The National Institute of Standards and Technology (NIST) is seeking feedback on the draft document NIST SP-800-63B, which is a standard for identity verification that was last updated in 2017. This latest update focuses on enhancing the security standard of Passkey, which allows users to log in without the need for passwords and enables cross-device synchronization.
The document refers to this type of identity verification as a Syncable Authenticator, which outlines guidelines for development. It specifies that encrypted processes must be used, keys must be stored in encrypted form at all times, even when syncing via the cloud, values can only be read by users, access to keys must confirm the user’s identity at AAL2 level or higher, and the system must have non-exportable cross-device synchronization capabilities, necessary for AAL3 level identity verification.
An authenticator following this standard must feature user presence confirmation, such as pressing a button on a USB key, user verification, such as fingerprint scanning before confirming a message, backup eligibility status of keys, and whether keys have been backed up or not.
The document recommends that public-facing applications should not restrict cross-device key synchronization features, as this may lead users to opt for less secure options like phone-based OTP.
Feedback on this document is open until October 7th.
TLDR: NIST is seeking feedback on updates to the identity verification standard, emphasizing security improvements for Passkey and cross-device synchronization with the new Syncable Authenticator guidelines.
Leave a Comment