NIST recently published a supplement providing guidance on the use of FIDO2 Passkeys, particularly syncable passkeys. This is a welcomed contribution to the community, providing much-needed clarity on how syncable passkeys can meet NIST AAL standards.

The original NIST digital identity guidelines for authentication, SP 800-63B, were first published in 2017, and since then there has been rapid advancement in authentication factors, particularly FIDO2 passkeys. Organizations typically use 800-63B as a policy reference, and NIST recognizes its responsibility to keep the guidelines current with such advancements. NIST has therefore opted for a supplement paper that builds on the authoritative 800-63B guidelines.

NIST has just completed a public consultation on SP 800-63-4, the draft update to SP 800-63, but felt it was necessary to provide guidance expediently via the supplement rather than wait for SP 800-63-4 to be finalized.

In the first part of our analysis, we focus on the key changes and clarifying statements made in the supplementary publication. In a subsequent post, we dive deeper into the implementation recommendations and summarize the threat model and challenges with syncable passkeys.

What is an AAL?

NIST AAL, or NIST Authentication Assurance Level, refers to the guidelines set by the National Institute of Standards and Technology (NIST) for the assurance levels related to authentication processes in identity systems. These levels are part of the NIST Special Publication 800-63, which covers digital identity guidelines.

Here's a brief overview of the three Authentication Assurance Levels:

  1. AAL1: Provides some assurance that the claimant controls an authenticator bound to the subscriber's identifier. This level allows for single-factor authentication, such as a password or a PIN.
  2. AAL2: Provides high confidence that the claimant controls an authenticator bound to the subscriber's identifier. This level requires two different factors, which could be a combination of something you know (password), something you have (security token), or something you are (biometrics).
  3. AAL3: Provides very high confidence that the claimant controls an authenticator bound to the subscriber's identifier. This level requires the use of a hardware-based cryptographic authenticator and another factor. It is suitable for applications requiring a high level of security and fraud risk mitigation.

Key Takeaways
1. Syncable Passkeys Achieve AAL2

The supplement concludes that correctly configured syncable passkeys can provide a high level of confidence in meeting AAL2 requirements.

Requirement (AAL2 status) - FIDO2 syncable passkeys

  1. Man-in-the-middle resistance (Required) - Achieved: properly configured syncable authenticators exchange all authentication data through authorized and protected channels.
  2. Verifier-impersonation resistance (Not required) - Achieved: properly configured syncable authenticators create a unique public/private key pair whose use is constrained to the domain in which it was created (i.e., the key can only be used with a specific website or relying party). This prevents a falsified web page from capturing and reusing an authenticator output.
  3. Verifier-compromise resistance (Not required) - Achieved: properly configured syncable authenticators store only public keys on the verifier side, and these keys cannot be used to authenticate as the user. Private keys held by the sync fabric are stored only in encrypted form using approved cryptography, and access controls prevent anyone other than the authenticated user from accessing them.
  4. Replay resistance (Required) - Achieved: syncable authenticators provide replay resistance (i.e., prevent reuse in future transactions) by incorporating a random nonce into each authentication transaction.
  5. Authentication intent (Recommended) - Achieved: syncable authenticators require the user to input an activation secret to initiate the cryptographic authentication protocol. This serves as authentication intent, as the event cannot proceed without the user’s active participation.
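To make the verifier-impersonation, verifier-compromise and replay rows concrete, here is an added example in Go (our own illustration for this post, not code from NIST, from the supplement, or from Authsignal's products). It models a reduced WebAuthn assertion: the relying party stores only a public key, each challenge is a one-time random nonce, and the authenticator only answers for the origin its key was created for, so a signature relayed from a look-alike site fails verification even if the relayer claims the right origin. The type and function names (RelyingParty, Authenticator, signedMessage), the fixed message format, and the sample origins are assumptions for the example; real WebAuthn signs authenticatorData plus a hash of clientDataJSON and performs further checks (RP ID hash, flags, signature counter).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty (the verifier) in this hypothetical, reduced model keeps public keys only,
// so a leaked database cannot be used to log in as anyone, and accepts each issued
// challenge exactly once.
type RelyingParty struct {
	Origin     string
	PublicKeys map[string]*ecdsa.PublicKey // credential ID -> public key
	pending    map[string]bool             // challenges issued but not yet consumed
}

// Authenticator holds the private key, scoped to the origin it was created for. A
// syncable authenticator copies this record via the sync fabric; the scope travels with it.
type Authenticator struct {
	CredentialID string
	RPOrigin     string
	priv         *ecdsa.PrivateKey
}

// signedMessage is what gets signed: the origin the browser reports plus the verifier's
// nonce (a stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(origin, challenge string) []byte {
	d := sha256.Sum256([]byte("webauthn.get|" + origin + "|" + challenge))
	return d[:]
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, PublicKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register creates a credential scoped to rp.Origin; rp stores only the public half.
func (rp *RelyingParty) Register(credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.PublicKeys[credID] = &priv.PublicKey
	return &Authenticator{CredentialID: credID, RPOrigin: rp.Origin, priv: priv}, nil
}

// NewChallenge issues a fresh 256-bit random nonce that Verify will accept exactly once.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	rp.pending[c] = true
	return c, nil
}

// Sign answers for the origin the browser reports. A real browser offers only credentials
// whose RP ID matches that origin, so a foreign origin finds nothing to sign with.
func (a *Authenticator) Sign(browserOrigin, challenge string) ([]byte, error) {
	if browserOrigin != a.RPOrigin {
		return nil, errors.New("no credential for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(browserOrigin, challenge))
}

// Verify runs the relying-party checks: origin, single-use challenge, then the signature.
func (rp *RelyingParty) Verify(credID, origin, challenge string, sig []byte) error {
	if origin != rp.Origin {
		return errors.New("origin mismatch: assertion was not produced for this site")
	}
	if !rp.pending[challenge] {
		return errors.New("unknown or already used challenge (replay)")
	}
	delete(rp.pending, challenge) // consume the nonce before anything else
	pub, ok := rp.PublicKeys[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(origin, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("https://example.com")
	auth, _ := rp.Register("cred-1")
	c, _ := rp.NewChallenge()
	sig, _ := auth.Sign("https://example.com", c)
	fmt.Println("genuine login:", rp.Verify("cred-1", "https://example.com", c, sig))
	fmt.Println("replayed assertion:", rp.Verify("cred-1", "https://example.com", c, sig))
	_, err := auth.Sign("https://example.com.evil.test", c)
	fmt.Println("phishing origin:", err)
}
```

The nonce is deleted from the pending set before the signature is checked, so a second submission of the same assertion is refused regardless of whether the first one succeeded. Because the signed message covers the origin, the verifier does not have to trust the origin string the client reports: a mismatch simply fails signature verification.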

2. “Syncability” - Update on the Allowance of Cloning Authentication Keys

From the Supplement

Section 5.1.8.1 of SP 800-63B, Multi-Factor Cryptographic Software Authenticators, restricts the ability of an authenticator to “clone” a cryptographic authentication key from one device to another. Specifically, it states:

💡 Multi-factor cryptographic software authenticators SHOULD discourage and SHALL NOT facilitate the cloning of the secret key onto multiple devices.

The supplement now clarifies and recognizes that, when configured and secured correctly, synchronization of cryptographic material across a “sync-fabric” is allowed, and the statement in 5.1.8.1 is superseded as of the publication of the supplement (22 April 2024). This requirement is also removed in the upcoming revised SP 800-63-4 document. It is also recognized that syncability is one of the key user-experience traits of a synced passkey and should be viewed as a net positive when properly implemented.

The supplement further sets out the requirements that allow for “cloning/syncability” under its “General requirements for all uses of syncable authenticators.” Key requirements include ensuring that the sync-fabric enforces AAL2 on its own access controls and that the cryptographic operation is always performed locally on the device.

In addition to the general requirements, the supplement adds further requirements for the federal use of passkeys, such as ensuring that endpoint devices are under mobile device management (MDM) and recommending enterprise attestation for the use of synced passkeys.

View the full list of requirements in the supplement, “Incorporating Syncable Authenticators Into NIST SP 800-63B”.


What is a sync-fabric?

The supplement’s glossary defines a sync-fabric as: “Any on-premises, cloud-based, or hybrid service used to store, transmit, or manage authentication keys generated by syncable authenticators that are not local to the user’s device.”

In the world of synced passkeys, consumers commonly refer to this as their credential manager, such as iCloud Keychain or Google Password Manager. Other non-OS credential managers, like Dashlane, LastPass, and Bitwarden, also now offer syncability across their credential manager offerings.

Image: sync-fabric, commonly known as a password/credential manager

Round-up

To round up the first part of our analysis, we at Authsignal feel it’s a great step forward in getting clarity on how syncable passkeys fit into NIST’s digital identity guidelines. It’s also appreciated that NIST has provided risk-based general requirements and specific federal requirements.

In part 2 of our analysis, we touch on NIST’s implementation considerations, which add further nuance and a risk-based lens on which FIDO2 passkey functionality is most appropriate depending on context. We welcome such attention to detail.

Authsignal is a member of the FIDO Alliance and is actively helping organizations uplift their customer account security and experience by adopting passkeys. We offer a range of drop-in solutions that have been tuned for the consumer and have seen incredible results on nationwide demographics and critical customer services.