NIST SP 800-63 overview
The National Institute of Standards and Technology (NIST) SP 800-63 Digital Identity Guidelines provides technical requirements for federal agencies implementing digital identity services, including identity proofing and authentication of users interacting with government IT systems over open networks. Moreover, healthcare, financial services, and other industries often rely on the NIST SP 800-63 as a baseline for identity and access management requirements. For example, NIST SP 800-63 is referenced by:
NIST SP 800-63 guidelines are referenced in other standards, most notably the US Federal Risk and Authorization Management Program (FedRAMP) that is applicable to cloud service providers (CSPs). FedRAMP is based on the NIST SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Several FedRAMP controls in the Identification and Authentication (IA) control family reference NIST SP 800-63, for example, IA-1, IA-5, and IA-8.
NIST SP 800-63 guidelines encompass three areas, and each area sets requirements to achieve a given level of assurance:
Azure support for NIST SP 800-63
Azure provides guidance for attaining the NIST SP 800-63B Authenticator Assurance Levels by using Azure Active Directory (Azure AD) and other Microsoft solutions. For more information, see Achieving NIST AALs.
The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). For federal systems hosted on Azure, the remote authentication of end users should follow NIST SP 800-63 guidelines. A cloud service provider (CSP) system owner is responsible for selecting the right authentication technology to meet the target assurance level. Azure and Azure Government FedRAMP High authorizations satisfy the security and privacy control requirements for all Authenticator Assurance Levels, including AAL1, AAL2, and AAL3.
According to NIST SP 800-63B Section 4.3, Authenticator Assurance Level 3 (AAL3) authentication shall use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance – the same device may fulfill both requirements. Possible combinations of authenticators satisfying AAL3 requirements include:
- Multi-factor cryptographic device
- Single-factor cryptographic device used in conjunction with memorized secret
- Multi-factor one-time password (OTP) device (software or hardware) used in conjunction with a single-factor cryptographic device
- Multi-factor OTP device (hardware only) used in conjunction with a single-factor cryptographic software authenticator
- Single-factor OTP device (hardware only) used in conjunction with a multi-factor cryptographic software authenticator
- Single-factor OTP device (hardware only) used in conjunction with a single-factor cryptographic software authenticator and a memorized secret
We recommend using a multi-factor cryptographic hardware authenticator to achieve AAL3, as explained in Achieving NIST AAL3 with Azure AD. The password is the largest attack surface; passwordless authentication eliminates it and offers users a streamlined way to authenticate.
According to NIST SP 800-63B Section 4.3, multi-factor authenticators used at AAL3 shall rely on hardware cryptographic modules validated at FIPS 140 Level 2 or higher overall, with at least FIPS 140 Level 3 for physical security. Verifiers at AAL3 shall be validated at FIPS 140 Level 1 or higher. For more information about Microsoft support for authenticator and verifier FIPS 140 validation requirements, see FIPS 140 validation.
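The AAL3 combinations listed above and the FIPS 140 floors just stated can be turned into a small decision procedure. The following is an added example written for this page; it is not code from Microsoft, Azure AD, or NIST. It models each authenticator by three attributes (hardware-based or not, the factors it proves, and whether it provides verifier impersonation resistance), treats cryptographic authenticators as the only verifier-impersonation-resistant kind (an assumption of this model, consistent with NIST SP 800-63B), and checks the three structural rules the section states: a hardware-based authenticator, a verifier-impersonation-resistant authenticator, and two distinct factors overall. The six listed combinations pass, and two constructed counterexamples show which rule a weaker combination misses.

```python
"""Added example (not from Microsoft, Azure AD, or NIST): a decision procedure for the
AAL3 authenticator combinations and FIPS 140 validation floors described in
NIST SP 800-63B Section 4.3. The attribute model is this example's own simplification."""
from dataclasses import dataclass

POSSESSION, KNOWLEDGE = "possession", "knowledge"


@dataclass(frozen=True)
class Authenticator:
    name: str
    hardware: bool                  # implemented as a hardware device
    factors: frozenset              # authentication factors the authenticator proves
    impersonation_resistant: bool   # provides verifier impersonation resistance


def memorized_secret():
    return Authenticator("memorized secret", False, frozenset({KNOWLEDGE}), False)


def otp_device(hardware, multi_factor):
    # Assumption of this model: an OTP is not bound to the verifier, so an OTP
    # device of either form is not verifier-impersonation resistant.
    factors = {POSSESSION, KNOWLEDGE} if multi_factor else {POSSESSION}
    kind = "multi-factor" if multi_factor else "single-factor"
    form = "hardware" if hardware else "software"
    return Authenticator(f"{kind} OTP ({form})", hardware, frozenset(factors), False)


def cryptographic(hardware, multi_factor):
    # Assumption of this model: cryptographic authenticators answer a verifier-specific
    # challenge, which is what supplies verifier impersonation resistance.
    factors = {POSSESSION, KNOWLEDGE} if multi_factor else {POSSESSION}
    kind = "multi-factor" if multi_factor else "single-factor"
    form = "device" if hardware else "software"
    return Authenticator(f"{kind} cryptographic {form}", hardware, frozenset(factors), True)


def aal3_gaps(authenticators):
    """Return the AAL3 rules a combination fails (empty list means it passes).
    One device may satisfy both the hardware and the impersonation-resistance rule."""
    gaps = []
    if not any(a.hardware for a in authenticators):
        gaps.append("no hardware-based authenticator")
    if not any(a.impersonation_resistant for a in authenticators):
        gaps.append("no verifier-impersonation-resistant authenticator")
    factors = frozenset().union(*(a.factors for a in authenticators))
    if len(factors) < 2:
        gaps.append("fewer than two distinct authentication factors")
    return gaps


def meets_aal3(authenticators):
    return not aal3_gaps(authenticators)


def multi_factor_authenticator_fips_ok(overall_level, physical_level):
    """Multi-factor authenticators at AAL3: FIPS 140 Level 2 or higher overall,
    with at least Level 3 for physical security."""
    return overall_level >= 2 and physical_level >= 3


def verifier_fips_ok(overall_level):
    """Verifiers at AAL3: FIPS 140 Level 1 or higher."""
    return overall_level >= 1


# The six combinations from NIST SP 800-63B Section 4.3, as modeled here. For the
# third, the OTP device is modeled as software so that the hardware comes from the
# cryptographic device alone.
AAL3_COMBINATIONS = {
    "MF crypto device": [cryptographic(True, True)],
    "SF crypto device + memorized secret": [cryptographic(True, False), memorized_secret()],
    "MF OTP (software) + SF crypto device": [otp_device(False, True), cryptographic(True, False)],
    "MF OTP (hardware) + SF crypto software": [otp_device(True, True), cryptographic(False, False)],
    "SF OTP (hardware) + MF crypto software": [otp_device(True, False), cryptographic(False, True)],
    "SF OTP (hardware) + SF crypto software + memorized secret": [
        otp_device(True, False), cryptographic(False, False), memorized_secret()],
}

# Constructed counterexamples: combinations that fall short of AAL3.
NOT_AAL3 = {
    "software OTP + memorized secret": [otp_device(False, False), memorized_secret()],
    "single-factor crypto device alone": [cryptographic(True, False)],
}

if __name__ == "__main__":
    for label, combo in {**AAL3_COMBINATIONS, **NOT_AAL3}.items():
        gaps = aal3_gaps(combo)
        print(f"{label:58s} {'AAL3' if not gaps else 'not AAL3: ' + '; '.join(gaps)}")
    print("MF authenticator FIPS 140 L2 overall / L3 physical:",
          multi_factor_authenticator_fips_ok(2, 3))
```

Running the script lists each combination with the rule it misses, which makes the failure modes concrete: a software OTP app plus a password has two factors but neither a hardware authenticator nor verifier impersonation resistance, and a single-factor cryptographic device on its own is hardware-based and impersonation-resistant but proves only one factor.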
FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements, including the requisite FIPS 140 validation:
Microsoft provides detailed guidance on:
- How to configure Azure AD to meet NIST SP 800-63B Authenticator Assurance Levels, including AAL1, AAL2, and AAL3. For more information, see Achieving NIST AALs.
- How to configure controls in the Access Control (AC) and Identification and Authentication (IA) control families to meet FedRAMP High requirements. For more information, see Configure Azure AD to meet FedRAMP High.
Frequently asked questions
Can Azure support my NIST AAL3 requirements?
Yes. Azure AD supports both authenticator and verifier NIST AAL3 requirements, including FIPS 140 validation at the right level mandated by NIST SP 800-63B. We recommend using a multi-factor cryptographic hardware authenticator to achieve AAL3. FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements.
Does Microsoft provide guidance on achieving NIST AAL requirements?
Yes. For more information, see Guidance documents.