NIST Recognizes Synced Passkeys as AAL2-Compliant

1. Introduction

As technology moves forward, policies often struggle to keep pace. In authentication, guidance has typically been password-centric, originating in a less complex digital era in the early days of the world wide web in the 1990s. That's why it's great to see NIST (National Institute of Standards and Technology), one of the most influential organizations in standards and technology, respond to the rising adoption of (recently Mastercard , Finom or Revolut ) and push passkeys them with a clear statement. The release of NIST Special Publication (SP) 800-63B's (Digital Identity Guidelines: Authentication and Lifecycle Management ) supplement officially confirms synced passkeys as meeting Authentication Assurance Level 2 (AAL2) standards.

This new supplement is released before the Revision 4, because the great adoption of passkeys outpaces the current documentation cycle. Synced passkeys (the most user-friendly way form of passkeys) are transforming how private keys are managed. They carry the promise of stronger security through phishing -resistant authentication, simplified recovery processes, and better convenience.

However, with this evolution, new challenges emerge, necessitating a thorough understanding of threats and a proper implementation strategy. This blog post will help to understand the meaning of this supplement and helps developers and product managers to leverage passkeys for better user authentication.

2. What is the NIST (National Institute of Standards and Technology)?

NIST, the National Institute of Standards and Technology, is a federal agency within the U.S. Department of Commerce. Tasked with promoting innovation and industrial competitiveness, NIST advances measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

At the heart of NIST's mandate is the development of technology, metrics, and standards to drive innovation and economic growth. When it comes to digital identity and cybersecurity, NIST's guidelines are the gold standard. They lay down the foundational principles for securing digital identities and provide comprehensive frameworks for authentication and lifecycle management, influencing both public and private sectors. NIST does not create laws, but some of its standards are binding for federal agencies in the USA. That is why their significance is so considerable.

By aligning with NIST guidelines, developers and product managers can ensure that their products meet high security and interoperability standards, which are critical for user trust and regulatory compliance.

3. What has NIST Decided in Regards to Synced and Device-Bound Passkeys?

NIST has provided a clear stance on the roles of passkeys in the context of modern authentication requirements. The new supplement shines a spotlight on passkeys, particularly synced passkeys, positioning them as meeting Authentication Assurance Levels AAL2 requirements, and in the case of device-bound passkeys, AAL3 (more on that below).

Synced passkeys are now recognized for their phishing -resistant attributes when deployed according to NIST guidelines, marking a significant endorsement of their security capabilities. Read this article to better understand the distinction between synced and device-bound passkeys .

4. Why is this decision by NIST important?

The significance of NIST's decision to endorse passkeys can't be overstated. It can be a real booster for the adoption of passkeys, especially in regulated industries like banking or healthcare.

Why does this matter so much?

1. NIST is one of the Most Trustworthy Authorities: NIST's guidelines are the benchmark for digital identity protocols worldwide. Its position influences not just the United States but also sets a precedent that international bodies often follow. Thus, the supplementary guidance, like other NIST guidelines, acts as a technical recommendation to adopt passkeys without hesitation It is not legally binding on its own as NIST does not have the force of law behind them. However, federal agencies and contractors working with the government may be required to comply with these guidelines due to specific regulatory or contractual obligations that incorporate NIST standards.
2. NIST’s Guidelines Have Global Impact: The ripple effect of this decision is global. Around the world, organizations have awaited NIST's seal of passkey approval. See also our series on passkeys and strong customer authentication (part 1, part 2, part 3 & part 4) that an official push for passkeys by authorities is often the last step for many organizations. Now, with this supplement, a crucial obstacle is cleared, paving the way for a surge in the adoption of passkeys.
3. Passkeys Improve Security, Not Just UX: The supplement details how synced passkeys align with AAL2 (before they would have been considered non-compliant in the context of digital identity guidelines), undermining that passkeys are not just a UX feature but also a step-up security measure.

This decision by NIST will help the passkey ecosystem overall. Passkeys are now officially aligning with the high standards of Authentication Assurance Levels. This can be seen as an indirect request for industries to move forward with adopting passkeys.

5. Analysis of the Supplement 1 NIST SP 800-63B

Let’s have a more in-depth analysis of the new Supplement 1 NIST SP 800-63B.

5.1 What are Authenticator Assurance Levels (AALs)?

First of all, we need to understand what Authenticator Assurance Levels are and what their impact is.

Authenticator Assurance Levels (AALs) are part of NIST's framework for digital identity guidelines, defining the robustness of authentication processes. These levels measure the confidence in a user’s identity by assessing the strength and assurance of the authentication process. See the following general definition to learn more about the three levels:

5.2 Why are Synced Passkeys AAL2-Compliant?

In the following, you’ll find an overview of AAL2 characteristics and how synced passkeys fulfill them.

Note that we left out “Records Retention Policy” and “Privacy Controls”, as they are required by all Authenticator Assurance Levels.

Another part of the supplement addresses further details concerning the configuration of synced passkeys. To fulfill AAL2 standards, synced passkeys must either initiate a local authentication event to access the locally stored private key or must be utilized alongside an additional authentication method (e.g. password or OTP) if a local authentication method is absent. Within the WebAuthn standard, this is denoted by the User Verification flag found in the authenticator data.

5.1.2 Why are Device-Bound Passkeys AAL3-Compliant?

After assessing synced passkeys as AAL2-compliant, we now take a look at device-bound passkeys to understand why they are AAL3-compliant.

From purely reading the special publication and the supplement, it’s not immediately obvious why synced passkeys are only AAL2-compliant, while device-bound passkeys are AAL3-compliant (according to an official statement by FIDO Alliance Executive Director & CEO Andrew Shikiar ). The main reason we have identified that supports this distinction is that AAL3 requires very high confidence (not just high) that the claimant controls authenticators bound to the subscriber's account. Additionally, AAL3 mandates the use of a hardware-based authenticator , which could be interpreted as being device-bound.

5.2 What are the New Requirements?

Before the supplement, the authenticator ’s ability to clone a cryptographic authentication key from one device to another was restricted. However, synced passkeys explicitly promote the sharing / cloning of passkeys throughout a passkey provider.

5.2.2 General Requirements

The following requirements are now applicable for synced passkeys that make them AAL2-compliant.

1. Proper Cryptography: All keys shall be created using recognized cryptographic methods.
2. Private Keys Only Encrypted: Private keys that are duplicated or transferred from a device shall be kept in a secure, encrypted state.
3. Authentication Only with Private Keys on the Local Device: Every authentication process shall carry out actions involving the private key on the local device. The private key is a cryptographic key that was either created on the device or retrieved from the synced cloud account.
4. Cloud Account Access only for Verified Users: Private keys synced in cloud accounts shall be safeguarded by access control systems, ensuring that only the verified user can access their own private keys in the cloud account.
5. Cloud Account Access only via MFA: Access by users to their private keys within the cloud account shall be safeguarded by MFA that is AAL2-compliant to keep the integrity of the authentication protocols that utilize these synced passkeys.
6. Document & Communicate to Users: These general requirements, along with any additional specific requirements for the deployment of synced passkeys, shall be formally documented and communicated. This includes publication on websites and in digital service policies where relevant.

5.2.3 Federal Enterprise Requirements

Moreover, in federal enterprise scenarios, some additional requirements are in place (e.g. government contractors, government employees or mission partners but not government-to-consumer or public-facing use cases)

1. Only Certified Devices: Private keys used by the federal enterprise shall be kept in synced devices that have been certified to at least FISMA Moderate levels of protection or the equivalent (Whether an iPhone or Android device is compatible with FISMA Moderate level of protection depends on its configuration and management within an organization. For example, implementing a mobile device management (MDM) solution is a key factor. See below for more details).
2. Use Mobile Device Management Software: Devices, such as mobile phones, laptops, and tablets, which create, store, and sync passkeys holding federal enterprise private keys, shall be secured with mobile device management software or equivalent device configuration measures. These protections ensure that passkey sync or sharing with unapproved devices is blocked.
3. Regulated Access to Synced Cloud: Access to the synced cloud shall be regulated through accounts managed by the agency, such as through a centralized identity and access management solution or platform-managed accounts, to ensure enterprise control over the private key lifecycle. As we have pointed out in previous articles , Apple and Google have gone to significant lengths to do so.
4. Support Device Attestation : Authenticators that create private keys should support attestation capabilities. These capabilities can be used to confirm the authenticity and origin of the authenticator , such as through enterprise attestation .

5.3 How Should WebAuthn Properties be Set?

In the following, we analyze WebAuthn server options and how they should be set if the relying party is a federal agency, so that AAL2 threats can be mitigated appropriately.

5.4 How is Attestation Affected by the NIST Supplement?

Agencies might find it beneficial to get more details about the origins and features of the synced passkeys. In WebAuthn, certain authenticators are equipped with attestation features that help identify the manufacturer and capabilities of the authenticator in question. For enterprise-level applications, it's advised that agencies should incorporate attestation that is supported by the passkey providers. Ideally, this should be in the form of an enterprise attestation wherein the Relying Party (RP) is able to request information that uniquely identifies the authenticator. However, attestation for widespread public applications should not be used. Insisting on attestation in these cases could potentially rejecting public users' synced passkeys that lack attestation support. This could lead them towards alternative authentication methods that are less secure and more susceptible to phishing , like SMS OTP.

5.5 New Threat Model and Mitigations

The following table provides an overview of the new threat model for synced passkeys and how these threats can be mitigated.

6. Why Does the Supplement Come Up Now?

When the SP 800-63B guidelines were initially released in 2017, critical technical specifications such as the CTAP and WebAuthn (collectively referred to as FIDO2 when combined) had not been established, nor was there a mature, well-defined range of implementations. At that time, due to the available types of authenticators, the guidelines limited the ability to sync a key across devices for MFA. However, there has been a significant evolution within the past two years. Presently, most leading platform providers (e.g. Apple, Google) have adopted advanced, synced passkeys, which provide several advantages, such as enhancing resistance to phishing attacks, the capacity to bind credentials to specific relying parties, removing the necessity to send passwords across networks, streamlining the process of account recovery, and allowing the use of various device-native biometrics and PINs as a second factor with the stored private key. Additionally, they provide a level of convenience that aligns with the growing trend of using multiple devices across different platforms.

7. What Does this Mean in Practice?

Take, for instance, scenarios where a combination of a password and OTP has been used so far. With the updated guidance from NIST, a synced passkey is not only adequate for fulfilling AAL2 criteria but is superior. In nearly every implementation scenario, the introduction of synced passkeys marks a considerable advancement in security and user experience over the authentication methods currently in use, which are predominantly vulnerable to phishing attacks – be it passwords, OTPs or TOTPs.

8. What Do Other Governmental Agencies Do in Regards to asskeys?

As we already mentioned above, NIST is the gold standard for providing guidance on new standards in the digital authentication space. Other regulatory bodies and organizations are yet to deliver clear statements but after this move by NIST it’s only a matter of time until others catch up (even the data-privacy- and -security-driven European and German bodies). Nevertheless, let’s have a brief look at the stance of the ENISA (EU), NCSC (UK) and BSI (Germany) on synced passkeys.

8.1 European Union: ENISA (European Union Agency for Cybersecurity)

No clear statement on passkeys (be it device-bound or synced) or WebAuthn in general yet by ENISA.

However, they cleared recognized FIDO as an authentication standard for eIDAS2 .

8.2 UK: NCSC (National Cyber Security Centre)

No clear statement on passkeys (be it device-bound or synced) or WebAuthn in general yet by NCSC.

However, the CTO Ollie Whitehouse predicts a great decline in passwords use within a decade . He also mentions that “passkeys could be the modern answer to passwords“.

8.3 Germany: BSI (Bundesamt für Sicherheit in der Informationstechnik)

In March 2024, the BSI pushed passkeys as the new standard for authentication via their social media channels. Besides, they published two major web pages explaining passkeys to the general public and also the cryptography behind it . This recent push can be seen as recognition of passkeys but more details are yet to be published.

9. Conclusion

The endorsement by NIST of synced passkeys as AAL2-compliant represents a major advancement in modern authentication. By recognizing synced passkeys, NIST not only enhances the security framework for digital identities but also paves the way for broader adoption across various sectors. Organizations across the globe, especially those in regulated industries, now have the confidence to integrate passkeys and roll them out to their users, thanks to the clear guidelines and standards set by NIST.

Even in higher risk scenarios, the AAL3-compliance of device-bound passkeys provides a viable option now that is backed by NIST. We expect other authorities like ENIS, NCSC and BSI to also come up soon with their own clear statements regarding the push for passkeys.

Other standard and regulatory will follow the lead, subscribe to our Passkeys Substack to always be update.