Change Log

This appendix is informative.

This appendix provides an overview of the changes made to SP 800-63B since its initial release.

• Removes Purpose, Definitions, and Abbreviations numbered sections and renumbers sections accordingly. The section numbers referenced below are the new section numbers.
• Changes the name of memorized secrets to passwords
• Section 2: Describes the use of fraud indicators rather than pre-authentication checks
• Section 2.3.2: Reduces required FIPS 140 validation level for authenticators at AAL3
• Section 2.3.2: Requires a non-exportable cryptographic authenticator rather than a hardware-based authenticator at AAL3
• Section 3.1.1.2: Increases the minimum length of passwords used as a single authentication factor
• Section 3.1.3: Disallows the comparison of secrets from primary and secondary channel for out-of-band authentication
• Section 3.1.3.1: Removes the prohibition on the use of VoIP phone numbers for out-of-band authentication
• Section 3.1.3.4: Recognizes multi-factor out-of-band authenticators that require an activation factor
• Section 3.1.4 and Sec. 3.1.5: Removes “devices” from the authenticator name to recognize OTP applications
• Section 3.1.6 and Sec. 3.1.7: Removes “software” and “device” distinction from the authenticator name and refers to them as “authenticator characteristics”
• Section 3.1.7.3: Adds requirements for authentication using subscriber-controlled wallets
• Section 3.1.7.4 and Appendix B: Adds requirements for syncable authenticators
• Section 3.2.3: Updates biometric performance requirements and metrics
• Section 3.2.3.2: Requires PAD for facial recognition and prohibits biometric comparison based on voice
• Section 3.2.5: Adds a definition and updates requirements for phishing-resistant authenticators
• Section 3.2.10: Establishes separate requirements for locally verified memorized secrets known as activation secrets
• Section 3.2.11: Adds requirements for authenticators that are connected via wireless technologies, such as NFC and Bluetooth
• Section 3.2.11.3: Recognizes hybrid connections as a class of connected authenticators
• Section 3.2.12: Centralizes the requirements for random values used throughout the document
• Section 3.2.13: Adds a new section on requirements for the non-exportability of authenticator secrets
• Section deleted: Removes verifier compromise resistance as a distinctly named requirement because it is generally a characteristic of the chosen authenticator type
• Section 4: Renames section to “Authenticator Event Management”
• Section 4.1.1: Moves binding at enrollment to SP 800-63A
• Section 4.1.2.1: Generalizes binding an additional authenticator to all AALs
• Section 4.1.2.2: Adds requirements for binding authenticators that are not connected to an endpoint
• Section 4.2: Revises the requirements and methods for account recovery
• Section 4.6: Revises the requirements for notifications sent to subscribers
• Section 5.1: Recognizes the use of device-bound session credentials
• Section 5.1.1: Adds requirements for browser cookies used for session maintenance
• Section 5.2: Revises reauthentication requirements to define the overall structure of reauthentication here and specify timeout values in the AAL requirements
• Section 5.3: Adds guidelines for the use of session monitoring (continuous authentication)