Giving NIST Digital Identity Guidelines a Boost: Supplement for Incorporating Syncable Authenticators


AceSecurityDesk – We are applying the supplement concept for the first time to our NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. Today, we published a supplement that provides interim guidance for agencies seeking to make use of ‘syncable authenticators’ (for example, passkeys) in both enterprise-facing and public-facing use cases.

@acenewsservices

Ace Press News From Cutting Room Floor: Published: Apr. 25, 2024: TELEGRAM Ace Daily News Link https://t.me/YouMeUs2

What is a supplement? 

A supplement is a specific document type intended to enhance, augment, or elaborate on an existing NIST Special Publication (SP). It allows for targeted updates or modifications without going through the process of revising the entire SP, giving NIST a mechanism to adapt more rapidly to changes in the technology and risk environments (for example, by providing requirements for new authenticator types such as syncable authenticators).

What is a syncable authenticator? 

A syncable authenticator is any cryptographic authenticator that allows the private key to be cloned and stored separately from the authenticator so that the same key can be used across different devices (that is, synced). In practice, these are typically what the FIDO Alliance calls ‘passkeys’, and they make use of multiple standards and protocols such as the Client-to-Authenticator Protocol (CTAP) and the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification.

When implemented correctly, they provide a phishing-resistant authenticator with many benefits, such as simplified recovery, cross-device support, and consumer-friendly platform authentication support (for example, native biometrics). Under the existing normative text of the Digital Identity Guidelines, which prohibits authenticators from facilitating the cloning of the secret key onto multiple devices, such authenticators would have been considered non-compliant; the supplement provides additional requirements and considerations to allow their use at Authenticator Assurance Level 2 (AAL2).
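A relying party needs to know whether the credential being presented is a syncable passkey or a device-bound key before it can apply the kind of per-authenticator policy the supplement asks agencies to make. WebAuthn carries that information in the flags byte of the authenticatorData returned with every assertion: the Backup Eligibility (BE) bit marks a key that may be synced, and the Backup State (BS) bit marks one that currently is. The following is an added example written for this page, not code from NIST, the supplement, or the FIDO Alliance. The flag bit values and the 37-byte authenticatorData prefix layout come from the WebAuthn specification; the RP ID `agency.example.gov`, the `evaluate` policy rules, and the sample inputs are this example's own constructions.

```python
"""Added example (not from the NIST post or the supplement): a relying party
parses the WebAuthn authenticatorData prefix, classifies the credential by its
BE/BS flags, and applies an illustrative acceptance policy.

authenticatorData layout per W3C WebAuthn:
  rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
  | [attestedCredentialData if AT] | [extensions if ED]
The RP ID, the policy in evaluate(), and the inputs are assumptions of this
example, not requirements taken from the supplement.
"""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits as defined in WebAuthn Level 3 (section 6.1, Authenticator Data).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (second factor checked on the authenticator)
FLAG_BE = 0x08  # backup eligible: the private key may be synced to other devices
FLAG_BS = 0x10  # backup state: the key is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix; any trailing data is ignored here."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def credential_kind(ad: AuthData) -> str:
    """Classify by the BE/BS pair; BS set without BE is not a valid combination."""
    be, bs = bool(ad.flags & FLAG_BE), bool(ad.flags & FLAG_BS)
    if bs and not be:
        raise ValueError("BS set without BE: invalid flag combination")
    if not be:
        return "device-bound"
    return "syncable, backed up" if bs else "syncable, not yet backed up"


def evaluate(raw: bytes, rp_id: str, stored_sign_count: int, allow_syncable: bool) -> tuple:
    """Return (accepted, reason) under this example's own policy: the rpIdHash
    must match, user presence and user verification must be asserted, syncable
    credentials are rejected when the RP disallows them, and the signature
    counter is only required to increase when either side reports a non-zero
    value (synced passkeys commonly report 0 and never increment)."""
    ad = parse_authenticator_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    if not ad.flags & FLAG_UV:
        return False, "user verification required for multi-factor use"
    kind = credential_kind(ad)
    if kind != "device-bound" and not allow_syncable:
        return False, f"policy forbids {kind} credential"
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned key"
    return True, kind


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed input for the example: the 37-byte prefix only."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


RP_ID = "agency.example.gov"  # assumed relying party identifier for the samples
SYNCED = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)

if __name__ == "__main__":
    for label, raw in (("synced passkey", SYNCED), ("device-bound key", DEVICE_BOUND)):
        print(label, "->", credential_kind(parse_authenticator_data(raw)),
              evaluate(raw, RP_ID, 0, True))
```

The counter rule is the practical trap here: an RP that ported a strict "counter must increase" check from hardware security keys will lock out every synced passkey, because those report a constant 0. Applying the counter check only when a non-zero value is present on either side keeps clone detection for device-bound keys while accepting syncable ones, which is the behaviour the WebAuthn assertion-verification steps describe.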

What has changed since the Digital Identity Guidelines were published? 

A lot has changed. The standards and specifications needed to support syncable authenticators did not exist when the Guidelines were initially developed and published. Since then, the standards have matured and most major consumer platforms have added support for syncable authenticators. The FIDO Alliance estimates that over 8 billion* user accounts now have the option to use passkeys for authentication. While not yet ubiquitous, they are becoming more common by the day.

Aren’t there risks to cloning keys? 

Yes, there are always risks. The requirements in the supplement are intended to address as many of these as possible, including methods for storing, transmitting, and protecting the keys. There are unique risks that come with syncable authenticators, specifically the ability in some technical implementations for users to share their authentication key with other individuals. The ability to share an authenticator is not unique to syncable keys; nearly any AAL2 authenticator can be shared. But contrary to years of security policy, some implementations promote the sharing of syncable authenticators as a secure alternative to password sharing in many consumer scenarios.

As always, organizations should evaluate every type of authenticator they offer and weigh the associated benefits and risks before implementing it. Syncable authenticators will not be appropriate for every application or service, but they do represent an emerging AAL2 authenticator option with many benefits to both the end user and the relying party.

Is there going to be a public comment period? 

Not for this supplement. Feedback from the initial public comment period on SP 800-63-4 was incorporated into this supplement. Additional comments on syncable authenticators and the overall content of the supplement can be submitted during the upcoming second public comment period for Revision 4, which will occur later this year.

Why not wait for Revision 4 to be completed?

As noted above, agencies strictly following the normative text of the Digital Identity Guidelines would not be allowed to use syncable authenticators. This supplement addresses an immediate need for many agencies by providing direction on how to use a new security technology that provides strong, usable, phishing-resistant authentication in support of the Federal Zero Trust Strategy. Once Revision 4 is finalized, this supplement will be rescinded.

*This statistic was provided by the FIDO Alliance and does not imply that 8 billion users have opted to use the passkey feature.

At Sterling Publishing & Media Service Agency, we value transparency and accountability. We want to inform you that we are not responsible for any external content, links, or posts. Nonetheless, we are dedicated to providing exceptional services and sincerely appreciate your support. Thank you.
