NIST SP 800-63 Digital Identity Guidelines

Background

In July 2025, NIST released the final version of SP 800-63, Revision 4. The culmination of an almost four-year process that included foundational research, two public drafts, and nearly 6,000 individual comments from the public, Revision 4 of SP 800-63, Digital Identity Guidelines, intends to respond to the changing digital landscape that has emerged since the last major revision of this suite was published in 2017. The guidelines present the process and technical requirements for meeting digital identity assurance levels for identity proofing, authentication, and federation, including requirements for security and privacy as well as considerations for improved customer experience of digital identity solutions and technology. This revision includes many substantial content changes, including the following:

  1. Updates text and context setting for risk management
  2. Adds recommended continuous evaluation metrics
  3. Expands fraud requirements and recommendations for identity proofing processes
  4. Restructures the identity proofing controls to better define roles and types of identity proofing
  5. Adds controls for addressing injection attacks and forged media (e.g., “deep fakes”)
  6. Integrates syncable authenticators (e.g., synced passkeys)
  7. Adds subscriber-controlled wallets to the federation model

Together with many other changes, these make Revision 4 a comprehensive update to Revision 3. As with previous revisions, implementation resources such as FAQs, conformance criteria, and more will be made available in the near future.

Available Online

The online versions of the four volumes of draft SP 800-63-4 are available at:

PDF versions of these documents are available on the NIST Computer Security Resource Center:

Implementation Resources