Where is NIST SP 800–63–4 leading us?

Now you have an opportunity to shape the answer to this question

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has just published Special Publication 800–63–4 (draft), the Digital Identity Guidelines for the United States Federal Government. This is the fourth revision of the original SP 800–63, which has been updated every few years since 2004.

The overall framework of the SP 800–63 series hasn’t changed significantly in the past 20 years. What is notable in this new draft is that Verifiable Credentials are mentioned as a new technology that could be leveraged to deter fraud. This signals that the emerging Decentralized Identity standards are getting attention from a fairly conservative part of the US Federal Government.

Why you should pay attention to the NIST Digital Identity Guidelines

Governments have long been key influencers on the development of technology. They do this by funding research and development, testing and evaluating solutions, leading or participating in standards development, and setting rules and regulations.

NIST has been one of the most influential standards development organizations worldwide, as many countries that don’t have the capacity to create and maintain an institution like NIST rely on what NIST defines to inform their own regulations. Therefore, anyone in the digital identity space should pay attention to the NIST SP 800–63 series: it sets the mandatory digital identity process and technical requirements for all US federal agencies and is widely adopted by commercial entities within and beyond the borders of the US.

In a broader sense, the Guidelines matter to us all because they are focused on the digital identity of natural persons (not organizations), including how people interact with an organization, e.g., a government agency or a private company contracted by a government agency.

The evolution of the NIST 800–63 Series

In 2004, NIST published the first version of its Special Publication 800–63, SP 800–63 (Version 1.0) — Electronic Authentication Guideline, to provide “technical guidance to Federal agencies implementing electronic authentication”. SP 800–63 Revision 1 (SP 800–63–1) was published in 2011 and SP 800–63–2 in 2013. None of these earlier documents separated the level of identity assurance from the level, or strength, of authentication. So if someone had a strong authenticator (such as a one-time password generator) but was using a pseudonym (a low level of identity assurance), there was no place within the Guidelines to describe this situation.

In response to that feedback, NIST published SP 800–63–3 in 2017 in four volumes, separating identity assurance levels, authenticator assurance levels and federation assurance levels:

  • The base document, SP 800–63–3, covering the general identity framework and risk management
  • Volume A, SP 800–63A, covering Identity Proofing and Enrollment
  • Volume B, SP 800–63B, covering Authentication and Lifecycle Management
  • Volume C, SP 800–63C, covering Federation and Assertions

Fast forward to today: NIST has just published the SP 800–63–4 draft, which inherits the same four-volume structure. This new revision aims to address the rapidly evolving digital identity landscape we have seen in the past five years.

The Core Identity Model and Process of the NIST 800–63 series

From the first SP 800–63 document to the most recent SP 800–63–4 draft, a provider-account-relying-party model has remained essentially unchanged as the way individuals electronically engage with US Federal agencies. The new draft illustrates both the federated and non-federated models, reflecting the technologies and architectures currently available in the market.

(Figure: non-federated and federated models, NIST SP 800–63–4 Initial Public Draft, pages 11 and 12)

Both models include the same key entities and functions: the Subject (represented by one of three roles, Applicant, Subscriber or Claimant), the Credential Service Provider (CSP), the Relying Party (RP) and the Verifier. In the Federated Model, the Identity Provider (IdP) performs both the CSP and Verifier functions: it authenticates the subscriber and issues assertions to communicate with one or more RPs. Both models follow the general steps summarized below, based on the NIST 800–63–4 Initial Public Draft (pages 11–13):

  • Step 1: An applicant applies to a CSP or an IdP through an enrollment process. The CSP or IdP identity proofs the applicant.
  • Step 2: Upon successful proofing, the applicant is enrolled in the identity service as a subscriber. A subscriber account and the corresponding authenticators are established between the CSP or IdP and the subscriber. The CSP or IdP maintains the subscriber account, its status, and the enrollment data. The subscriber maintains their authenticators.
  • Step 3: The RP requests authentication of the claimant. In the Federated Model, the request goes to the IdP, which will answer with an assertion (and optionally additional attributes) over a federation protocol.
  • Step 4: The claimant proves possession and control of the authenticators to the verifier (in the Non-Federated Model) or to the verifier function of the IdP (in the Federated Model) through an authentication process.
  • Step 5 (Non-Federated Model): An authenticated session is established between the subscriber and the RP.
  • Steps 5 and 6 (Federated Model): All communication, including assertions, between the RP and the IdP happens through federation protocols. The IdP provides the RP with the authentication status of the subscriber and the relevant attributes, and an authenticated session is established between the subscriber and the RP.
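The six steps above, run end to end in code. This is an added illustration, not code from NIST, the draft or any vendor: the IdP plays CSP and verifier, the RP consumes an assertion, and the subscriber carries one authenticator. Two stand-ins are assumed for brevity: a symmetric HMAC challenge-response in place of a real authenticator (so the verifier holds the same secret), and an HS256 JWT-style assertion whose key is handed to every RP the way an IdP's public key would be. Identity proofing is reduced to "evidence was presented"; the names, evidence and subscriber "alice" are constructed. What the example adds to the prose is the list of checks an RP must apply in step 6 (signature, issuer, audience, lifetime, and the nonce it sent in step 3) and what each one rejects.

```python
# Added example of the NIST SP 800-63 federated model, steps 1-6. Not NIST code.
# Stand-ins (assumptions): HMAC challenge-response as the authenticator; HS256
# assertion whose key stands in for the IdP's public key at each RP.
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Federated model: one party acting as CSP (steps 1-2) and verifier (steps 4-5)."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.signing_key = secrets.token_bytes(32)  # stands in for the IdP private key
        self.accounts = {}   # subscriber accounts: status, IAL, enrollment data, authenticator
        self.pending = {}    # outstanding authentication challenges per subscriber

    def enroll(self, applicant: str, evidence: dict, ial: int) -> bytes:
        # Step 1: identity proofing. Real proofing validates evidence against
        # authoritative sources; this stand-in only checks that evidence exists.
        if not evidence.get("document"):
            raise ValueError("identity proofing failed: no evidence presented")
        # Step 2: the applicant becomes a subscriber; account and authenticator are bound.
        authenticator_secret = secrets.token_bytes(32)
        self.accounts[applicant] = {"status": "active", "ial": ial,
                                    "evidence": evidence, "auth_secret": authenticator_secret}
        return authenticator_secret  # the subscriber keeps the authenticator

    def challenge(self, subscriber: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[subscriber] = nonce
        return nonce

    def verify(self, subscriber: str, response: str) -> bool:
        # Step 4: the claimant proves possession of the authenticator to the verifier function.
        account = self.accounts.get(subscriber)
        nonce = self.pending.pop(subscriber, None)   # one challenge, one answer
        if account is None or account["status"] != "active" or nonce is None:
            return False
        expected = hmac.new(account["auth_secret"], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def issue_assertion(self, subscriber: str, rp_id: str, rp_nonce: str, ttl: int = 300, now=None) -> str:
        # Step 5: assertion bound to one RP (aud), one request (nonce) and a short lifetime (exp).
        now = int(time.time()) if now is None else now
        claims = {"iss": self.issuer, "sub": subscriber, "aud": rp_id, "iat": now, "exp": now + ttl,
                  "nonce": rp_nonce, "ial": self.accounts[subscriber]["ial"], "aal": 1}
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        signature = hmac.new(self.signing_key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(signature)


class Subscriber:
    """Holds the authenticator; plays applicant, then subscriber, then claimant."""

    def __init__(self, name: str, authenticator_secret: bytes):
        self.name = name
        self.secret = authenticator_secret

    def respond(self, nonce: str) -> str:
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, rp_id: str, idp_issuer: str, idp_key: bytes):
        self.rp_id = rp_id
        self.idp_issuer = idp_issuer
        self.idp_key = idp_key          # stands in for the IdP public key
        self.pending_nonces = set()     # nonces sent in step 3, not yet answered
        self.sessions = {}

    def request_authentication(self) -> str:
        # Step 3: the RP asks for authentication and remembers the nonce it sent.
        nonce = secrets.token_hex(16)
        self.pending_nonces.add(nonce)
        return nonce

    def accept_assertion(self, assertion: str, now=None) -> str:
        # Step 6: every check here must pass before an authenticated session exists.
        now = int(time.time()) if now is None else now
        try:
            h, p, s = assertion.split(".")
        except ValueError:
            raise ValueError("malformed assertion")
        expected = hmac.new(self.idp_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("signature check failed")        # verify before parsing claims
        claims = json.loads(b64url_decode(p))
        if claims.get("iss") != self.idp_issuer:
            raise ValueError("unknown issuer")
        if claims.get("aud") != self.rp_id:
            raise ValueError("assertion was issued for a different RP")
        if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
            raise ValueError("assertion expired or not yet valid")
        if claims.get("nonce") not in self.pending_nonces:
            raise ValueError("nonce unknown: replayed or unsolicited assertion")
        self.pending_nonces.discard(claims["nonce"])           # each assertion is accepted once
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"sub": claims["sub"], "ial": claims["ial"], "aal": claims["aal"]}
        return session_id


def run_flow(now=None):
    """Walks steps 1-6 once with constructed data; returns the IdP, the RP and the session record."""
    idp = IdentityProvider("https://idp.example.gov")                        # assumed issuer name
    rp = RelyingParty("https://benefits.example.gov", idp.issuer, idp.signing_key)
    secret = idp.enroll("alice", {"document": "state-id-000"}, ial=2)         # steps 1-2
    alice = Subscriber("alice", secret)
    rp_nonce = rp.request_authentication()                                    # step 3
    if not idp.verify(alice.name, alice.respond(idp.challenge(alice.name))):  # step 4
        raise RuntimeError("authentication failed")
    assertion = idp.issue_assertion(alice.name, rp.rp_id, rp_nonce, now=now)  # step 5
    session_id = rp.accept_assertion(assertion, now=now)                      # step 6
    return idp, rp, rp.sessions[session_id]


if __name__ == "__main__":
    _, _, session = run_flow()
    print(session)
```

The order of checks in `accept_assertion` is deliberate: the signature is verified before any claim is parsed, the audience check stops an assertion minted for one agency's RP from being replayed at another, and consuming the nonce makes each assertion usable exactly once. Swapping the HMAC stand-ins for a FIDO authenticator and an asymmetrically signed OpenID Connect ID token leaves the RP-side checks the same.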

If you dive deeper into the first step, where identity proofing takes place, you will uncover the assumption that once residents or citizens have gone through identity proofing with one agency and become a “subscriber”, they have to go through the whole identity proofing process and get an account again for other agencies that use different CSPs. Often, companies referred to as Identity Verification (IDV) providers, such as ID.me, Jumio, Socure and LexisNexis, are contracted by the government to play the CSP role. It was this model that the IRS implemented with ID.me, which drew fire from many quarters because, in effect, a resident or citizen would have to create an account with a private company in order to interact with the IRS online.

The Guidelines fundamentally assume an account-based model in which residents or citizens activate and keep accounts across multiple government agencies via multiple CSPs. They uphold the conventional identity management practice of account management with a username and password or, at higher authenticator assurance levels, multi-factor authentication with factors stronger than a password alone.

Noteworthy changes in the NIST 800–63–4 draft

Even though the core model and process of the NIST 800–63 series have stayed almost unchanged over the years, the new draft presents some important changes.

The introduction highlights that the Guidelines have moved beyond the original stance of thinking about risk only relative to the enterprise:

“Risks associated with digital identity stretch beyond the potential impacts to enterprises and should be incorporated into enterprise decision-making…organizations should consider how decisions related to digital identity that prioritize organizational cybersecurity objectives might affect or need to accommodate other objectives, such as those related to privacy, equity, usability…By taking a human-centered and continuously informed approach to mission delivery, organizations have an opportunity to incrementally build trust with the variety of populations they serve, improve customer satisfaction, identify issues more quickly, and provide individuals with effective and culturally appropriate redress options. ”

Other noteworthy changes or highlights include advancing equity, emphasizing optionality and choice for consumers, and deterring fraud and advanced threats. The new draft has given a great deal of thought to how to conduct identity verification without requiring the use of facial recognition technologies. It also highlights the need for identity services to support different authenticator options and to provide secure account recovery. The risk and threat models have been updated to account for new attacks, with new options for phishing-resistant authentication and requirements to prevent automated attacks against enrollment processes.

For those of us working in the Decentralized Identity community, the most exciting news is the mention of Verifiable Credentials (VCs) in SP 800–63A-4, section 4.4.1, Identity Verification Methods (under “Control of a digital account”), and the authors’ stated intention to make sure emerging technology paradigms such as VCs are not precluded by the specification. The “Note to Reviewers” mentions VCs as a potential new technology to help deter fraud and asks questions about using VCs for identity proofing and authentication within the existing core model and process.

Time to contribute and help NIST get the emerging paradigms right

While we are excited to see the changes and questions related to our community, serious effort is needed to figure out how best to leverage the emerging paradigms of VCs and more. For example, could we conceive a model in which a CSP is not needed in the account creation process at all, because the individual presents a digitally native, government-issued identity document built on VCs or mDLs (the ISO mobile driving licence standard)? Such a model would be much more aligned with the human-centered approach envisioned in the new draft.

Now is the time for you to contribute and share your thoughts with NIST, as they are soliciting feedback and comments on all four draft publications: 800–63–4, 800–63A-4, 800–63B-4, and 800–63C-4. You can submit your comments to dig-comments@nist.gov by 11:59 pm Eastern Time on March 24, 2023.

In the meantime, the W3C Credentials Community Group is hosting a feedback session next Thursday, March 2nd, at 1pm Pacific Time / 4pm Eastern Time. Connie LaSalle, Andrew Regenscheid, David Temoshok and Ryan Galluzzo, the authors from NIST, will present briefly and seek community input on the draft. We will be joining the session and look forward to seeing you there too.

++++++++++++++++++++++++++++++

Note:

Prior to writing this article, Kaliya Young, our Founding Partner, attended an event in Washington DC in late January 2023, where most of the principal authors of SP 800–63–4 presented highlights and fielded questions from industry leaders from key organizations in the digital identity space, such as the OpenID Foundation, Kantara Initiative and FIDO Alliance.

This event complemented an earlier webinar which walked through the new draft. Here is a link to the webinar slide deck. There was a shorter presentation by Ryan Galluzzo at Authenticate 2022 before the release of the draft that provided a great overview of the changes.


We provide consulting and advisory services to organizations across the world to help them succeed in adopting, developing and investing in Decentralized ID.

Identity Woman in Business