Knowledge Center / NIST 800-63
NIST · Global

NIST SP 800-63 (Digital Identity)

Digital identity guidelines — identity proofing, authentication and federation.

Introduction to NIST SP 800-63 (Digital Identity Guidelines)

NIST Special Publication 800-63, the Digital Identity Guidelines, is the United States federal reference standard for how organisations prove who a person is online (identity proofing), how they authenticate that person on return visits (authentication), and how identity assertions are conveyed between systems in a federation. Although issued by the National Institute of Standards and Technology (NIST) for use by US federal agencies under OMB Circular A-130 and OMB Memorandum M-19-17, it has become the de facto global benchmark for digital identity assurance, cited by banks, healthcare providers, government service portals, and technology platforms far beyond the US public sector.

The publication is a suite, not a single document. The parent document SP 800-63 sets the overall model, while three volumes decompose the problem into orthogonal assurance dimensions: SP 800-63A (Enrolment and Identity Proofing), SP 800-63B (Authentication and Authenticator Management), and SP 800-63C (Federation and Assertions). A crucial break from earlier thinking is that these assurance levels are decoupled: an organisation selects an Identity Assurance Level (IAL), an Authenticator Assurance Level (AAL), and a Federation Assurance Level (FAL) independently, based on a risk assessment of each digital service, rather than lumping everything under one monolithic Level of Assurance (LOA) as the retired SP 800-63-2 did.

This guide is written for two audiences at once. For the auditor or assessor, it enumerates every requirement family, the assurance-level ladder, and the specific evidence that demonstrates conformance. For the implementer, product owner, and identity engineer, it explains the design consequences of each level so that IAL, AAL, and FAL choices can be baked into architecture rather than bolted on before an audit. This guide reflects the third revision, SP 800-63-3, as the widely deployed baseline while noting the material changes introduced by the fourth revision, SP 800-63-4.

Copyright and source note
NIST SP 800-63 and its constituent volumes (A/B/C) are publications of the US National Institute of Standards and Technology. As US Government works they are in the public domain in the United States; nevertheless, all normative text, requirement identifiers, and level definitions are the intellectual product of NIST. This CyberSigma guide is original explanatory and audit-oriented commentary. It paraphrases and interprets the standard for assessment purposes and does not reproduce NIST's normative text verbatim. Always work from the authoritative source at pages.nist.gov/800-63-3 (or the current -4 release) for the controlling requirements.

What is NIST SP 800-63

NIST SP 800-63 defines a risk-based framework for digital identity. Its core proposition is that an organisation should not simply demand the strongest possible identity checks and authentication for every service; instead it should assess the harm that would result from an identity error and then select the minimum assurance necessary to keep residual risk acceptable. Over-collecting identity data or forcing excessive authentication friction is treated as a real cost and, in the -4 revision, an explicit privacy and equity risk.

The standard separates identity into three lifecycle problems and gives each its own volume and its own assurance ladder:

  • Identity Assurance Level (IAL), governed by SP 800-63A: how confident are we that a real-world person is who they claim to be? Ranges from IAL1 (self-asserted, no proofing) to IAL2 (remote or in-person proofing of validated evidence) to IAL3 (in-person or supervised remote proofing with biometric binding).
  • Authenticator Assurance Level (AAL), governed by SP 800-63B: how confident are we that the person returning is the same person who enrolled? Ranges from AAL1 (single factor permitted) to AAL2 (two-factor, approved cryptography) to AAL3 (hardware-based, phishing-resistant, verifier impersonation resistant).
  • Federation Assurance Level (FAL), governed by SP 800-63C: how strong is the assertion protocol when a Credential Service Provider (CSP) or Identity Provider (IdP) passes an authenticated identity to a Relying Party (RP)? Ranges from FAL1 (bearer assertion, signed) to FAL2 (encrypted/injected assertion) to FAL3 (assertion bound to a holder-of-key authenticator).

The framework also introduces defined actors: the Applicant (person undergoing proofing), the Subscriber (enrolled person), the Credential Service Provider (CSP, which proofs, issues, and manages authenticators), the Verifier (which checks authenticators), the Identity Provider (IdP), and the Relying Party (RP, the service consuming the identity). Clear separation of these roles is itself an assessment concern because a poorly bounded CSP/RP split undermines federation assurance.

SP 800-63-4 (the fourth revision) extends this model with mandatory continuous evaluation of fraud, equity and usability; a stronger treatment of syncable authenticators (passkeys); explicit support for digital evidence and mobile driving licences; and a requirement for a documented Digital Identity Acceptance Statement. Where a control differs between -3 and -4 this guide flags it.

Who must comply with NIST SP 800-63

Compliance is mandatory for some organisations and strongly advisable for many others. The following table summarises applicability.

Organisation typeBasis of obligationPractical driver
US federal executive-branch agenciesOMB Circular A-130 and M-19-17 make SP 800-63 bindingAgency ATO (Authorisation to Operate) and FISMA compliance depend on it
Contractors and cloud providers serving US agenciesFlow-down via FedRAMP and FAR/DFARS clausesLogin.gov, ID.me and CSPs must map to IAL/AAL/FAL
State and local government digital servicesFrequently adopt 800-63 by policy or grant conditionBenefits portals, tax and licensing systems
Banks, fintechs and payment institutions (global)Voluntary best practice; regulators reference itKYC/CIP proofing and strong customer authentication design
Healthcare and health-IT organisationsReferenced by ONC and used to meet HIPAA identity controlsPatient portals, e-prescribing (EPCS) identity proofing
Enterprises deploying customer or workforce IAMDe facto industry benchmark for assuranceJustifying MFA strength and passwordless/passkey roadmaps
Identity providers and CSP vendorsKantara / NIST 63 conformance schemesCertification against IAL/AAL/FAL for procurement
  • Mandatory: any US federal agency system, and any system a federal agency relies on for identity, must be assessed against 800-63 and assigned explicit IAL/AAL/FAL values.
  • Contractual: FedRAMP authorisations, EPCS (DEA electronic prescribing of controlled substances requiring IAL2/AAL2), and many grant programmes embed 800-63 by reference.
  • Voluntary but recommended: financial services, healthcare, telecoms, and any organisation wanting a defensible, risk-based rationale for its proofing and authentication strength.

Structure of NIST SP 800-63

The suite is organised as a parent document plus three normative volumes, each addressing a distinct assurance dimension. Understanding this structure is essential because an assessment must produce a separate conformance conclusion for each volume that is in scope.

VolumeTitleAssurance dimensionLevel ladderKey concepts
SP 800-63-3Digital Identity Guidelines (parent)Overall model and risk selectionN/AActors, xAL selection, digital identity risk assessment
SP 800-63AEnrolment and Identity ProofingIdentity Assurance Level (IAL)IAL1, IAL2, IAL3Evidence strength, validation, verification, resolution, address confirmation
SP 800-63BAuthentication and Lifecycle ManagementAuthenticator Assurance Level (AAL)AAL1, AAL2, AAL3Authenticator types, verifier requirements, reauthentication, session management
SP 800-63CFederation and AssertionsFederation Assurance Level (FAL)FAL1, FAL2, FAL3Assertions, RP/IdP trust agreements, holder-of-key, assertion protection

Each level is cumulative: a higher level inherits the requirements of the level beneath it and adds constraints. The three ladders are independent so that a service can, for example, run at IAL1 (no proofing) but AAL2 (two-factor) — a common pattern for pseudonymous accounts that still need strong login security.

Assurance factorLevel 1Level 2Level 3
IAL (proofing)Self-asserted attributes; no proofing requiredIdentity evidence collected, validated and verified (remote or in person)Identity proofing performed in person or via supervised remote; biometric collected and bound
AAL (authentication)Single or multi-factor; approved cryptography for MFATwo distinct factors; approved cryptography; replay resistanceHardware authenticator; verifier-impersonation (phishing) resistance; both factors hardware/software cryptographic
FAL (federation)Bearer assertion, signed by IdPAssertion additionally encrypted to the RP or injected via back channelHolder-of-key: subscriber proves possession of a key bound to the assertion

Master assessment checklist for NIST SP 800-63

This is the core of the guide. It enumerates every requirement family across the parent document and the three volumes. For each family, the table states what an assessor must verify and the typical evidence an implementer should be ready to produce. No control area is omitted; work through each h3 group in turn.

63-3 Parent: Digital Identity Risk Management

What to verifyTypical evidence
A digital identity risk assessment has been performed for each in-scope serviceCompleted risk assessment worksheet identifying potential impacts across the six A-130 categories
Impact categories are assessed: inconvenience, financial loss, reputational harm, unauthorised release of sensitive info, personal safety, civil/criminal violationsImpact-category scoring matrix with rationale per category
Initial IAL, AAL and FAL are selected independently and justifiedDigital Identity Acceptance Statement (mandatory in -4) recording chosen xALs and residual risk
Compensating and supplemental controls are documented where a level is tailored downTailoring log with control rationale and approver
Assurance selections are periodically re-evaluatedReview cadence record and change history

63A Identity Proofing: General and Enrolment Requirements

What to verifyTypical evidence
The CSP has a documented, risk-informed identity proofing and enrolment processEnrolment procedure document mapped to the selected IAL
The proofing process performs Resolution (uniquely resolves to one identity), Validation (evidence is genuine), and Verification (evidence relates to the applicant)Process design showing all three phases and their controls
Collected PII is limited to the minimum necessary and retention is definedData-minimisation and retention schedule; privacy notice
Applicant is notified of the proofing, its purpose, and consequencesCopy of applicant notice / consent record
Enrolment records are protected and bound to the subscriber accountAccess controls and encryption over enrolment records

63A IAL1 Requirements

What to verifyTypical evidence
No identity proofing is required; attributes may be self-assertedConfiguration showing self-asserted account creation
If any attributes are validated, they are not asserted as proofed to a higher levelAttribute-provenance labelling
Any collected identity evidence is handled per privacy requirementsPrivacy assessment for optionally collected data

63A IAL2 Requirements

What to verifyTypical evidence
Evidence meeting the required strength is collected (e.g. one STRONG + one FAIR, or two STRONG, per the evidence-strength table)Evidence-strength policy and sample proofing records
Each piece of evidence is validated as genuine (document authentication, issuer checks)Document-verification vendor logs; authoritative/issuing-source query results
The applicant is verified as the rightful holder (e.g. liveness/biometric comparison or knowledge-based verification within limits)Liveness/selfie-match logs; verification method configuration
Address of record is confirmed and an enrolment code / notification sentEnrolment-code issuance and confirmation logs
Remote proofing sessions are protected against fraud (session integrity, anti-injection)Trusted-referee or remote-session controls; fraud-signal review
Biometrics, if used at IAL2, meet performance and presentation-attack requirementsPAD test results; false-match/false-non-match rates

63A IAL3 Requirements

What to verifyTypical evidence
Proofing is in person or supervised remote (real-time operator supervision with tamper controls)In-person station procedures or supervised-remote platform attestation
At least the IAL3 evidence strength is met (typically two SUPERIOR/STRONG pieces)Evidence inventory for IAL3 enrolments
A biometric is collected and bound to the identity record for future re-proofing and non-repudiationBiometric enrolment record with binding to account
Physical evidence is inspected for authenticity by a trained operatorOperator training records; inspection checklist
The supervised-remote environment integrity is continuously monitoredSession monitoring and tamper-evidence logs

63B Authenticator Types and Requirements (General)

What to verifyTypical evidence
Only approved authenticator types are used for the target AALAuthenticator inventory mapped to permitted types per AAL
Memorised secrets (passwords) meet composition rules: minimum 8 chars, checked against breach/blocklists, no arbitrary composition or forced periodic rotationPassword policy configuration; breached-password screening integration
Rate limiting / throttling on authentication attempts is enforcedLockout and throttling configuration and logs
Approved cryptography (FIPS-validated where required) underpins cryptographic authenticatorsFIPS 140 validation certificates for modules
Authenticator secrets are stored using salted, computationally hard one-way functionsCredential-storage design and code review evidence

63B AAL1 Requirements

What to verifyTypical evidence
At least one authenticator (single or multi-factor) is requiredAuthentication policy showing single-factor minimum
Replay resistance for the authentication event where applicableNonce/challenge or TLS-channel evidence
Reauthentication at least every 30 days of continuous session or on session endSession-timeout configuration
Approved cryptography used for any cryptographic authenticatorAlgorithm configuration

63B AAL2 Requirements

What to verifyTypical evidence
Two distinct authentication factors are required (something you know/have/are)MFA enforcement configuration
Approved cryptography is used and authenticators are replay resistantProtocol/cipher configuration and MFA vendor attestation
Reauthentication at least every 12 hours, or after 30 minutes inactivitySession and idle-timeout settings
Verifier is resistant to replay and, where feasible, to man-in-the-middleChannel-binding / TLS mutual controls
Biometric factors meet FMR (<=1/10,000) and presentation-attack detection where usedBiometric performance and PAD test reports

63B AAL3 Requirements

What to verifyTypical evidence
A hardware-based authenticator providing verifier impersonation (phishing) resistance is used (e.g. FIDO2/WebAuthn security key, PIV)Hardware authenticator inventory; WebAuthn attestation
Verifier-impersonation resistance and verifier-compromise resistance are demonstratedProtocol analysis showing channel binding to authenticated verifier
Both factors are provided via hardware or software cryptographic authenticatorsAuthenticator composition mapping
Reauthentication at least every 12 hours, or after 15 minutes inactivity, using both factorsSession policy configuration
Authenticator uses an approved cryptographic module (typically FIPS 140 Level 1 overall, Level 3 physical security)FIPS validation certificate and level breakdown

63B Authenticator Lifecycle Management

What to verifyTypical evidence
Authenticator binding at enrolment is controlled and traceableBinding records tying authenticator to subscriber
Account recovery and authenticator reset do not lower the assurance level (e.g. no email-only reset for AAL3)Recovery process design and step-up controls
Lost/stolen/compromised authenticators can be revoked and suspended promptlyRevocation logs and SLA
Subscribers are notified of binding, renewal and revocation eventsNotification templates and dispatch logs
Authenticator expiration, renewal and re-key procedures existLifecycle procedure document

63B Session Management

What to verifyTypical evidence
Session secrets are generated with sufficient entropy and protected in transit and at restSession-token design and TLS configuration
Absolute and idle session timeouts match the AAL requirementsTimeout configuration
Reauthentication events are enforced at session boundariesReauth trigger logs
Sessions can be terminated by the subscriber and on suspicious activityLogout and anomaly-driven termination controls

63C Federation: General and Trust Agreements

What to verifyTypical evidence
A trust agreement or established relationship exists between IdP and RPSigned trust agreement / federation metadata registration
The federation model (static, dynamic) and its registration are documentedFederation architecture description
Attribute disclosure to the RP is minimised and subject to subscriber runtime or configured consentAttribute-release policy and consent records
Assertions carry only the attributes the RP requiresAttribute-request scoping evidence
Pairwise pseudonymous identifiers are used where privacy requires unlinkabilityPPID configuration

63C FAL1 Requirements

What to verifyTypical evidence
Assertions are signed by the IdP and validated by the RPAssertion-signature verification configuration and keys
Bearer assertions are protected in transit (TLS) and time-limitedAssertion lifetime and transport settings
Assertion audience/RP is restricted to the intended partyAudience-restriction claim configuration

63C FAL2 Requirements

What to verifyTypical evidence
Assertion is encrypted to the RP or delivered via a protected back channel (injection)Encryption configuration or back-channel token exchange evidence
Assertion replay protection is enforced (single-use, jti/nonce, tight expiry)Replay-cache / nonce configuration
IdP and RP key management for signing/encryption is documentedKey rotation and storage evidence

63C FAL3 Requirements

What to verifyTypical evidence
The subscriber presents a holder-of-key authenticator bound to the assertionHolder-of-key / bound-token proof-of-possession evidence
The RP verifies proof of possession in addition to assertion validityRP verification logic and logs
The bound key meets the required authenticator assuranceAuthenticator attestation for the bound key

Cross-cutting: Privacy, Usability, Equity and Security

What to verifyTypical evidence
A privacy risk assessment covers identity data collection, use, retention and sharingPrivacy Impact Assessment (PIA) referencing 800-63 data flows
Usability of proofing and authentication is evaluated and friction is justifiedUsability test results; abandonment metrics
Equity assessment checks that proofing does not disproportionately exclude groups (mandatory in -4)Equity/accessibility assessment and remediation log
Security controls (encryption, logging, incident response) protect identity systemsSC/AU/IR control mapping (e.g. to SP 800-53)
Redress and appeal processes exist for proofing failuresDocumented redress / manual-review procedure

Scoping a NIST 800-63 assessment

Scoping determines which services, which volumes, and which assurance levels are under examination. Because the three assurance ladders are independent, scoping must be done per digital service rather than per organisation.

  • Enumerate every digital service or transaction that involves establishing or using an identity, and treat each as a scoping unit.
  • For each unit, decide which volumes apply: services with no proofing are out of scope for 63A at IAL2/3 but still in scope for 63B; non-federated services are out of scope for 63C.
  • Record the selected IAL, AAL and FAL for each unit — the pairing (e.g. IAL1/AAL2/FAL0 where no federation exists) is the scope statement.
  • Identify all actors in scope: internal CSP functions, outsourced proofing vendors, IdPs, and downstream RPs, since third-party CSPs inherit assessment obligations.
  • Include supporting infrastructure: credential stores, biometric subsystems, session managers, and logging that underpin the assurance claims.
  • Exclude, with rationale, systems that neither proof identity nor authenticate subscribers (e.g. purely anonymous public content).
Scoping pitfall
A common error is scoping only the login screen. The assurance claim depends on the whole chain — proofing vendor, credential storage, recovery flows, and session handling. Account recovery in particular is frequently the weakest link because a weak reset path silently downgrades a strong AAL. Scope recovery explicitly.

Implementation approach

A pragmatic 800-63 programme runs in phases. Each phase has defined activities and deliverables so that progress is auditable.

Phase 1 — Risk assessment and level selection

  • Activities: inventory digital services; run the digital identity risk assessment across the six impact categories; select initial IAL/AAL/FAL per service; identify tailoring and compensating controls.
  • Deliverables: service inventory, impact scoring matrix, and a Digital Identity Acceptance Statement per service recording the chosen levels and residual risk.

Phase 2 — Gap analysis

  • Activities: map current proofing, authentication and federation implementations against the requirements for the selected levels; document deltas.
  • Deliverables: gap register with severity, owner and target level for each finding; prioritised remediation backlog.

Phase 3 — Design and remediation

  • Activities: design or procure conformant proofing (evidence validation, liveness), authenticators (FIDO2/passkeys, PIV, OTP), and federation protocols (OIDC/SAML with correct FAL protections); harden recovery and session management.
  • Deliverables: target-state architecture, authenticator and proofing vendor selections, and updated recovery/session designs.

Phase 4 — Implementation and integration

  • Activities: build/configure the controls; integrate breached-password screening, MFA, PAD-tested biometrics, and assertion protection; enforce data minimisation.
  • Deliverables: configured environments, integration test results, and updated privacy/equity assessments.

Phase 5 — Validation, assessment and ATO

  • Activities: independent conformance assessment against each volume; penetration and PAD testing; remediate residual findings; obtain sign-off/ATO.
  • Deliverables: assessment report, evidence pack, and authorised Digital Identity Acceptance Statement.

Phase 6 — Continuous monitoring

  • Activities: monitor fraud, usability and equity metrics; re-evaluate assurance on change; maintain authenticator lifecycle and revocation.
  • Deliverables: monitoring dashboard, periodic re-assessment records, and change-driven risk re-evaluations.

Maturity and capability model

NIST 800-63 does not define a maturity model of its own, but assessors benefit from a capability ladder to describe how robustly an organisation operationalises the guidelines. The following model helps benchmark programmes beyond a pass/fail conformance snapshot.

LevelNameCharacteristicsTypical evidence
1Ad hocAssurance levels not formally selected; proofing and MFA inconsistent; no acceptance statementScattered configs, no risk assessment
2DefinedIAL/AAL/FAL selected per service; policies written; MFA broadly deployedAcceptance statements, documented policies
3ImplementedControls conform to selected levels; breached-password screening, PAD and assertion protection in placeAssessment report, test results
4ManagedFraud, usability and equity metrics tracked; recovery and session hardened; lifecycle managedMetrics dashboards, revocation logs
5OptimisedContinuous re-evaluation; passwordless/phishing-resistant by default; automated assurance monitoringTrend analysis, automated re-assessment

Assessment and audit approach

  1. Confirm scope: list in-scope services and their declared IAL/AAL/FAL from the Digital Identity Acceptance Statements.
  2. Validate the risk assessment: check that impact categories were assessed and that level selections are justified and independent.
  3. Assess 63A proofing: verify resolution, validation and verification meet the target IAL, including evidence strength, liveness/PAD, and address confirmation.
  4. Assess 63B authentication: verify authenticator types, password/breach controls, MFA strength, phishing resistance (for AAL3), and session/reauth timeouts.
  5. Assess 63B lifecycle and recovery: confirm binding, revocation, and that recovery does not downgrade assurance.
  6. Assess 63C federation: verify assertion signing/encryption, replay protection, holder-of-key (FAL3), audience restriction and attribute minimisation.
  7. Test privacy, usability and equity: review the PIA, usability data and equity assessment for exclusion risks.
  8. Perform technical testing: penetration testing, PAD testing, and assertion/session security tests.
  9. Consolidate findings: rate gaps by severity, map to the responsible owner and requirement identifier.
  10. Report and re-assess: issue the assessment report, agree remediation, and schedule re-evaluation on change or at defined intervals.

Evidence request list

  • Governance: digital identity risk assessments, impact scoring matrices, Digital Identity Acceptance Statements, tailoring logs.
  • Proofing (63A): enrolment procedures, evidence-strength policy, document-verification vendor logs, liveness/PAD test reports, address-confirmation/enrolment-code logs, biometric enrolment records.
  • Authentication (63B): authenticator inventory, password policy, breached-password screening evidence, MFA configuration, FIPS 140 certificates, credential-storage design, session/reauth timeout configs, rate-limiting logs.
  • Lifecycle and recovery: binding records, revocation/suspension logs, account-recovery process design, subscriber notification templates.
  • Federation (63C): trust agreements/metadata, assertion signing/encryption configs, replay-protection settings, holder-of-key evidence, attribute-release and consent records, PPID configuration.
  • Privacy, usability, equity: Privacy Impact Assessment, usability/abandonment data, equity and accessibility assessment, redress procedures.
  • Security and operations: encryption and key-management evidence, logging/audit records, incident-response plan, penetration-test reports, third-party (CSP/IdP) attestations.

Roles and responsibilities

RoleResponsibility under 800-63
Service/Business OwnerOwns the digital identity risk decision and signs the Digital Identity Acceptance Statement
Credential Service Provider (CSP)Performs proofing, issues and manages authenticators, maintains enrolment records
Identity Provider (IdP)Authenticates subscribers and issues assertions to relying parties
Relying Party (RP)Consumes assertions, applies FAL protections, requests minimal attributes
VerifierValidates authenticators and enforces AAL requirements at login
Privacy Officer / DPOOwns the PIA, data minimisation and consent for identity data
Security / IAM EngineeringImplements authenticators, session management, encryption and monitoring
Equity / Accessibility LeadAssesses proofing for disparate impact and drives remediation (esp. -4)
Independent Assessor / AuditorEvaluates conformance to each volume and issues the assessment report
Fraud OperationsMonitors proofing/authentication fraud signals and tunes controls

KPIs to track

  • Percentage of digital services with a current Digital Identity Acceptance Statement and assigned xALs.
  • MFA/phishing-resistant authenticator adoption rate (share of logins at AAL2 and AAL3).
  • Proofing pass rate and manual-review/redress rate at IAL2/IAL3.
  • Presentation-attack detection (PAD) effectiveness and biometric false-match / false-non-match rates.
  • Breached-password screening hit rate and password-related account-takeover incidents.
  • Account-recovery abuse rate and mean time to revoke a compromised authenticator.
  • Federation assertion replay/validation failure rate and attribute over-disclosure incidents.
  • Proofing abandonment rate and equity gap (variance in pass rates across demographic groups).
  • Number of open assessment findings by severity and mean time to remediate.

Readiness checklist

  • Digital identity risk assessment completed for every in-scope service across all six impact categories
  • IAL, AAL and FAL selected independently and recorded in a Digital Identity Acceptance Statement
  • Proofing implements resolution, validation and verification to the target IAL with liveness/PAD where required
  • Password policy enforces breach screening, 8+ character minimum and no forced periodic rotation or composition rules
  • MFA enforced to the target AAL; AAL3 services use phishing-resistant hardware authenticators (FIDO2/PIV)
  • Account recovery and reset paths do not downgrade the assurance level
  • Session and reauthentication timeouts match the required AAL
  • Federation assertions are signed, protected (encrypted/injected at FAL2) and, where required, holder-of-key at FAL3
  • Attribute disclosure minimised with consent and, where needed, pairwise pseudonymous identifiers
  • Privacy Impact Assessment, usability evaluation and equity assessment completed
  • FIPS-validated cryptographic modules used where mandated and certificates on file
  • Redress process exists for individuals who fail proofing
  • Third-party CSP/IdP conformance attestations obtained
  • Continuous monitoring of fraud, usability and equity metrics operating

Common gaps

  • Treating identity as one monolithic level instead of selecting IAL, AAL and FAL independently.
  • Weak account recovery (email or knowledge-only reset) that silently downgrades a strong AAL.
  • Persisting legacy password rules — forced periodic rotation, composition complexity — that 800-63B explicitly discourages.
  • No breached-password / blocklist screening on memorised secrets.
  • Claiming AAL3 without genuinely phishing-resistant, verifier-impersonation-resistant hardware authenticators.
  • Missing presentation-attack detection or unvalidated biometric performance in remote IAL2 proofing.
  • Bearer assertions without replay protection, audience restriction or (at FAL2) encryption.
  • Over-collection of PII during proofing and no retention/minimisation policy.
  • Absence of a Digital Identity Acceptance Statement or documented risk rationale.
  • No equity assessment, causing disparate proofing failure rates for some populations (a -4 gap).
  • Unassessed third-party CSPs whose controls are assumed rather than verified.
  • Reauthentication and session timeouts not aligned to the claimed AAL.

NIST SP 800-63 mapped to other frameworks

FrameworkRelationship to 800-63Mapping notes
NIST SP 800-53Provides the underlying security/privacy controls (IA, AC, AU, SC families)800-63 assurance is implemented atop 800-53 IA controls
NIST Cybersecurity Framework (CSF)Identity supports PR.AA (Identity Management and Access Control)800-63 operationalises the CSF Protect identity outcomes
ISO/IEC 29115International entity-authentication assurance framework with LoA 1-4Conceptually parallel; 800-63 splits LoA into IAL/AAL/FAL
eIDAS (EU)Assurance levels Low/Substantial/High for electronic identificationRough alignment: Substantial~IAL2/AAL2, High~IAL3/AAL3
FIDO2 / WebAuthnTechnical authenticator standardDelivers AAL2/AAL3 phishing-resistant authenticators
PCI DSSRequires strong authentication (MFA) for access to cardholder data800-63B AAL2 satisfies PCI MFA intent
Kantara Identity AssuranceAccreditation scheme certifying CSPs against 800-63Provides third-party conformance evidence
FedRAMPCloud authorisation programmeInherits 800-63 IAL/AAL/FAL for identity controls
DEA EPCSE-prescribing of controlled substancesRequires IAL2/AAL2-equivalent proofing and two-factor
How CyberSigma helps
CyberSigma runs end-to-end NIST 800-63 engagements: we perform the digital identity risk assessment, select and justify IAL/AAL/FAL per service, and author your Digital Identity Acceptance Statements. Our assessors gap-test your proofing (63A), authentication and lifecycle (63B) and federation (63C) implementations, including breached-password screening, FIDO2/passkey and PIV rollout, PAD/biometric validation, and assertion-protection reviews. We harden the recovery and session paths that most audits miss, deliver privacy, usability and equity assessments aligned to SP 800-63-4, and provide the evidence pack and remediation roadmap needed for ATO, FedRAMP, EPCS or your board. Talk to CyberSigma to move from ad hoc identity controls to a defensible, risk-based, phishing-resistant identity programme.

Frequently asked questions

What is AAL?
Authenticator Assurance Level (AAL 1–3) describes the strength of the authentication process, with AAL3 requiring phishing-resistant, hardware-based MFA.
Official documents

Need help with NIST 800-63?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.