NIST SP 800-63

NIST SP 800-63 overview

The National Institute of Standards and Technology (NIST) SP 800-63 Digital Identity Guidelines provides technical requirements for federal agencies implementing digital identity services, including identity proofing and authentication of users interacting with government IT systems over open networks. Moreover, healthcare, financial services, and other industries often rely on the NIST SP 800-63 as a baseline for identity and access management requirements. For example, NIST SP 800-63 is referenced by:

• The US Drug Enforcement Administration (DEA) Electronic Prescriptions for Controlled Substances (EPCS)
• The Financial Industry Regulatory Authority (FINRA) notice on multi-factor authentication

NIST SP 800-63 guidelines are referenced in other standards, most notably the US Federal Risk and Authorization Management Program (FedRAMP) that is applicable to cloud service providers (CSPs). FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Several FedRAMP controls in the Identification and Authentication (IA) control family reference NIST SP 800-63, for example, IA-1, IA-5, and IA-8.

NIST SP 800-63 guidelines encompass three areas, and each area sets requirements to achieve a given level of assurance:

• SP 800-63A Enrollment and Identity Proofing sets requirements to achieve a given Identity Assurance Level (IAL): IAL1, IAL2, and IAL3.
• SP 800-63B Authentication and Lifecycle Management addresses how an individual can securely authenticate to credential service provider to access a digital service at a given Authenticator Assurance Level (AAL): AAL1, AAL2, and AAL3.
• SP 800-63C Federation and Assertions provides requirements when using federated identities and assertions to convey the result of authentication at a given Federation Assurance Level (FAL): FAL1, FAL2, and FAL3.

Azure support for NIST SP 800-63

Azure provides guidance for attaining the NIST SP 800-63B Authenticator Assurance Levels by using Azure Active Directory (Azure AD) and other Microsoft solutions. For more information, see Achieving NIST AALs.

The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). For federal systems hosted on Azure, the remote authentication of end users should follow NIST SP 800-63 guidelines. A cloud service provider (CSP) system owner is responsible for selecting the right authentication technology to meet the target assurance level. Azure and Azure Government FedRAMP High authorizations satisfy the security and privacy control requirements for all Authenticator Assurance Levels, including AAL1, AAL2, and AAL3.

Note

Extra resources:

• For a review of authenticator basics, including authentication factors and single-factor vs. multi-factor authentication, see Authenticator basics.
• For more information on authenticator types and Microsoft methods, see NIST authenticator types and aligned Azure AD methods.
• For detailed information about authentication methods, including Windows Hello for Business, Microsoft Authenticator App, and FIDO2 security key, see What authentication and verification methods are available in Azure AD?

According to NIST SP 800-63B Section 4.3, Authenticator Assurance Level 3 (AAL3) authentication shall use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance – the same device may fulfill both requirements. Possible combinations of authenticators satisfying AAL3 requirements include:

• Multi-factor cryptographic device
• Single-factor cryptographic device used in conjunction with memorized secret
• Multi-factor one-time password (OTP) device (software or hardware) used in conjunction with a single-factor cryptographic device
• Multi-factor OTP device (hardware only) used in conjunction with a single-factor cryptographic software
• Single-factor OTP device (hardware only) used in conjunction with a multi-factor cryptographic software authenticator
• Single-factor OTP device (hardware only) used in conjunction with a single-factor cryptographic software authenticator and a memorized secret

We recommend using a multi-factor cryptographic hardware authenticator to achieve AAL3, as explained in Achieving NIST AAL3 with Azure AD. Password is the greatest attack surface that can be eliminated with Passwordless authentication, which offers users a streamlined method to authenticate.

According to NIST SP 800-63B Section 4.3, multi-factor authenticators used at AAL3 shall rely on hardware cryptographic modules validated at FIPS 140 Level 2 or higher overall level with at least FIPS 140 Level 3 for physical security. Verifiers at AAL3 shall be validated at FIPS 140 Level 1 or higher. For more information about Microsoft support for authenticator and verifier FIPS 140 validation requirements, see FIPS 140 validation.

FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements, including the requisite FIPS 140 validation:

• FIDO2 security keys are well suited to organizations that are completely cloud based. You can choose FIPS 140 validated security keys that meet AAL3 requirements.
• Smartcards are an established technology with multiple vendors meeting FIPS 140 validation requirements.
• Windows Hello for Business relies on multiple components in the FIPS 140 cryptographic boundary. For more information on conducting a risk assessment when using Windows Hello for Business as an AAL3 authenticator, see Authenticator requirements.

Applicability

• Azure
• Azure Government

Guidance documents

Microsoft provides detailed guidance on:

• How to configure Azure AD to meet NIST SP 800-63B Authenticator Assurance Levels, including AAL1, AAL2, and AAL3. For more information, see Achieving NIST AALs.
• How to configure controls in the Access Control (AC) and Identification and Authentication (IA) control families to meet FedRAMP High requirements. For more information, see Configure Azure AD to meet FedRAMP High.

Frequently asked questions

Can Azure support my NIST AAL3 requirements?
Yes. Azure AD supports both authenticator and verifier NIST AAL3 requirements, including FIPS 140 validation at the right level mandated by NIST SP 800-63B. We recommend using a multi-factor cryptographic hardware authenticator to achieve AAL3. FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements.

Does Microsoft provide guidance on achieving NIST AAL requirements?
Yes. For more information, see Guidance documents.

Resources

• Azure compliance documentation
• Azure enables a world of compliance
• Microsoft 365 compliance offerings
• Compliance on the Microsoft Trust Center
• What is Azure Government?
• Explore Azure Government
• Microsoft government solutions
• NIST SP 800-63 Digital Identity Guidelines
• NIST SP 800-63A Enrollment and Identity Proofing
• NIST SP 800-63B Authentication and Lifecycle Management
• NIST SP 800-63C Federation and Assertions
• NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
• FedRAMP documents and templates
• Executive Order 14028: Improving the Nation's Cybersecurity