How NIST and eIDAS revisions are shaping the future of e-identification

This blog is co-authored by John Fontana, Standards Analyst at Yubico. 

On both sides of the Atlantic, standards and regulations on electronic identification are being revised more or less simultaneously. In the United States, the National Institute of Standards and Technology (NIST) accepted public comments last month on its SP 800-63-3 Digital Identity Guidelines, which are on track for a scheduled revision in 2022. In the European Union, the eIDAS regulation is also up for review.

As an active member of the FIDO Alliance, W3C, Better Identity Coalition, and OpenID Foundation, Yubico was invited to provide input on both the NIST and eIDAS revisions. While these revisions take place on a predetermined schedule, our feedback was heavily influenced by our learnings and observations from the COVID-19 pandemic and the influx of remote work. This shaped a majority of our recommendations, which were focused on improving guidance on strong authentication and remote identity proofing.

NIST SP 800-63-3

NIST last revised its Digital Identity Guidelines in June 2017 just as multi-factor authentication (MFA) entered a robust innovation cycle led by FIDO protocols. The latest revision intends to evaluate recent improvements to authentication standards and technologies (WebAuthn), and other new identity and access management innovations. 

Last month, Yubico submitted comments and suggestions that ensure stronger identity assurance and authentication, and address the need to eliminate persistent vulnerabilities in aging authentication technologies such as SMS and OTP. 

  • We asked that the updated guidelines address modern attack vectors, and re-classify grading systems to recognize credential phishing resistance as a distinct and important advancement in modern hardware authenticators that are needed to close security holes.
  • We also suggested NIST recognize and classify new identity proofing and binding techniques for strong remote identification systems. Additionally, we recommended guidance around a combination of technologies that support authenticated and protected communication channels for security techniques such as verifier impersonation resistance. 
  • Lastly, we pointed out that the previous NIST Digital Identity Guideline revisions showed an affinity for hardware-backed, web-based strong authentication as defined by FIDO and WebAuthn. We emphasized that this innovation must continue in the 800-63-4 revision. 

eIDAS

In Europe, eIDAS (EU Regulation 910/2014) is subject to revision and open for feedback through a public consultation. The EU Commission proposed three new options for the revised eIDAS regulation, and Yubico submitted feedback accordingly:

  • Option 1 would revise and complement the existing eIDAS framework. In this scenario, our recommendation is that eIDAS should specify well-defined rules for remote identity proofing, be harmonized with the EU Cybersecurity Act, require phishing resistance, reuse pre-approved eID products for notification, allow for backup eID schemes during disasters, and make the ‘High’ level of assurance mandatory for access to Qualified Trust Service Providers.
  • Option 2 would extend the scope of eID schemes to the private sector. We are positive about this initiative, since existing identity providers would extend the reach of notified eID schemes, which could also be aligned with the PSD2 requirements on financial transactions. The eID approval process and the architecture of eIDAS-Nodes would, however, have to be adjusted for private identity providers.
  • Option 3 would introduce a European Digital Identity scheme (EUid). Instead of a pan-European EUid, we believe that federated solutions would allow for better international interoperability, higher scalability, and be based on modern technology.

Yubico’s complete response to the eIDAS inception impact assessment can be found at the EU Commission portal. In addition to our eIDAS contributions, Yubico also provided feedback to promote remote identity proofing for ETSI TS 119 461, the European Telecommunications Standards Institute’s (ETSI) new standard on identity proofing. 

Fortunately, the development of legislation and standards for electronic identification continues to progress in the US and EU with consistent input from leading security and identity experts across the globe. As we account for evolving threat landscapes and innovative technologies that offer the best combination of security and usability, we can collectively continue to serve and protect governmental agencies, the private sector, and citizens even better in the future.

To learn how the YubiKey can be used for national electronic ID-card projects and eIDAS-compliant eID schemes, such as the National Digitalisation Programme at the Faroe Islands, read more here

To learn how the YubiKey FIPS Series can enable government agencies and regulated industries to meet the highest authenticator assurance level 3 requirements from the NIST SP 800-63 guidance, read more here
