This appendix is informative. It provides an overview of the changes to SP 800-63B since its initial release.
Throughout: Removed Purpose and Definitions and Abbreviations numbered sections and renumbered sections accordingly. Section numbers referenced below are the new section numbers.
Throughout: Changed the name of memorized secrets to passwords.
Section 3.1.3: Disallowed the comparison of secrets from primary and secondary channel for out-of-band authentication.
Section 3.1.3.1: Removed the prohibition on the use of VoIP phone numbers for out-of-band authentication.
Section 3.1.3.4: Recognized multi-factor out-of-band authenticators that require an activation factor.
Section 3.1.4 and Sec. 3.1.5: Removed “devices” from the authenticator name to recognize OTP applications.
Section 3.1.6 and Sec. 3.1.7: Removed “software” and “device” distinction from the authenticator name; these are now authenticator characteristics.
Section 3.1.7.4 and Appendix B: Added requirements for syncable authenticators.
Section 3.2.3: Updated biometric performance requirements and metrics and included a discussion of equity impacts.
Section 3.2.5: Added a definition and updated requirements for phishing-resistant authenticators.
Section 3.2.10: Established separate requirements for locally verified memorized secrets known as activation secrets.
Section 3.2.11: Added requirements for authenticators that are connected via wireless technologies such as NFC and Bluetooth.
Section 3.2.12: Centralized the requirements for random values used throughout the document.
Section 3.2.13: Added a new section on requirements for the non-exportability of authenticator secrets.
Removed verifier compromise resistance as a distinct named requirement because it is generally a characteristic of the chosen authenticator type.
Section 4: Section renamed “Authenticator Event Management.”
Section 4.1.1: Moved binding at enrollment to SP 800-63A.
Section 4.1.2.1: Generalized binding an additional authenticator to all AALs.
Section 4.1.2.2: Added requirements for binding authenticators that are not connected to an endpoint.
Section 4.2: Revised the requirements and methods for account recovery.
Section 4.6: Revised the requirements for notifications sent to subscribers.
Section 5.1.1: Added requirements for browser cookies used for session maintenance.
Section 5.2: Revised reauthentication requirements to define the overall structure of reauthentication here and specify timeout values in the AAL requirements.
Section 5.3: Added guidelines for the use of session monitoring (continuous authentication).
Section 9: Added a section on equity considerations.