

Application developers are faced with a choice of electronic authentication mechanisms based on a wide variety of technologies, including passwords, biometrics, and physical tokens, to perform local or remote authentication. NIST SP 800-63-1: Electronic Authentication Guideline (December 2011) was an extensive revision and update of the original document, released in 2006. The original document was internationally recognized as the definitive reference for secret-based mechanisms for authentication of users over the Internet. The revision recognizes that times and technologies have changed; it broadens the discussion of the technologies available to agencies and describes them in more detail. A full press release for NIST SP 800-63-1 is available here. The current revision, NIST SP 800-63-2 (August 2013), is a limited update intended to take advantage of professional credentials for identity proofing and reduce the need to use postal mail for address of record verification. The guideline applies whether agencies choose to handle authentication directly or leverage services provided by other parties, including commercial companies.

Password Guidance
Passwords are still a very common mechanism for authenticating the identity of users. NIST SP 800-63-2: Electronic Authentication Guideline offers the most current NIST guidelines for passwords when they are used for remote authentication over the Internet. NIST SP 800-132: Recommendation for Password-Based Key Derivation Part 1: Storage Applications specifies techniques for the derivation of master keys from passwords or passphrases to protect stored electronic data or data protection keys. Users may not understand when they are entering a password for remote authentication and when the password is for key derivation, but the security requirements differ in each case, and system administrators and application implementers should be aware of which case applies to their system or application.

Relation to NSTIC
Note that NIST SP 800-63-2 may inform, but is not intended to constrict or constrain the development or use of standards for implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). NIST SP 800-63 is specifically designated as a guideline for use by Federal agencies for electronic authentication. NSTIC, in contrast, has a broader charge: the creation of an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.” While NIST SP 800-63 may be a starting point for discussion on NSTIC, decisions on approaches to e-authentication in the Identity Ecosystem will be developed through a separate path. For more information, please see