We all need supplements sometimes. Whether it’s a little extra vitamin C during flu season or some vitamin D during the dark days of Winter. When used correctly, supplements help our body adjust to the changing conditions around us. Similarly, we are applying this same concept for the first time to our NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. Today, we published a supplement that provides interim guidance for agencies seeking to make use of ‘syncable authenticators’ (for example, passkeys) in both enterprise-facing and public-facing use cases.
What is a supplement?
A supplement is a specific document type that is intended to enhance, augment, or elaborate on an existing NIST Special Publication (SP). They allow for targeted updates or modifications without having to go through the process of updating the entire SP. They provide a mechanism for NIST to more rapidly adapt to changes in the technology and risk environments (for example, providing requirements for new authenticator types like syncable authenticators).
What is a syncable authenticator?
A syncable authenticator is any cryptographic authenticator that allows for the private key to be cloned and stored separate of the authenticator to support use of that key across different devices (for example, syncing). In practice, these are typically what are called ‘passkeys’ by the FIDO Alliance and make use of multiple standards and protocols such as the Client-to-Authenticator Protocol and World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn).
When implemented correctly, they provide a phishing-resistant authenticator with many benefits, such as simplified recovery, cross device support, and consumer friendly platform authentication support (for example, native biometrics). Such authenticators would have been considered non-compliant in the context of Digital Identity Guidelines, and the supplement provides additional requirements and considerations to allow for their use at Authentication Assurance Level 2 (AAL2).
What has changed since Digital Identity Guidelines were published?
A lot has changed. The standards and specifications to support syncable authenticators had not been developed when the Guidelines were initially developed and published. Since that time, the standards have matured and most major consumer platforms have put in place support for syncable authenticators. So far, FIDO Alliance estimates that over 8 billion* user accounts now have the option to use passkeys for authentication. While not yet ubiquitous, they are becoming more common by the day.
Aren’t there risks to cloning keys?
Yes, there are always risks. The requirements in the supplement are intended to address as many of these as possible, including methods for storing, transmitting, and protecting the keys. There are unique risks that come along with syncable authenticators, specifically the ability in some technical implementations for users to share their authentication key with other individuals. The ability to share authenticators is not unique to syncable keys – nearly any AAL2 authenticators can be shared. but contrary to years of security policies, some implementations promote syncable authenticator sharing as a secure alternative to password sharing in many consumer scenarios.
As with all instances, organizations should evaluate every type of authenticator they offer and weigh the benefits and risks associated with them before implementing. Syncable authenticators are not going to be appropriate for every application or service, but they do represent an emerging AAL2 authenticator option with many benefits to both the end-user and the relying party.
Is there going to be a public comment period?
Not for this supplement. Feedback from the initial public comment period on SP 800-63-4 was incorporated into this supplement. Additional comments on syncable authenticators and the overall content of the supplement can be submitted through the upcoming second public comment period for Revision 4. This will occur later this year.
Why not wait for Revision 4 to be completed?
As noted above, agencies strictly following the normative text of Digital Identity Guidelines would not be allowed to use syncable authenticators. This supplement addresses an immediate need for many agencies by providing direction on how to use a new security technology that provides strong, usable, phishing resistant authentication in support of the Federal Zero Trust strategy. Once Revision 4 is finalized, this supplement will be rescinded.
Questions?
Feel free to email us via dig_comments [at] nist.gov (dig_comments[at]nist[dot]gov).
*This statistic was provided by Fido Alliance and does not imply that 8 billion users have opted to use the passkey feature.