NIST publishes new authentication standards, FIDO U2F achieves AAL3

June 22, 2017 4 minute read

After a year of review, the National Institute for Science and Technology (NIST) today released version 3 of its latest digital identity guidelines, outlining a number of updates that play to the multi-protocol functionality of the YubiKey.

NIST Special Publication 800-63 Revision 3 covers guidelines on identity proofing and authentication of users (such as employees, contractors, private individuals, and commercial entities) working with government IT systems over open networks. These guidelines are used as part of the risk assessment and implementation of federal agencies’ digital services.

There are three notable changes outlined in the document: the separation of identity assurance from authenticator assurance, the deprecation of short message service (SMS) as one-time password (OTP) authentication, and the recognition of technologies like FIDO U2F within the highest level — Authenticator Assurance Level 3 (AAL3).

The first major change we want to highlight is the decoupling of user identity assurance from the strength of the authentication method used. This enables organizations to make quantifiable security improvements by offering alternative feature-compatible devices that act like a smart card, or providing FIDO authentication for all users. The previous model had the unintended consequence of lowering the authentication security for users where the identity proofing was not needed at Identity Assurance Level 3 (IAL3). In this new model (see table 6-2, Acceptable Combinations of IAL and AAL in section 6.4), a higher Authenticator Assurance Level can be paired with a lower Identity Assurance Level to meet an acceptable combination.

Another change worth noting is NIST’s update on the framework for quantifying authenticator security, particularly for guidance on using SMS as a form of OTP authentication. In July 2016, NIST put out a blog deprecating the process for delivering an OTP over SMS. This position is bolstered by the updated classification of authenticators allowing OTP to be used in lower-security systems. Additionally, the YubiKey’s OTP capabilities do not fall under NIST’s deprecation of SMS/OTP out-of-band authenticators.

Lastly, the guidelines recognize technologies like FIDO U2F at AAL3. This opens the door for FIDO U2F and classifies the protocol as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. With FIDO U2F’s ease of use and quick deployments, the number of services implementing FIDO U2F integrations is steadily growing. Federal agencies now have more options to deploy strong authentication for cloud applications.

The YubiKey meets all these tenets in its versatility and flexibility as a multi-protocol authentication device that combines three of the permitted authenticator types in one physical device.

Single-factor OTP device = OTP

  • The YubiKey spans various OTP capabilities, including Yubico OTP, HOTP, TOTP, and communicates via the HID keyboard interface. This allows the OTP protocol to work across all OS/Environments that support USB keyboards.

Single-factor cryptographic device = FIDO U2F

  • Developed by Yubico and Google, FIDO U2F is the newest protocol supported by the YubiKey. This protocol allows the YubiKey to work securely and instantly with hundreds of applications, and with no secrets shared across separate services.

Multi-factor cryptographic device = Smart card / PIV-compatible / OpenPGP

  • The YubiKey identifies itself as a smart-card reader with a smart card plugged in, and will work with most common smart-card drivers.

“While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities,” said Paul Grassi, one of the 800-63 authors, in a blog post. “Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats.” He added, “Over time, NIST wants the [guidelines] to be adaptive to innovations in the market so anyone, public or private, can better serve their users.”

We celebrate this historic release of NIST SP 800-63-3, as it ushers in a bright future for the YubiKey, FIDO U2F, and federal agencies here in the US and abroad. With this latest revision, the overwhelming response of over 1,400 contributor submissions from within and outside the US validates NIST SP 800-63-3 as a leading resource for global digital identity.

Share this article:

Recommended content


Introducing the Security Key C NFC by Yubico, with USB-C and NFC for modern, FIDO-based authentication

As more devices leverage USB-C, we’re happy to share that our Security Key Series is expanding to meet this need. Built with the trademark Yubico security and quality that you’ve grown to love, the blue Security Key C NFC is the latest key to join our Security Key Series.  Available for purchase today for $29 ...


Modern MFA for the Federal Government: How the YubiKey Meets U.S. Federal Government Requirements

Learn how the YubiKey, a DOD approved alternate authenticator meets federal PIV/CAC requirements and government compliance regulations.


Modern Authentication for the Federal Government: Enabling Mobile, Secure Authentication in Zero Trust Environments

Learn how DOD approved hardware security keys such as the YubiKey are ideal to fill PIV and CAC related authentication gaps across the federal government, and meet the MFA mandate in the Biden Executive Order 14028.


Strong Authentication for U.S. Government Employees

Learn how to attain PIV compliance and the recent U.S. Cybersecurity Executive Order mandates that federal government agencies adopt multi-factor authentication (MFA) within 180 days.