels. Together they go well beyond simple password rules and give a clear taxonomy for how much confidence a relying party can place in a user's claimed identity.
Understanding the Digital Identity Guidelines
The base document defines three Identity Assurance Levels (IAL1 to IAL3) for identity proofing, which express how much confidence the proofing process gives in the real-world identity of an applicant and therefore how rigorous the verification must be. It also defines three Authenticator Assurance Levels (AAL1 to AAL3), the subject of SP 800-63B, which express the strength of the authentication process: how many factors are required, whether a hardware-based authenticator is required, and whether the authenticator resists verifier impersonation (phishing). A third axis, the Federation Assurance Level (FAL), covers the strength of assertions passed between systems. The levels are selected independently through a risk assessment, so a low-value action such as posting a blog comment does not require the same scrutiny as authorizing a bank transfer.
Identity Proofing and Verification Processes
Identity proofing, covered in the companion volume SP 800-63A, is the process of establishing that a person claiming an identity is who they say they are by checking real-world evidence; a username or email address is an identifier, not evidence. At IAL2, proofing may be done remotely or in person: the applicant presents evidence such as a passport or driver's license, the evidence is validated, and the applicant is verified against it, commonly by comparing a live facial image with the photograph on the document. IAL3 raises the bar considerably: the applicant must be physically present (in person or in a supervised remote session), stronger evidence is required, and a biometric is collected and retained so that the identity can be tied back to a specific person. These procedures are designed to defeat synthetic identities and to ensure that the applicant is the living person the evidence describes, not someone presenting stolen or fabricated documents.
Authentication and Multi-Factor Security
For the login itself, SP 800-63B is built around multi-factor authentication (MFA). It recognizes three factors: something you know (a memorized secret), something you have (a device or token), and something you are (a biometric). AAL2 and AAL3 require two distinct factors, and a biometric may be used only together with a physical authenticator, never on its own. Security questions are not accepted as an authenticator, and verifiers are told not to prompt for hints or for specific kinds of information such as "What was your first pet's name?", because that information is easily researched or elicited by social engineering. Acceptable second factors include look-up secrets, out-of-band devices, one-time-password (OTP) apps and devices, and cryptographic software or hardware authenticators. Email is not an acceptable out-of-band channel because it does not demonstrate possession of a specific device, and SMS or voice over the public telephone network is classed as restricted, meaning it may be used only with additional risk assessment and notification to users. Any second factor defeats credential stuffing, but a code that a user types can still be relayed to a phishing site; only authenticators that bind to the verifier's identity (verifier impersonation resistance, as provided by origin-bound cryptographic authenticators such as those using WebAuthn) resist phishing, and SP 800-63B requires that property at AAL3.
Password and Memorized Secret Management
Perhaps the most visible change in SP 800-63B is its modernized treatment of memorized secrets. Verifiers SHOULD NOT impose composition rules (mandatory mixtures of character classes) and SHOULD NOT require periodic changes; a forced change is required only when there is evidence that the secret has been compromised. The reasoning is that these rules drive predictable patterns such as rotating from "Password1" to "Password2" rather than producing genuinely stronger secrets. Instead the guidance sets a minimum of 8 characters for user-chosen secrets (6 for randomly generated ones), requires that at least 64 characters be accepted without silent truncation, permits spaces and all printable characters including Unicode (each code point counted as one character, with the string normalized before use), and requires new secrets to be screened against a blocklist of known breached passwords, dictionary words, repetitive or sequential strings, and context-specific words such as the service name or the username. The verifier must also rate-limit failed attempts and store secrets salted and hashed with an approved key derivation function such as PBKDF2. Length plus a blocklist, not arbitrary symbols, is what produces stronger memorized secrets.
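As an added example that is not code from NIST or from this page, the following Python memorized-secret verifier implements the rules described above: Unicode normalization, a length floor of 8 and a 64-character ceiling with no truncation, a blocklist check (the blocklist here is a constructed stand-in for a real breached-password list), rejection of repetitive or sequential runs and of context-specific words, no composition rules, salted PBKDF2 storage, and a failure counter capped at 100 consecutive attempts. The run length of four, the iteration count and the salt size are this example's choices, not numbers taken from the standard.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed blocklist standing in for the large breached-password and
# dictionary list a real verifier would load; entries are stored lowercase.
BLOCKLIST = {"password", "password1", "password2", "123456", "qwerty", "letmein"}

MIN_LEN = 8                 # rev 3: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 64                # rev 3: at least 64 characters must be accepted, never truncated
RUN_LEN = 4                 # length of a repeated/sequential run treated as weak (our choice)
MAX_FAILURES = 100          # rev 3: at most 100 consecutive failed attempts per account
PBKDF2_ITERATIONS = 100_000 # rev 3 floor is 10,000 for PBKDF2; kept modest so the demo is quick
SALT_BYTES = 16             # rev 3 requires at least 32 bits of salt; this is 128 bits


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so composed and decomposed forms of the same text compare
    and hash identically (rev 3 asks for NFKC or NFC normalization)."""
    return unicodedata.normalize("NFKC", secret)


def has_repetitive_or_sequential_run(s: str, run_len: int = RUN_LEN) -> bool:
    """True if s holds run_len identical characters in a row ('aaaa') or run_len
    characters whose code points step by exactly +1 or -1 ('abcd', '4321')."""
    for i in range(len(s) - run_len + 1):
        window = s[i:i + run_len]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def evaluate(secret: str, context_words=()) -> "list[str]":
    """Return the reasons a candidate secret is rejected; an empty list means accepted.
    Deliberately no composition rules and no 'must differ from the old one' rule."""
    s = normalize(secret)
    problems = []
    length = len(s)                      # code points: an emoji or CJK character counts once
    if length < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")   # reject, do not truncate
    lowered = s.lower()
    if lowered in BLOCKLIST:
        problems.append("appears on the blocklist of breached or common passwords")
    for word in context_words:           # service name, username, and similar
        if word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    if has_repetitive_or_sequential_run(s):
        problems.append("contains a repetitive or sequential run")
    return problems


def hash_secret(secret: str, salt: Optional[bytes] = None) -> "tuple[bytes, bytes]":
    """Salted PBKDF2-HMAC-SHA256 over the normalized secret; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


class Verifier:
    """Per-account record of [salt, digest, consecutive failures] with throttling."""

    def __init__(self):
        self._records = {}

    def enroll(self, account: str, secret: str, context_words=()) -> "list[str]":
        # The account name itself is a context-specific word that must not appear.
        problems = evaluate(secret, context_words=(account, *context_words))
        if not problems:
            salt, digest = hash_secret(secret)
            self._records[account] = [salt, digest, 0]
        return problems

    def verify(self, account: str, secret: str) -> bool:
        record = self._records.get(account)
        if record is None or record[2] >= MAX_FAILURES:
            return False                 # unknown account or throttled account
        _, digest = hash_secret(secret, record[0])
        if hmac.compare_digest(digest, record[1]):
            record[2] = 0                # a successful login resets the failure counter
            return True
        record[2] += 1
        return False


if __name__ == "__main__":
    for candidate in ("Password1", "abcd1234", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate) or 'accepted'}")
```

Note that `verify` returns the same result for an unknown account, a throttled account and a wrong secret; a production verifier would also equalize timing across those cases and log the throttled state for the operations team.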
Session Management and Lifecycle Considerations
The standard also governs the session that follows a successful login. Revision 3 sets reauthentication limits by AAL: an AAL1 session may last up to 30 days regardless of activity; an AAL2 session must be reauthenticated after 12 hours, or after 30 minutes of inactivity; an AAL3 session after 12 hours, or after 15 minutes of inactivity, and at AAL3 the reauthentication must present both factors. When a limit is reached the session is terminated rather than silently extended, and session secrets must be unguessable, bound to the subscriber, and distinct from authenticators, so a captured session secret cannot be presented to start a new session. SP 800-63B also covers the authenticator lifecycle: binding new authenticators to an account, handling loss, theft or damage, expiration, and revocation. When a subscriber leaves an organization or reports a device lost, the credential service provider suspends or revokes the affected authenticator promptly so that it cannot be used for further access.
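As an added example, not code from NIST or from this page, the following Python models the Revision 3 reauthentication rules: a session is classified against the absolute and inactivity limits for its AAL, activity extends only a session that is still active, reauthentication restarts both clocks, and a session whose authenticator has been revoked is terminated. The `Session` fields, the revoked-authenticator set, the decision to terminate sessions bound to a revoked authenticator, and the `simulate_activity` helper are this example's assumptions rather than text from the standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reauthentication limits from SP 800-63B Revision 3, Section 7.2, keyed by AAL:
# (maximum session length regardless of activity, maximum inactivity).
# AAL1 has no inactivity limit.
REAUTH_POLICY = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}


@dataclass
class Session:
    subscriber: str
    aal: int
    authenticated_at: datetime   # time of the last full authentication event
    last_activity_at: datetime   # time of the most recent request on this session
    authenticator_id: str        # hypothetical field: authenticator the session is bound to


def session_status(session: Session, now: datetime, revoked=frozenset()) -> str:
    """Classify a session at time `now` as 'active', 'reauth_absolute' (lifetime
    exceeded), 'reauth_idle' (inactivity exceeded) or 'terminated' (authenticator
    revoked). Terminating on revocation is this example's choice."""
    if session.authenticator_id in revoked:
        return "terminated"
    max_life, max_idle = REAUTH_POLICY[session.aal]
    if now - session.authenticated_at >= max_life:
        return "reauth_absolute"
    if max_idle is not None and now - session.last_activity_at >= max_idle:
        return "reauth_idle"
    return "active"


def touch(session: Session, now: datetime, revoked=frozenset()) -> str:
    """Record a request. Only an active session is extended; the request that
    arrives after a limit has passed does not silently revive the session."""
    status = session_status(session, now, revoked)
    if status == "active":
        session.last_activity_at = now
    return status


def reauthenticate(session: Session, now: datetime) -> None:
    """After a successful reauthentication both clocks restart."""
    session.authenticated_at = now
    session.last_activity_at = now


def simulate_activity(session: Session, start: datetime, step: timedelta,
                      requests: int, revoked=frozenset()):
    """Send `requests` requests `step` apart beginning at start + step. Return the
    first non-active status and when it was observed, or ('active', last_time)."""
    now = start
    for _ in range(requests):
        now += step
        status = touch(session, now, revoked)
        if status != "active":
            return status, now
    return "active", now


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    s = Session("alice", 2, t0, t0, "key-1")
    # Steady activity every 20 minutes never trips the 30-minute idle limit,
    # so the 12-hour absolute limit is what ends the AAL2 session.
    print(simulate_activity(s, t0, timedelta(minutes=20), 40))
```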