Ten Reasons to Love Passwordless #2: NIST Compliance


This is the second post in the “Ten Reasons to Love Passwordless” blog series. Last time, we talked about the flexibility and multi-platform benefits of FIDO2 open standards based technology. The second reason to love passwordless is it brings the highest levels of security to your organization. Passwordless multifactor (MFA) eliminates the need to memorize passwords and as such makes it 99.9% harder to compromise an account. Using built-in crypto keys in your software or hardware from passwordless solutions, you get the security assurance that meets the highest standards. Helping our customers achieve these MFA goals is music to my ears!  

Security assurance with NIST (800-63) 

Let's start with the National Institute of Standards and Technology (NIST) which develops the technical requirements for US federal agencies implementing identity solutions. NIST's 800-63 Digital Identity Guidelines Authentication Assurance Levels (AAL) is a mature framework used by federal agencies, organizations working with federal agencies, healthcare, defense, finance, and other industry associations around the world as a baseline for a more secure identity and access management (IAM) approach. How does passwordless and multifactor authentication align with NIST's requirement? And how can the required AALs be met? 

Before diving into the details, let us align some terminology: 

  • Authentication – The process of verifying the identity of a subject. 
  • Authentication factor – Something you know, something you have, or something you are: Every authenticator has one or more authentication factors. 
  • Authenticator – Something the subject possesses and controls that is used to the subject's identity. 

 Multifactor Authentication 

Multifactor authentication can be achieved by either a multifactor authenticator or by a combination of multiple single factor authenticators. A multifactor authenticator requires two authentication factors to execute a single authentication transaction. 

Multifactor authentication using two single factor authenticators 

The illustration below shows how a multifactor authentication can be performed using a memorized secret (something you know) authenticator along with an out of band (something you have) authenticator. The user performs two independent authentication transactions with .


Multifactor authentication using a single multifactor authenticator 

The illustration below shows how a multifactor authentication is performed using a single multifactor cryptographic authenticator requiring one authentication factor (something you know or something you are) to unlock a second authentication factor (something you have). The user uses a single authentication transaction with .  


Microsoft Passwordless Authenticators mapped to NIST 800-63 AALs 

Microsoft passwordless authenticators allow multifactor authentication using a single authenticator and eliminate the dependency on memorized secret (password) authenticator and the associated password attacks (see Your Pa$$word doesn't matter).  

Authentication method  NIST Authenticator type  AAL 
Windows Hello for Business  Multi-factor cryptographic hardware (with TPM) 

Multi-factor cryptographic software (without ) 



Microsoft Authenticator app  Multi-factor cryptographic hardware (iOS) 

Multi-factor cryptographic software (Android) 



FIDO2 security keys*  Multi-factor cryptographic hardware  AAL3 

*FIDO2 Security Key partners such as Feitian, Thales (formerly Gemalto), TrustKey (formerly eWBM), and Yubico, are in the process of certifying their FIDO2 security keys with FIPS 140. 

Federal agencies, organizations working with federal agencies and organizations in regulated industries seeking Federal Information Processing Standards 140 (FIPS 140) verification are advised to reference Achieving National Institute of Standards and Technology Authenticator Assurance Levels with the Mic… and conduct risk assessment and evaluation before accepting these authenticators as AAL2/3.  

Check out the other posts in this series: 

Learn more about Microsoft identity: 

@Sue Bohn  This is a fantastic summary of standards going in to the passwordless solutions to assure the best security possible.

We have seen more factors like

  • How you Behave (Behavioural authentication)
  • How you sound &
  • Who knows you (authentication by reference like social authentication)

Are there any NIST standards for the above methods as well?

We have invented  Association-Based-Authentication, which uses PKI and complies with FIPS 140-2 L1.

Can you please share what level FIDO2 Security Key partners should certify with? This will be very valuable for us.

For AAL3 a single factor authenticator it needs to be FIPS140 general 1 phisical 3 Certified.  For a multi-factor authenticator it needs to be FIPS140 general 2 phisical 3 Certified.

There are aditional NIST standards for biometric authenticators around FAR and presentation stack resistance on biometric multi-factor authenticators.

Wow! I love that we're now going passwordless.

In the world of capability theory, we've also got terms for this authentication flow. We to our powerbox, which holds capabilities – that is, credentials unique to and associated with a resource – that we can then use. In this case, an authenticator is a powerbox, and you can get all the secure UI benefits of dealing with capabilities rather than passwords. Really looking forward to using this when dealing with microsoft services.

Awsome! :smile:


This article was originally published by Microsoft's Secure Blog. You can find the original article here.