NIST recently released an update to SP800-63B to provide guidance on syncable authenticators. As FIDO passkeys become more widely adopted and available at scale, NIST guidance helps organizations position and plan so they can successfully implement synced passkeys both internally and externally.
Within the guidance, it is important to understand the nuance of the term authenticator. In the NIST context, it refers to the component that performs the authentication process that grants access; this can include passwords, certificates, or passkeys.
From a FIDO passkey perspective, an authenticator is the component that generates and/or protects the passkey. A passkey can be synced, but the authenticator is not synced. When a passkey is synced to a new device, it is protected by a new authenticator with potentially different controls. From a multi-factor authentication perspective, the authenticator controls one factor, the biometric or PIN. The passkey credential is the other factor, something you have. NIST used the term “authenticator” to cover a wider set of authentication methods, but it is important to understand that the guidance is directed toward how passkeys are controlled as they move between different authenticators.
The key part of the guidance states, for the first time, that synced passkeys meet the Authentication Assurance Level 2 (AAL2) if properly implemented. The guidance also provides an updated definition of phishing-resistant multi-factor authentication (MFA): an authenticator is phishing-resistant if it binds its output to a communication channel or a verifier name. The update makes it clear that solutions like FIDO that bind the authentication ceremony to known registered web domains are phishing-resistant.
AAL2 designation for synced passkeys
AAL2 is a broad designation covering base-level MFA. There is a wide range of MFA solutions in this category, from legacy SMS to phishing-resistant FIDO synced passkeys. FIDO passkeys that are not synced – device-bound passkeys like YubiKeys – and are properly stored in dedicated hardware have an AAL3 rating.
Passkeys are a significant advancement over legacy MFA solutions that are phishable. Additionally, passkeys remove the need for passwords, which are known to be insecure.
Given that synced passkeys shift much of the responsibility for controlling where the passkey can be copied onto the user, NIST lists a number of compensating controls to ensure they are properly managed for enterprise and federal implementations. Synced passkeys are a good solution for consumer and citizen deployments where a user’s risk level is moderate to low; however, it is important to understand the security tradeoffs of synced passkeys. Users at higher risk levels, which sometimes only the user can properly assess, should use device-bound passkeys, which are based on the same standards and give users enhanced security and choice for little development effort.
Ensuring the private key is under user control
Passkeys are based on public/private key pairs. Whoever or whatever has access to the private key has access to whatever the passkey is protecting. When a passkey is synced, the private key is synced to the cloud, and then down to connected devices. NIST recognizes the importance of protecting the synced fabric (cloud storage).
As a result, NIST requires AAL2 MFA protections for sites that store the synced passkeys and that the private keys be stored in an encrypted form. To ensure you don’t downgrade your security, we highly recommend using phishing-resistant AAL2 or higher MFA to protect synced passkeys stored in the cloud.
Synced passkeys compensating controls for federal enterprise use cases
Federal enterprise use cases require a higher level of control and visibility to ensure government agencies are properly protected. If an agency is considering synced passkeys for its employees, contractors and mission partners, it must work through the various required controls that go beyond the scope of current synced passkey standards.
Mobile device management software or other device configuration controls must be used on all devices to ensure synced passkeys are not shared or synced to unauthorized devices. Additionally, the sync fabric needs to be controlled by agency-managed accounts. Attestation features should be used to verify the capabilities and source of the authenticator.
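The two relying-party checks the text leans on, the verifier-name binding that makes FIDO phishing-resistant (the updated definition above) and the attestation and backup signals an enterprise can use to tell synced passkeys from device-bound ones (the controls just listed), both work from the same WebAuthn authenticatorData structure. The following Python is an added example, not code from the original post or from Yubico; it builds constructed sample authenticatorData and clientDataJSON inline, checks that the browser-reported origin and the signed rpIdHash both name the relying party, and then labels a registration response from its backup-eligible/backup-state flags and AAGUID. The `device_bound_aaguids` allowlist is a placeholder, not a real AAGUID registry, and signature verification with the registered public key is left to the caller.

```python
import hashlib
import json
import struct

# authenticatorData flag bits as defined in the WebAuthn specification.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (the authenticator checked a PIN or biometric)
FLAG_BE = 0x08  # backup eligible: the credential may be synced off this device
FLAG_BS = 0x10  # backup state: the credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data follows (registration responses)


def build_authenticator_data(rp_id, flags, sign_count, aaguid=None, credential_id=b""):
    """Construct a sample authenticatorData blob for offline testing.

    Real blobs come from the browser; this helper exists only so the checks
    below can run without a browser or a hardware authenticator. The COSE
    public key that follows the credential ID in a real response is omitted.
    """
    data = hashlib.sha256(rp_id.encode()).digest()
    data += bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:
        data += aaguid + struct.pack(">H", len(credential_id)) + credential_id
    return data


def parse_authenticator_data(auth_data):
    """Split authenticatorData into the fields a relying party checks."""
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        parsed["aaguid"] = auth_data[37:53].hex()
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed


def check_verifier_binding(client_data_json, auth_data, rp_id, allowed_origins, require_uv=True):
    """Return (ok, reason) for the binding checks that make FIDO phishing-resistant.

    The origin the browser recorded and the rpIdHash the authenticator signed
    over must both name this relying party, so a look-alike domain is rejected
    here before any signature is examined.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not a registered origin"
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification (PIN/biometric) not performed"
    # The caller verifies the assertion signature with the registered public key next.
    return True, "ok"


def classify_passkey(parsed, device_bound_aaguids):
    """Label a registered credential from its backup flags and attested AAGUID.

    Backup-eligible credentials are the synced passkeys the NIST supplement
    treats as AAL2 with compensating controls. A credential that is not
    backup-eligible and whose AAGUID is on the enterprise allowlist (a
    placeholder set here, not a real registry) is a device-bound candidate.
    """
    if parsed["backup_eligible"]:
        return "synced" if parsed["backup_state"] else "syncable-not-yet-synced"
    if parsed.get("aaguid") in device_bound_aaguids:
        return "device-bound-attested"
    return "device-bound-unattested"


if __name__ == "__main__":
    rp = "example.test"  # constructed relying party ID
    origins = {"https://example.test", "https://login.example.test"}
    client_data = json.dumps({"type": "webauthn.get", "challenge": "c", "origin": "https://example.test"}).encode()
    lookalike = json.dumps({"type": "webauthn.get", "challenge": "c", "origin": "https://example-test.evil"}).encode()
    synced = build_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 7)
    print(check_verifier_binding(client_data, synced, rp, origins))
    print(check_verifier_binding(lookalike, synced, rp, origins))
    print(classify_passkey(parse_authenticator_data(synced), set()))
```

The policy split in `classify_passkey` is where the enterprise controls from the previous paragraph attach: a relying party that only accepts device-bound passkeys for a high-risk application can refuse registrations whose backup-eligible flag is set, and use the attested AAGUID (verified through the attestation statement, not shown here) to confirm the authenticator model before granting the higher assurance level.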
Synced passkeys provide a phishing-resistant authentication solution that helps reduce the need for passwords and provides a higher level of security than phishable MFA solutions like SMS, OTP, and push notifications. However, as mentioned previously, synced passkeys have security tradeoffs, and adversaries are smart enough to pivot to wherever they can take advantage to gain access.
Managing and protecting the lifecycle of the passkey is critical – thus, NIST is focusing its guidance on ensuring the private key does not get stolen. Phishing-resistant authentication is based on public key cryptography and the private key is the crown jewel that needs to be protected to have verifiable user assurance.
Yubico appreciates NIST’s work to provide guidance on synced authenticators that can help organizations decide where they can be used. For consumer and citizen facing systems, synced passkeys provide a much better option than older phishable MFA solutions. For enterprise use cases, a number of compensating controls need to be put in place to provide the protections needed. Leveraging device-bound passkeys does not require many of these controls, as the passkey cannot move to the synced fabric or another device. The guidance also provides an updated definition of phishing-resistance that better aligns to FIDO solutions, including device-bound passkeys that are considered AAL3. Though this guidance is focused on syncable authenticators, it is important to understand the risk factors associated with your system and your user base, recognizing that the user might be best placed to comprehend their level of risk. The beauty of the FIDO standard is that you give users choice by easily implementing AAL2 synced passkeys and AAL3 device-bound passkeys.
For more information on how to get started using and implementing device-bound passkeys for your organization, read our whitepaper here. Considering synced passkeys for your enterprise? Learn about the security tradeoffs and how to avoid common pitfalls of synced passkeys here.