DEV Community

vdelitz for Corbado

Originally published at corbado.com

Are Device-Bound Passkeys AAL2- or AAL3-Compliant?

Introduction

Traditional password-based authentication methods are increasingly seen as outdated and insecure. The National Institute of Standards and Technology (NIST), a leading authority in standards and technology, has recently endorsed synced passkeys, confirming their compliance with Authenticator Assurance Level 2 (AAL2). This endorsement marks a significant step forward in the adoption of passkeys, offering enhanced security and user convenience.


Understanding NIST and Its Role

NIST, part of the U.S. Department of Commerce, sets the gold standard for digital identity and cybersecurity guidelines. Its frameworks influence both public and private sectors globally, ensuring high security and interoperability standards. Although NIST guidelines are not legally binding, they are often adopted by federal agencies and contractors, impacting global cybersecurity practices.

NIST's Decision on Passkeys

NIST's recent supplement to its Special Publication 800-63B officially recognizes synced passkeys as AAL2-compliant. This endorsement highlights the phishing-resistant nature of synced passkeys and their suitability for secure authentication processes. Device-bound passkeys, on the other hand, meet the stricter AAL3 standard because they satisfy its higher security requirements.

Why This Decision Matters

NIST's endorsement is crucial for several reasons:
1. Global Trust and Influence: NIST's guidelines are trusted worldwide. Their endorsement of passkeys will likely accelerate global adoption, particularly in regulated industries such as banking and healthcare.
2. Enhanced Security: Synced passkeys offer a robust security alternative to traditional passwords, reducing the risk of phishing attacks and unauthorized access.
3. User Experience: Beyond security, passkeys improve the user experience by simplifying the authentication process and supporting easy recovery mechanisms.

Analysis of NIST SP 800-63B Supplement

The supplement outlines specific criteria for AAL2 and AAL3 compliance:

  • Authenticator Assurance Levels (AALs): These levels measure the robustness of authentication processes. AAL2 requires two-factor or multi-factor authentication, while AAL3 requires multi-factor authentication backed by a hardware-based cryptographic authenticator that proves possession of a key.
  • Synced Passkeys: Recognized for their phishing resistance, synced passkeys meet AAL2 requirements by ensuring secure and encrypted transmission of authentication data.
  • Device-Bound Passkeys: These meet AAL3 standards due to their hardware-based authentication, providing very high confidence in the control of authenticators.

Key Requirements for Synced Passkeys

To achieve AAL2 compliance, synced passkeys must:

  1. Utilize Proper Cryptography: All keys must be created using recognized cryptographic methods.
  2. Ensure Private Key Security: Private keys must be encrypted and securely stored.
  3. Local Authentication: Authentication processes must involve actions using the private key on the local device.
  4. Secure Cloud Access: Access to synced private keys in the cloud must be protected by multi-factor authentication.
  5. Documentation: Deployment requirements for synced passkeys must be documented and communicated clearly.

Implications for Developers and Product Managers

For developers and product managers, NIST's guidelines provide a clear framework for implementing secure passkey authentication. Adopting synced passkeys can enhance security, meet regulatory requirements, and improve user experience. It is important to configure WebAuthn properties correctly to ensure compliance and mitigate potential threats.
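The five requirements above and the WebAuthn configuration point in this paragraph come together at the relying party. The following is an added example, not Corbado's code and not from the NIST supplement: it builds the creation options a relying party passes to `navigator.credentials.create()` (the `rp` and `user` values are placeholders), then parses the authenticator data returned by the authenticator to check that user verification (the second factor) happened and to read the WebAuthn backup-eligible (BE) and backup-state (BS) flags, which are what distinguish a syncable passkey from a device-bound one. The `constructedAuthData` helper fabricates a minimal 37-byte authenticator data blob so the parser can be exercised offline. One caveat a practitioner should keep in mind: these flags are self-reported by the authenticator; they tell you whether the key can be synced, not whether it lives in hardware, so the hardware backing AAL3 expects still has to be established through attestation verification, which this snippet does not perform.

```javascript
// Added example: WebAuthn relying-party settings plus a parser for the
// authenticator data flags that separate synced from device-bound passkeys.

// Creation options for navigator.credentials.create(). rp and user values
// are placeholders; challenge must be fresh server-generated random bytes.
function passkeyCreationOptions(challenge, userId, userName) {
  return {
    challenge,
    rp: { id: "example.com", name: "Example RP" }, // placeholder relying party
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256 (COSE algorithm identifier)
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: "required",      // discoverable credential, i.e. a passkey
      userVerification: "required", // PIN/biometric on the device = second factor
    },
    attestation: "direct", // request attestation if hardware backing must be verified
    timeout: 60000,
  };
}

// Authenticator data layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4] | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: the credential may be synced
const FLAG_BS = 0x10; // backup state: the credential is currently backed up

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4)
    .getUint32(0, false); // big-endian per the spec
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount,
  };
}

// Policy check: reject single-factor use, then classify the credential type.
function classifyPasskey(authData) {
  const d = parseAuthenticatorData(authData);
  if (!d.userPresent) return "reject: no user presence";
  if (!d.userVerified) return "reject: no user verification";
  return d.backupEligible ? "synced" : "device-bound";
}

// Constructed test input: a fake rpIdHash, the given flags byte and sign count.
function constructedAuthData(flags, signCount = 0) {
  const buf = new Uint8Array(37);
  buf.fill(0xaa, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}
```

In a real deployment the `authData` bytes come from the attestation object at registration (decoded from CBOR) or directly from the assertion response at login; storing the BE/BS result per credential lets a relying party apply different policies to synced and device-bound passkeys, which is exactly the AAL2 versus AAL3 split the supplement draws.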

Global Perspective on Passkeys

While NIST leads the way, other governmental agencies are also recognizing the importance of passkeys:

  • European Union (ENISA): ENISA acknowledges FIDO as an authentication standard.
  • UK (NCSC): The NCSC predicts a decline in password use, viewing passkeys as a modern solution.
  • Germany (BSI): The BSI supports passkeys as a standard for authentication.

Conclusion

NIST's recognition of synced passkeys as AAL2-compliant is a milestone in digital authentication. This endorsement not only boosts the security framework but also paves the way for broader adoption of passkeys across various sectors. As other regulatory bodies follow suit, the future of passwordless authentication looks promising.

Find the detailed analysis on our blog.

By aligning with these guidelines, organizations can ensure high security standards and enhance user trust in their authentication systems.
