nist passwordless

NIST and Passwordless Solutions: Meeting Compliance Needs

Categories: Thought Leadership

While passwordless authentication is a relatively new technology, we often hear concerns from potential customers that it is not NIST 800-63 compliant. 

The source of this incorrect assumption could be a few reasons. First, NIST 800-63 talks about passwords and how users should use them, but says nothing about passwordless authentication. Readers might misinterpret this as an endorsement of the password itself. There are even those that assume that since passwordless is so new, NIST doesn’t have recommendations for it. 

None of the above is true. The truth is that passwordless authentication is NIST 800-63 compliant and a much better solution than simply improving your password policies. This blog explains how a passwordless solution can help you meet your NIST compliance needs.

The basics of NIST 800-63

NIST 800-63 is an effort by the Federal Government to reduce identity theft and fraud by setting standards on the use of passwords. As a whole, NIST 800-63 aims to standardize the processes on how users are authenticated before gaining access to an application or network. NIST 800-63B, in particular, aims to standardize password use around four central tenets: 

  • All passwords must be eight characters or longer.
  • Hints and security questions are prohibited for unauthenticated users.
  • Organizations must check passwords against “values known to be commonly used, expected, or compromised.”
  • The elimination of periodic password resets.

With so much focus on the password throughout this section, it’s not surprising that some might think a completely passwordless authentication system wouldn’t be compliant, but it is.

Beyond Identity is NIST compliant and more

NIST 800-63 aims to prompt government agencies to adopt more robust password practices. However, a far better option is eliminating the password, the most common pain point for users and the most exploited security hole by cybercriminals. While NIST 800-63 does not explicitly mention passwordless, this doesn’t mean that it is non-compliant. Passwordless systems far exceed the NIST's standards set for complexity and security by nature.

The passwordless credentials used by Beyond Identity far exceed the standards set within NIST 800-63B. The secure, device-bound credentials exceed any character requirement and certainly isn’t a “commonly used, expected, or compromised” value. No hints, security questions, nor password resets are needed as the credential is tied to the device and user, and logging in is as simple as a click.

But simply removing the password isn’t enough. Organizations should look for solutions that not only meet NIST guidelines, but exceed them. Beyond Identity’s passwordless authentication platform is one way to make your organization’s network NIST 800-63 compliant.

NIST 800-63B uses a scaled system to describe the strength of digital identity authentication, called “authenticator assurance levels” (AALs). There are three levels, each requiring additional factors. The standard username and password for login would be AAL1 since there is a single factor of authentication, the password.

AAL1 compliance does little to keep your organization safe, and if better network security is your goal, NIST urges organizations to strive for AAL2 instead. Here, two authentication factors are required, either a physical authenticator and a memorized secret or a physical authenticator and a biometric associated with it. 

We believe that even AAL2 isn’t enough, because it can still use phishable factors. Beyond Identity's Authenticator can provide an authentication assurance level consistent with the Authentication Assurance Level 3 when deployed as a component within a larger AAL3 compliant ecosystem.

Beyond Identity provides unparalleled security and uses three unphishable factors to verify the identity of every user and device:

  1. Device biometrics and PINs 
  2. Cryptographic security keys stored in the Trusted Platform Module (TPM) of the device 
  3. Security checks of the user, device, and transaction at the time of login

Beyond Identity also incorporates risk-based authentication and continuous monitoring of the user session to ensure that authentication requests are legitimate, along with a frictionless user experience that is easy to scale.

The Beyond Identity platform not only meets but exceeds the standards set by NIST 800-63. It also eliminates the single biggest cause of security breaches: the password. The result is a much better user experience and a better security posture for your organization.

Meet NIST compliance needs with Beyond Identity

While it is possible to be NIST-compliant without eliminating the password, your organization will remain vulnerable to malicious hackers utilizing various different credential-based attacks at their disposal. Beyond Identity’s platform replaces the password with secure credentials based on X.509 certificates and public-private key pairs, while adhering to NIST compliance standards. 

Beyond Identity’s workforce solutions include:

Learn more about our advanced authentication and get a demo