800-63-3
Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
at end of -63B Section 5.1.4.1: "The OTP value associated with a given nonce SHALL be accepted only once." Of course, the same nonce might be applied to many subscribers...
-63B Section 5.1.9.1 says: > Each authentication operation using the authenticator SHOULD require the input of the additional factor. This seems somewhat at odds with a later statement in the...
**Organization Name (N/A, if individual):** State of New York **Organization Type (see below for codes)**: 5 **Document (63-3, 63A, 63B, or 63C)**: 63-3 **Reference (Include section and paragraph number)**: Appendix...
-63B Table 4-1 (which is informative, fortunately) says that replay resistance is not required at AAL2. This is incorrect; replay resistance for at least one authenticator used at AAL2 is...
At the end of -63B Section 5.1.3 (last paragraph before 5.1.3.1), it says, "When the response is via the primary communication channel, the secret also establishes the claimant's control of...
SP 800-63B Section 4.2.2 says: > Authenticators procured by government agencies SHALL be validated to meet the requirements of FIPS 140 Level 1. Need more precision on this requirement; the intent...
Reported to dig-comments: while reading https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf references "ESIG", _Use of Electronic Signatures in Federal Organization Transactions_ which links to: https://cio.gov/wpcontent/uploads/downloads/2014/03/Use_of_ESignatures_in_Federal_Agency_Transactions_v1-0_20130125.pdf which, unsurprisingly, with WordPress, is no longer there. Just...
This is flawed guidance. Your section on IAL1 states that MFA is required for any PII. In a public site that allows users to create an account for convenience...
Although the introductory text to section 5.1.3 says, "An out-of-band authenticator is a physical device that is uniquely addressable...," section 5.1.3.1 says, "The out-of-band device SHOULD be uniquely addressable..." In...