The National Institute of Standards and Technology (NIST) issued a supplement to its digital identity guidelines on April 22 that offers interim guidance to agencies looking to use “syncable authenticators” – such as passkeys – in both enterprise-facing and public-facing use cases.
In an April 22 blog post, NIST explains that just as extra vitamin C is helpful during flu season, extra cybersecurity guidance is helpful to meet a changing technology and risk environment.
NIST points out that “a lot has changed” since it first published its NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management in 2017 and last updated it in 2020.
“The standards and specifications to support syncable authenticators had not been developed when the guidelines were initially developed and published,” Ryan Galluzzo, NIST’s digital identity program lead for the Applied Cybersecurity Division, wrote in the blog post.
“Since that time, the standards have matured and most major consumer platforms have put in place support for syncable authenticators,” Galluzzo added. “So far, FIDO Alliance estimates that over 8 billion user accounts now have the option to use passkeys for authentication. While not yet ubiquitous, they are becoming more common by the day.”
For those who are not cybersecurity experts, Galluzzo explains that a syncable authenticator is “any cryptographic authenticator that allows for the private key to be cloned and stored separate of the authenticator to support use of that key across different devices.”
Typically, these are what are called “passkeys” by the FIDO Alliance, an open industry association that aims to develop and promote authentication standards.
NIST said that such authenticators would have been considered “non-compliant” under its original digital identity guidelines. The supplement provides additional requirements and considerations that allow their use at Authenticator Assurance Level 2 (AAL2).
The agency noted that there will not be a public comment period for this supplement, as it incorporated feedback from the initial public comment period on SP 800-63-4.
NIST is currently working on the fourth revision of its digital identity guidelines, and it plans to hold a second public comment period for Revision 4 later this year. “Additional comments on syncable authenticators and the overall content of the supplement can be submitted” during that time, Galluzzo said.
“Agencies strictly following the normative text of Digital Identity Guidelines would not be allowed to use syncable authenticators,” Galluzzo emphasized. “This supplement addresses an immediate need for many agencies by providing direction on how to use a new security technology that provides strong, usable, phishing-resistant authentication in support of the Federal Zero Trust strategy. Once Revision 4 is finalized, this supplement will be rescinded.”