NIST publishes new authentication standards, FIDO U2F achieves AAL3

After a year of review, the National Institute for Science and Technology (NIST) today released version 3 of its latest digital identity guidelines, outlining a number of updates that play to the multi-protocol functionality of the YubiKey.

NIST Special Publication 800-63 Revision 3 covers guidelines on identity proofing and authentication of users (such as employees, contractors, private individuals, and commercial entities) working with government IT systems over open networks. These guidelines are used as part of the risk assessment and implementation of federal agencies’ digital services.

There are three notable changes outlined in the document: the separation of identity assurance from authenticator assurance, the deprecation of short message service (SMS) as one-time password (OTP) authentication, and the recognition of technologies like FIDO U2F within the highest level — Authenticator Assurance Level 3 (AAL3).

The first major change we want to highlight is the decoupling of user identity assurance from the strength of the authentication method used. This enables organizations to make quantifiable security improvements by offering alternative feature-compatible devices that act like a smart card, or providing FIDO authentication for all users. The previous model had the unintended consequence of lowering the authentication security for users where the identity proofing was not needed at Identity Assurance Level 3 (IAL3). In this new model (see table 6-2, Acceptable Combinations of IAL and AAL in section 6.4), a higher Authenticator Assurance Level can be paired with a lower Identity Assurance Level to meet an acceptable combination.

Another change worth noting is NIST’s update on the framework for quantifying authenticator security, particularly for guidance on using SMS as a form of OTP authentication. In July 2016, NIST put out a blog deprecating the process for delivering an OTP over SMS. This position is bolstered by the updated classification of authenticators allowing OTP to be used in lower-security systems. Additionally, the YubiKey’s OTP capabilities do not fall under NIST’s deprecation of SMS/OTP out-of-band authenticators.

Lastly, the guidelines recognize technologies like FIDO U2F at AAL3. This opens the door for FIDO U2F and classifies the protocol as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication. With FIDO U2F’s ease of use and quick deployments, the number of services implementing FIDO U2F integrations is steadily growing. Federal agencies now have more options to deploy strong authentication for cloud applications.

The YubiKey meets all these tenets in its versatility and flexibility as a multi-protocol authentication device that combines three of the permitted authenticator types in one physical device.

Single-factor OTP device = OTP

  • The YubiKey spans various OTP capabilities, including Yubico OTP, HOTP, TOTP, and communicates via the HID keyboard interface. This allows the OTP protocol to work across all OS/Environments that support USB keyboards.

Single-factor cryptographic device = FIDO U2F

  • Developed by Yubico and Google, FIDO U2F is the newest protocol supported by the YubiKey. This protocol allows the YubiKey to work securely and instantly with hundreds of applications, and with no secrets shared across separate services.

Multi-factor cryptographic device = Smart card / PIV-compatible / OpenPGP

  • The YubiKey identifies itself as a smart-card reader with a smart card plugged in, and will work with most common smart-card drivers.

“While the guidelines themselves are final, we strongly believe that work on this document isn’t truly complete until, like open standards, it has been implemented to tease out bugs and complexities,” said Paul Grassi, one of the 800-63 authors, in a blog post. “Our ability to predict and respond to changes in the market and technology needs to match the speed of innovation, as well as threats.” He added, “Over time, NIST wants the [guidelines] to be adaptive to innovations in the market so anyone, public or private, can better serve their users.”

We celebrate this historic release of NIST SP 800-63-3, as it ushers in a bright future for the YubiKey, FIDO U2F, and federal agencies here in the US and abroad. With this latest revision, the overwhelming response of over 1,400 contributor submissions from within and outside the US validates NIST SP 800-63-3 as a leading resource for global digital identity.

Talk to our teamTalk to our team

Share this article:


  • Works with YubiKey Spotlight: Expanded partnerships redefining phishing-resistance in 20252024 was an exciting year for Yubico and our partners. Together, we achieved remarkable milestones, launching innovative solutions and forging stronger partnerships – all aimed at delivering the most impactful cybersecurity solutions and user experience for our customers and partners. At the heart of these efforts lies a shared commitment to phishing-resistance.  From registration to […]Read moreWorks with YubiKeywwyk
  • Cybersecurity in 2025 – part two: Insights and predictions from Yubico’s expertsIn part one of our 2025 cybersecurity predictions, we highlighted insights from our experts on the topic of passkeys, digital identity wallets and the threats of AI-driven phishing – areas that saw a lot of focus in 2024, and ones that we expect to continue being a major focus this year. If you missed our […]Read morecritical infrastructurefederal governmentfinancial servicespredictions
  • Cybersecurity in 2025: Insights and predictions from Yubico’s expertsWith 2024 behind us, we saw another challenging year in the world of cybersecurity – highlighted by new and evolving threats like Artificial Intelligence (AI)-driven phishing and increasingly sophisticated cyber attacks overall. Yubico’s September Global State of Authentication Survey confirmed the challenges, even underscoring the potential risks of these new threats. The report emphasized the […]Read moreAIdigital identity walletspasskeyspredictions
  • State of Global Authentic(age)ion: A look at cybersecurity habits by generationsNo generations were left untouched when it came to the threat of hackers in 2024: from the impact of political shakeups, to increasingly sophisticated cyber attacks targeting consumers, critical industries and infrastructures, the world was on high alert. Fueled by a dramatic increase in phishing attacks circumventing certain forms of legacy multi-factor authentication (MFA), as […]Read moreState of Global Authenticationsurvey