The National Institute of Standards and Technology – NIST – has announced the release of a new supplement to the NIST SP 800-63B Digital Identity Guidelines, focusing on the use of ‘syncable authenticators’, commonly known as passkeys. This marks a significant update aimed at enhancing authentication and lifecycle management for both enterprise and public sectors.

A ‘supplement’, as defined by NIST, is a document designed to provide additional information or updates to existing Special Publications (SPs) without rewriting the entire publication. This approach allows NIST to swiftly respond to technological advancements and changes in risk landscapes. The current supplement introduces guidelines for implementing syncable authenticators or passkeys, which are phishing-resistant cryptographic authenticators that support cross-device use through private key cloning.

This development comes in response to significant progress in the underlying standards required for passkeys, which were not fully developed when the original Digital Identity Guidelines were published. With the adoption of these standards by major consumer platforms, the use of syncable authenticators has grown, offering simplified recovery processes, cross-device support, and user-friendly authentication options like native biometrics. The new supplement aims to clarify their use at Authentication Assurance Level 2, underscoring the evolving nature of digital identity security.

However, NIST acknowledges the risks associated with key cloning, including the potential for key sharing among users. The supplement outlines requirements and considerations to mitigate these risks, emphasising the importance of careful evaluation before implementation. Despite the benefits of syncable authenticators, NIST advises that they may not suit every application or service.
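As an added illustration (not code from NIST's supplement or from this article), the check below shows how a relying party can distinguish a synced passkey from a device-bound one: WebAuthn authenticator data carries Backup Eligible (BE) and Backup State (BS) flags that signal a cloneable private key, and the verifier can apply its own policy to them. The rpId `example.com`, the sample authenticator data, the policy strings and the requirement for user verification are assumptions constructed for this example.

```python
import hashlib
import struct
from dataclasses import dataclass

# WebAuthn authenticatorData flag bits (byte 32 of the structure).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: private key may be synced (cloned) to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash=data[:32], flags=data[32], sign_count=sign_count)

def is_syncable(ad: AuthData) -> bool:
    """BE set means the authenticator may clone this key: a syncable authenticator."""
    return bool(ad.flags & FLAG_BE)

def check_assertion(data: bytes, rp_id: str, allow_syncable: bool) -> str:
    """Assumed relying-party policy: bind to rpId, require UV, then apply the syncable decision."""
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not (ad.flags & FLAG_UP and ad.flags & FLAG_UV):
        return "reject: user presence and verification required"
    if ad.flags & FLAG_BS and not ad.flags & FLAG_BE:
        return "reject: BS set without BE is an invalid flag combination"
    if is_syncable(ad) and not allow_syncable:
        return "reject: syncable authenticator not permitted by policy"
    return "accept: syncable" if is_syncable(ad) else "accept: device-bound"

def _sample(flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData for rpId example.com (no attested credential or extensions)."""
    return hashlib.sha256(b"example.com").digest() + bytes([flags]) + struct.pack(">I", sign_count)

# Constructed samples: a synced passkey (signCount 0 is typical for platform passkeys) and a device-bound key.
SYNCED_PASSKEY = _sample(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND_KEY = _sample(FLAG_UP | FLAG_UV, 7)

if __name__ == "__main__":
    print(check_assertion(SYNCED_PASSKEY, "example.com", allow_syncable=False))
    print(check_assertion(DEVICE_BOUND_KEY, "example.com", allow_syncable=False))
```

Whether to accept a credential with BE set is the policy decision the supplement asks each service to make for itself; the flags only make the decision observable.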

Unlike typical updates, this supplement will not undergo a public comment period, as it incorporates feedback from previous consultations. It aims to address immediate needs within agencies, aligning with the Federal Zero Trust strategy by providing guidance on a secure and user-friendly authentication technology. Once NIST finalises Revision 4 of the Digital Identity Guidelines, the supplement will be rescinded, further integrating these updates into the broader framework.