The rapid proliferation of online services over the past few years has heightened the need for reliable, equitable, secure, and privacy-protective digital identity solutions. Revision 4 of NIST’s Special Publication (SP) 800-63, Digital Identity Guidelines, responds to the changing digital landscape that has emerged since the last major revision of this suite was published in 2017—including the real-world implications of online risks. The guidelines present the process and technical requirements for meeting digital identity management assurance levels for identity proofing, authentication, and federation, including requirements for security and privacy as well as considerations for fostering equity and the usability of digital identity solutions and technology.
In December 2022, NIST released the Initial Public Draft (IPD) of SP 800-63, Revision 4. Over the course of a 119-day public comment period, NIST received close to 4000 comments that improved these Digital Identity Guidelines in a manner that supports NIST's critical goals of providing foundational risk management processes and requirements that enable secure, private, equitable, and accessible identity systems.
Based on this initial wave of feedback, several substantive changes have been made across all the volumes. These changes include but are not limited to: updated text and context setting for risk management; added recommended continuous evaluation metrics; expanded fraud requirements and recommendations; restructured identity proofing controls; integrated syncable authenticators; and added user-controlled wallets to the federation model.
Additionally, this draft seeks to:
These second public drafts (2PD) include:
Please submit your comments via email (dig-comments@nist.gov) by 11:59 PM ET on October 7, 2024. Comments are requested on all four drafts listed above.
The Note to Reviewers section highlights the specific topics NIST is hoping for feedback on and provides a template that can be used to submit comments; please note that NIST will review all comments and make them available to the public.