Published Date: 8/4/2025
The U.S. National Institute of Standards and Technology (NIST) has finalized the update of its digital identity guidelines, incorporating new technologies like digital wallets and passkeys. Revision 4 of NIST’s Digital Identity Guidelines, SP 800-63-4, is the first completed update since 2017. These guidelines are designed to assist agencies in managing risk within the context of digital identity programs.
In addition to advice on integrating digital wallets and passkeys, the guidelines provide new insights into setting context for risk management, measuring continuous evaluation and identity proofing processes, and adding controls against identity fraud that uses injection attacks to deliver deepfakes into the proofing process. They also more clearly define roles and types of identity proofing and emphasize the importance of providing alternatives to face biometrics in the process.
“And…for those of you looking for it, since we know you are out there, changes to the password composition and rotation expectations are also included in the document,” write NIST Digital Identity Program Lead for the Applied Cybersecurity Division Ryan Galluzzo, NIST IT Lab Senior Technology Policy Advisor Connie LaSalle, and NIST Computer Security Division Project Lead for Applied Cryptography Andrew Regenscheid in a blog post on the changes. “All these changes represent an extensive update from NIST SP 800-63 Revision 3 — drawing heavily from real-world lessons and innovations.”
Electrosoft supported the finalization of NIST’s digital identity guidelines under a contract awarded last October. A draft was published in August for review, and previous versions released since 2022 had already received 4,000 comments from 140 organizations. NIST is already developing implementation resources to accompany the Guidelines and is exploring setting criteria for machine-readable conformance and creating a Digital Identity Risk Management tool, according to the post.
The updated guidelines aim to provide a comprehensive framework for agencies to enhance their digital identity programs, ensuring better security and user experience. By incorporating the latest technologies and addressing emerging threats, NIST continues to play a crucial role in shaping the future of digital identity management.
Q: What is the purpose of NIST's Digital Identity Guidelines?
A: The purpose of NIST's Digital Identity Guidelines is to assist agencies in managing risk within the context of digital identity programs, ensuring better security and user experience.
Q: What new technologies are included in the updated guidelines?
A: The updated guidelines include new technologies such as digital wallets and passkeys, along with enhanced risk management and identity proofing processes.
Q: How does the update address identity fraud?
A: The update adds controls against identity fraud that uses injection attacks to deliver deepfakes into the proofing process, and it more clearly defines roles and types of identity proofing.
Q: What changes were made to password requirements?
A: The updated guidelines include changes to password composition and rotation expectations, reflecting real-world lessons and innovations.
Q: What resources is NIST developing to support the new guidelines?
A: NIST is developing implementation resources to accompany the Guidelines and is exploring setting criteria for machine-readable conformance and creating a Digital Identity Risk Management tool.