NIST e-authentication spec out for comment

The National Institute of Standards and Technology is seeking public comments on its draft recommendations for electronic authentication.

NIST Special Publication 800-63 follows up guidelines from the Office of Management and Budget defining four levels of authentication assurance for federal IT systems.

The levels indicate increasingly serious risks of authentication errors or misuse of electronic credentials. Making an online reservation for a national park campsite, for example, carries less risk than online filing of financial information.

The guidelines present technical requirements for identity proofing, tokens, remote authentication and assertion mechanisms at each level of assurance.

  • Level 1 requires no identity proofing and allows a wide range of authentication technologies and tokens, including a simple personal ID number. There is no requirement for Federal Information Processing Standard-approved cryptography.

  • Level 2 requires some identity proofing and at least a password as a token. FIPS-approved cryptography is required to thwart eavesdropping or hacker attacks.

  • Level 3 requires a high level of identity proofing and FIPS-approved cryptography to protect the authentication token as well prevent eavesdropping or attacks. Tokens can be either software or hardware.

  • Level 4 provides the highest practical remote network authentication assurance. It is similar to Level 3 but requires hardware tokens with cryptographic modules validated at FIPS 140-2 Level 2 or higher. 'By requiring a physical token, which cannot readily be copied and must be unlocked with a password or biometric, this level ensures good, two-factor remote authentication,' NIST said.

  • NIST will accept comments on the proposed recommendations until March 15 at [email protected]

    About the Author

    William Jackson is a Maryland-based freelance writer.


    • business meeting (Monkey Business Images/

      Civic tech volunteers help states with legacy systems

      As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

    • data analytics (

      More visible data helps drive DOD decision-making

      CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

    Stay Connected