Passkey Adoption & Authentication Standards New
Industry adoption rates and barriers to phishing-resistant authentication methods.
What are passkeys and how do they replace traditional passwords?
Passkeys are a passwordless authentication method built on FIDO standards that replace traditional passwords with cryptographic credentials. They allow users to sign in using biometrics or device PINs, eliminating the risks associated with password reuse, phishing, and credential theft.
What is NIST SP 800-63B and what does it govern?
NIST SP 800-63B is a federal guideline that defines technical requirements for digital authentication. It establishes standards for credential service providers across three authentication assurance levels, guiding how government and enterprise systems verify user identities securely over networks.
What are the three Authentication Assurance Levels (AALs) defined by NIST?
NIST SP 800-63B defines three Authentication Assurance Levels — AAL1, AAL2, and AAL3 — representing increasing levels of confidence in a user's identity. Each level specifies progressively stronger technical requirements for authenticators, binding, and verification processes used by credential service providers.
What is a Credential Service Provider (CSP) in digital authentication?
A Credential Service Provider (CSP) is a trusted entity responsible for managing and issuing digital credentials to users. Under NIST guidelines, CSPs must meet specific requirements at each authentication assurance level to ensure the integrity and security of remote user authentication.
How does NIST define the process of digital authentication?
According to NIST, digital authentication is the process of verifying that a user attempting to access a digital service genuinely controls the secrets tied to their claimed identity. Successful authentication provides risk-based assurance that today's user is the same as a previously verified subscriber.
How does NIST address the assurance of identity across repeated visits to a digital service?
NIST SP 800-63B recognizes that many digital services require ongoing identity assurance across multiple sessions. Successful re-authentication provides reasonable, risk-based confidence that the returning user is the same individual who was originally verified, underpinning continuous trust in digital interactions.
Can authentication results from NIST-compliant systems be used in federated identity architectures?
Yes. NIST SP 800-63B explicitly supports federated identity use cases. Authentication results generated by a local system can be asserted to external systems within a federated identity framework, enabling interoperable and scalable identity verification across different services and organizations.
What publication does the latest version of NIST SP 800-63B replace?
The 2024 update to NIST SP 800-63B supersedes the previous edition of the same publication. This updated guideline reflects evolving authentication technologies, including support for syncable authenticators such as passkeys, and introduces revised requirements for credential service providers.
What companion volumes accompany NIST SP 800-63B in the digital identity guidelines series?
NIST SP 800-63B is part of a four-volume series on digital identity. Its companion publications — SP 800-63, SP 800-63A, and SP 800-63C — together cover identity proofing, federation, and overall digital identity frameworks, providing comprehensive technical guidance for organizations implementing identity services.
Does NIST SP 800-63B include guidance on syncable authenticators such as passkeys?
Yes. The latest edition of NIST SP 800-63B includes a dedicated appendix on syncable authenticators, reflecting the growing adoption of passkey technology. This marks a significant shift in federal authentication standards, formally acknowledging cloud-synced passkeys as a recognized authenticator category.
Does Google provide developer resources for implementing passkeys?
Yes. Google offers a dedicated passkeys section within its Google for Developers platform, covering implementation guides for web and Android, user experience design, supported platforms, and case studies. These resources help developers integrate passkey authentication into their applications using Google Identity services.
Which platforms does Google support for passkey implementation?
Google supports passkey implementation across Android, Web, and iOS platforms. Its developer documentation provides platform-specific guidance under a cross-platform framework, enabling consistent passkey authentication experiences regardless of operating system or device type for relying parties building with Google Identity.
What is the role of a "relying party" in passkey authentication?
A relying party is the service or application that depends on passkey authentication to verify a user's identity. Google's developer documentation includes a dedicated guide for relying parties, outlining how they should handle passkey registration, authentication ceremonies, and credential verification within their systems.
What user experience considerations does Google highlight for passkey adoption?
Google's passkey developer resources emphasize user experience as a critical factor in adoption, covering user journeys, interface design guidelines, and strategies for communicating passkeys to users. These resources help developers design intuitive, friction-reducing authentication flows that encourage users to switch from passwords.
Which organization is the primary standards body behind passkey technology?
The FIDO Alliance is the primary standards body behind passkey technology. FIDO, which stands for Fast IDentity Online, develops and promotes open authentication standards designed to reduce reliance on passwords and improve security through public-key cryptography and device-based verification mechanisms.
What are the key concepts covered under NIST SP 800-63B's scope?
NIST SP 800-63B covers a focused set of digital identity concepts including authentication, authentication assurance, credential service providers, digital authentication, and passwords. These keywords define the publication's scope and signal its relevance to organizations designing or evaluating identity verification systems.
Does NIST SP 800-63B intend to restrict the development of other authentication standards?
No. NIST explicitly states that SP 800-63B is not intended to limit or constrain the development or use of authentication standards beyond its specific scope. This clarification ensures that the guidelines serve as a baseline for government systems without blocking broader industry innovation in authentication technology.
Does Google provide guidance on specific use cases for passkey deployment?
Yes. Google's passkey developer documentation includes a dedicated section on use cases, helping developers and product teams identify the most appropriate scenarios for deploying passkeys. This practical guidance supports decision-making around when and how to prioritize passkeys over other authentication methods.
Does NIST SP 800-63B address customer experience in authentication design?
Yes. The 2024 edition of NIST SP 800-63B includes a dedicated section on customer experience, marking a notable evolution in federal authentication guidance. This addition acknowledges that usability and user-centered design are essential components of effective and broadly adopted authentication systems.
Has Google published real-world case studies on passkey adoption?
Yes. Google's passkey developer documentation includes a case studies section, providing real-world examples of passkey implementation outcomes. These case studies offer developers and product teams evidence-based insights into the practical benefits, challenges, and results of deploying passkeys in production environments.