Apr 9, 2018

NIST Special Publication 800-63B Digital Identity Guidelines

NIST Special Publication 800-63B Digital Identity Guidelines, Authentication and Lifecycle Management includes choices of authenticators that may be used at various Authenticator Assurance Levels (AALs) for use by the US Federal Government.  Authenticators are used to authenticate a user to a resource’s access control mechanism.  Examples of authenticators include credit cards with chips, US Federal Government Personal Identity Verification (PIV) cards and DoD Common Access Cards (CACs).  NIST Special Publication 800-63B Digital Identity Guidelines (NIST SP 800-63B) helps standardize AALs to enable organizations to authenticate each other and share resources.

There are three AALs from AAL1 to AAL3 for which NIST SP 800-63B provides criteria.  The higher the AAL, the harder it is to subvert the authentication process where an authenticator is used.  An AAL is determined based on an authenticator type and other criteria.  Table 1 shows permitted authenticator types identified in NIST SP 800-63B.

Table 1 Permitted Authenticator Types from NIST SP 800-63B

The reader is encouraged to consult NIST SP 800-63B for more detailed descriptions of the authenticator types and AALs.  Some of the authenticator types of Table 1 and their associated weaknesses are shown in Table 2. 

Authenticator Type


Memorized Secret (Something you know.)

Look-up Secret (Something you have.)

Bearer, Replay, Session takeover

Out-of-Band (Something you have.)


Single Factor (SF) Crypto Software (Something you have.)

SF Crypto Device (Something you have.)


SF One-Time-Password (OTP) Device (Something you have.)

Bearer, Session takeover

Multi-Factor (MF) Crypto Software (Something you have, and it SHALL be activated by either something you know or something you are.)

MF Crypto Device (Something you have, and it SHALL be activated by either something you know or something you are.)


MF OTP Device (Something you have, and it SHALL be activated by either something you know or something you are.)

Session takeover

 Table 2:  Authenticator Types and Some Respective Weaknesses

In Table 2, a “Bearer” weakness indicates that the authenticator can be used by anyone that possesses it.   A “Replay” weakness indicates that the authenticator or information from the authenticator can be legitimately used in an authentication transaction and again used by an attacker that intercepts and copies it.  A “Session takeover” weakness is where one can take over an active session after a user has initiated the session.  For example, when someone logs in and leaves their terminal without locking it and another takes their place at the terminal.  While Table 2 indicates this as a weakness, there are ways to help mitigate session takeover such as periodic re-authentication and continuous authentication methods.

The authenticator types in Table 2 alone or in combination help make up the different AALs in NIST SP 800-63B.  The combining of authenticator types helps overcome weaknesses that individual authenticator types have.

The standardization of the AALs and their respective permitted authenticator types helps organizations determine the type of authenticator to use based on risk.   For less valuable assets, an AAL1 capability might be sufficient.  For high value assets where harm due to compromise, destruction or inaccessibility is high, an AAL3 capability might be needed. 

As shown in Table 1, an organization that uses AAL1 permitted authenticators has several options from which to choose – as does an organization that uses AAL2 or AAL3 permitted authenticators.   This provides flexibility to organizations and enables them to make trust determinations based on AALs.  For example, an organization that uses AAL3 authenticators might be willing to let another organization access its resources if the other organization uses AAL3 authenticators.  This is the case with much of the US Government and its use of PIV cards among agencies; PIV cards are AAL3 authenticators.

Ron Sulpizio is an engineer and lawyer with 25 years of information technology experience, specializing in identity and access management, policy writing, cryptography systems, cybersecurity, information sharing, export regulation, privacy and patent prosecution. Ron has been part of the PKH Enterprises team since 2016.
Share on Twitter
Share on Facebook