What Is NIST SP 800-63-4?

NIST SP 800-63-4 is the current revision of the National Institute of Standards and Technology’s Digital Identity Guidelines. These guidelines establish the framework for how digital identity systems should handle identity proofing, authentication, and federation. They are the authoritative reference for U.S. federal agencies and are commonly used as a reference framework by state governments, financial institutions, and private-sector organizations.

What does the standard cover?

The SP 800-63 family comprises several volumes that address various aspects of digital identity. SP 800-63A covers enrollment and identity proofing: how an organization verifies that an applicant is who they claim to be before issuing a credential. SP 800-63B addresses authentication and lifecycle management: how systems verify that someone presenting a credential is the rightful holder. SP 800-63C covers federation and assertions: how identity information can be shared across systems and organizations.

What are assurance levels?

A core concept in NIST 800-63 is the assurance level, which measures the confidence in the identity claim being made. The guidelines define three dimensions: Identity Assurance Level (IAL), which measures the confidence in the person's identity; Authenticator Assurance Level (AAL), which assesses the strength of the authentication mechanism; and Federation Assurance Level (FAL), which evaluates the security of federated identity assertions.

Higher levels require stronger evidence and controls. The appropriate level depends on the risk associated with the transaction. For example, opening a bank account requires higher assurance than accessing a public website.

Why NIST 800-63 matters

U.S. federal agencies and organizations providing services to the federal government must comply with these guidelines. Beyond the public sector, they serve as best practices for private organizations seeking to implement robust identity systems.

For verifiable digital credentials, NIST 800-63-4 provides the foundation for determining what level of identity proofing an issuer should require, how credentials should reflect their assurance level, and what verifiers can trust about a presented credential. The latest revision reflects the shift toward verifiable digital credentials and modern assurance methods.
