What is the difference between NIST SP 800-63 Revision 3 and Revision 4?

Revision 3, published in 2017, is the current normative version. Revision 4 is in initial public draft as of March 2026 and introduces several significant changes: it replaces the three discrete IAL levels with a more flexible proofing continuum, adds syncable passkeys as an approved authenticator type, expands privacy and equity requirements (particularly around biometric proofing), introduces continuous evaluation concepts, and adds wallet-based digital identity models. Organizations should implement against Rev. 3 today and prepare to adopt Rev. 4 changes once the final publication is released.

Does NIST SP 800-63 apply to private sector organizations?

SP 800-63 is mandatory for federal agencies, FedRAMP cloud service providers, and any organization required to implement NIST SP 800-53 IA controls. For private sector organizations, 800-63 is not directly mandatory but is widely adopted as the de facto standard for identity and authentication best practices. Many industry frameworks, including HIPAA, PCI DSS, and SOC 2, reference NIST guidance for authentication requirements. Any organization that implements MFA, manages user identities, or operates a federated identity system benefits from aligning with 800-63.

Can SMS-based two-factor authentication satisfy AAL 2?

Yes, but with caveats. SP 800-63B classifies SMS as a "restricted" out-of-band authenticator due to demonstrated vulnerabilities including SIM swapping, SS7 network interception, and SMS redirect attacks. SMS can still be used to achieve AAL 2, but NIST recommends organizations evaluate the risk and develop a migration plan to more secure authenticator types. PTG strongly recommends replacing SMS-based MFA with authenticator apps (TOTP) or FIDO2 hardware keys for any system processing sensitive data.

What authenticator types satisfy AAL 3?

AAL 3 requires a multi-factor cryptographic hardware authenticator that provides verifier impersonation resistance. In practice, two authenticator types satisfy this requirement: FIDO2/WebAuthn security keys configured with a PIN (such as YubiKey 5 series or Google Titan Security Keys), and PIV/CAC smart cards with a PIN. The authenticator must store the private key in tamper-resistant hardware, require two factors (the physical device plus a PIN or biometric), and cryptographically bind to the relying party's domain to prevent phishing.

How does SP 800-63 relate to the NIST Cybersecurity Framework (CSF) 2.0?

NIST CSF 2.0 includes the "Protect" function with the PR.AA (Identity Management, Authentication, and Access Control) category. The PR.AA outcomes reference SP 800-63 for the technical implementation of identity proofing, authentication, and federation. CSF 2.0 tells organizations that they need identity management; SP 800-63 tells them exactly how to implement it and to what assurance level.

What is verifier impersonation resistance and why does it matter?

Verifier impersonation resistance is the property that prevents an attacker from using a fake login page (phishing site) to capture authentication credentials. When a user authenticates with a FIDO2 security key, the key cryptographically verifies that the website's domain matches the domain registered during enrollment. If an attacker creates a phishing site at "login-bank-fake.com" instead of "login.bank.com," the security key refuses to authenticate because the domain does not match. This makes real-time phishing proxy attacks, which bypass traditional MFA by relaying OTP codes in real time, technically impossible.

How does 800-63 apply to organizations pursuing CMMC Level 2?

CMMC Level 2 is based on NIST SP 800-171, which includes 14 controls in the 3.5 (Identification and Authentication) family. These controls reference 800-63 for implementation guidance. CMMC Level 2 effectively requires AAL 2 for all users accessing CUI systems, with phishing-resistant authenticators strongly recommended for privileged accounts. PTG's CMMC assessment process evaluates identity and authentication controls against 800-63B requirements and identifies gaps before the C3PAO assessment.

What is the cost of deploying FIDO2/WebAuthn across an organization?

Hardware FIDO2 security keys cost between $25 and $70 per key depending on the model and features (USB-A, USB-C, NFC, Lightning). PTG recommends issuing two keys per user (primary and backup) to ensure continuity if a key is lost. For a 200-user organization, the hardware cost is approximately $10,000 to $28,000, plus enrollment labor. Authenticator apps (TOTP) are free but do not provide phishing resistance. Platform authenticators (Windows Hello, Apple Touch ID) are free on supported devices and provide phishing resistance, but may not satisfy AAL 3 if the device does not use hardware-backed key storage. PTG provides a complete cost analysis during our compliance assessment, comparing authenticator options based on your specific security requirements and budget.

NIST SP 800-63

Digital Identity Guidelines

NIST SP 800-63 defines assurance levels for identity proofing (IAL), authentication (AAL), and federation (FAL). PTG deploys phishing-resistant MFA, modernizes password policies, and aligns authentication systems with the assurance levels your compliance framework demands.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Deploy Phishing-Resistant MFA Call 919-601-1601

Document Suite

Four Interrelated Publications

SP 800-63 is a suite covering identity proofing, authentication, and federation, each with its own assurance levels.

800-63 Base Document

Establishes the identity model and risk-based framework for selecting IAL, AAL, and FAL levels.

800-63A: Identity Proofing

Covers evidence collection and verification before issuing credentials. Defines IAL 1, IAL 2, and IAL 3.

800-63B: Authentication

Defines authenticator types and AAL levels. Contains the modern password guidance: no forced rotation, no complexity rules.

800-63C: Federation

Governs identity assertion protocols (SAML 2.0, OIDC) and defines FAL 1, FAL 2, and FAL 3 for SSO implementations.

Key Changes

What 800-63 Changed About Passwords

Legacy Practices

Forced Complexity Rules

Requiring uppercase, lowercase, numbers, and symbols that users circumvent with predictable patterns.

Mandatory Rotation

Forcing password changes every 60-90 days, leading to weaker passwords and sticky notes.

NIST 800-63B Guidance

Length Over Complexity

Minimum 8 characters, support up to 64. No complexity rules. Screen against breached password lists.

Phishing-Resistant MFA

FIDO2/WebAuthn hardware keys and platform authenticators that eliminate credential phishing entirely.

Who This Is For

Built For

Federal Agencies Defense Contractors Healthcare Organizations Financial Services Zero Trust Adopters

FAQ

Frequently Asked Questions

Should we still enforce password rotation?

No. NIST 800-63B explicitly recommends against mandatory periodic rotation. Change passwords only when there is evidence of compromise. Combine long passwords with phishing-resistant MFA instead.

What is phishing-resistant MFA?

FIDO2/WebAuthn authenticators (hardware security keys or platform authenticators) that cryptographically bind authentication to the legitimate website, making credential phishing impossible.

How does 800-63 relate to Zero Trust?

SP 800-207 Zero Trust relies on strong identity as its foundation. The Enhanced Identity Governance deployment model is a natural extension of 800-63 assurance levels.

What AAL level does CMMC require?

CMMC Level 2 requires multi-factor authentication aligned with at least AAL 2. Federal mandates increasingly push toward AAL 3 with phishing-resistant authenticators.

Is Revision 4 available yet?

Rev. 4 is in initial public draft. It introduces continuous evaluation, expanded privacy requirements, and syncable passkeys. Implement against Rev. 3 today while monitoring Rev. 4 developments.

Related Resources

Ready to Modernize Your Identity Controls?

PTG deploys phishing-resistant MFA and aligns your authentication to NIST 800-63 assurance levels.

Schedule a Consultation Call 919-601-1601