After a four‑year drafting process and roughly 6,000 public comments, NIST has finalized the document that most U.S. federal systems, and a great many private ones, will use to define what counts as a strong password and a credible authenticator (National Institute of Standards and Technology [NIST], 2025).
Document Background
The full SP 800‑63 suite (Rev. 4) covers identity proofing (SP 800‑63A), authentication and authenticator management (SP 800‑63B), and federation and assertions (SP 800‑63C), with the parent document SP 800‑63 setting risk‑management context for all three. This page focuses on the B volume, which is where password and MFA requirements live.
The previous edition (Rev. 3, 2017) is famous in security circles for being the document that broke the long tradition of forced 90‑day rotations and mandatory composition rules. Rev. 4 keeps that direction and tightens the language: where Rev. 3 said verifiers should not impose composition rules, Rev. 4 says they shall not (NIST, 2025, Section 3.1.1.2). It also raises the minimum length for any password used as a single‑factor authenticator from 8 characters to 15.
Most institutional policy documents (PCI DSS 4.0.1, HIPAA implementation guidance, ISO/IEC 27002:2022, and state privacy regulations) either reference NIST 800‑63B directly or borrow its language. A change in the B volume tends to ripple outward into compliance frameworks within 12 to 24 months.
The Philosophical Shift
Rev. 4 completes a transition that has been underway since 2017: away from prescriptive checklists and toward a risk‑based model anchored in three ideas (NIST, 2025).
First, length is the dominant strength factor for passwords. Decades of cracking research and breach corpora analysis converged on the same conclusion: a long passphrase is harder to guess than a short string of mixed characters, and it is far easier for users to remember.
Second, threat intelligence beats periodic rotation. Forcing every user to change a password every 90 days produces predictable transformations (Spring2024! becomes Summer2024!) without meaningfully raising the cost of attack. Screening proposed passwords against breach corpora at the moment they are chosen, and forcing a reset only when there is evidence of compromise, addresses the actual risk.
Third, not all multi‑factor authentication is equivalent. The guidelines now draw a hard line between phishing‑resistant authenticators (FIDO2/WebAuthn security keys, PIV smart cards, device‑bound passkeys) and authenticators that remain vulnerable to interception, SIM swap, or push‑bombing (SMS OTP, voice OTP, ordinary push notifications).
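As an added example that is not code from NIST or from this page, the following Python validator applies the screen-at-selection rule described above together with the Rev. 4 length floor: a 15-character minimum for single-factor use (8 when the password sits inside MFA), acceptance of long Unicode passphrases, no composition rules, and rejection of breached, dictionary, repetitive, sequential and context-specific values. The blocklist entries, username and service name are constructed stand-ins for a real breach corpus and word list.

```python
import re
from typing import List

# Constructed blocklist entries standing in for breach corpora and a dictionary; a real
# verifier loads these from its own data sources (a breach corpus, a word list, and so on).
BREACHED = {"password", "123456", "qwerty", "letmein", "summer2024!", "correct horse battery staple"}
DICTIONARY = {"sunshine", "dragon", "football"}
MAX_LENGTH = 256   # well above the 64 characters that must be accepted; never silently truncate


def is_repetitive_or_sequential(pw: str) -> bool:
    """Flag the 'aaaaaaaaaaaaaaaa', 'abcabcabc...' and 'abcdefghijklmnop' families."""
    if re.fullmatch(r"(.)\1+", pw):           # one character repeated
        return True
    if re.fullmatch(r"(.{1,4})\1{2,}", pw):   # a short unit repeated three or more times
        return True
    cps = [ord(c) for c in pw]
    diffs = {b - a for a, b in zip(cps, cps[1:])}
    return len(cps) > 1 and diffs in ({1}, {-1})   # strictly ascending or descending code points


def check_password(pw: str, username: str, service: str, in_mfa: bool = False) -> List[str]:
    """Return the reasons a proposed password must be rejected; an empty list means accept it.

    Length is counted in Unicode code points, so non-ASCII passphrases are not penalised,
    and there is deliberately no uppercase/digit/symbol check: composition rules are out.
    """
    reasons: List[str] = []
    minimum = 8 if in_mfa else 15            # 15 for single-factor use, 8 inside MFA
    if len(pw) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    norm = pw.casefold()                     # compare case-insensitively against the lists
    if norm in BREACHED:
        reasons.append("found in breach corpus")
    if norm in DICTIONARY:
        reasons.append("dictionary word")
    if is_repetitive_or_sequential(norm):
        reasons.append("repetitive or sequential")
    for term in (username, service):         # context-specific terms: account and service name
        if len(term) >= 3 and term.casefold() in norm:
            reasons.append(f"contains '{term}'")
    return reasons
```

A rejected value should be reported with its reason so the user can choose again; the verifier never hints at what would pass.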
Top Recommendations
The following twelve items capture the substantive password and authentication requirements that most security teams will need to implement or audit against (NIST, 2025).
- Enforce a 15‑character minimum for single‑factor passwords: Verifiers shall require at least 15 characters for any password used on its own. The legacy 8‑character floor still applies when the password is one factor inside MFA, but the new 15‑character bar is the target for any system without a second factor (NIST, 2025, Section 3.1.1.2).
- Accept long passwords and the full character set: Verifiers must accept passwords up to at least 64 characters and permit all printable ASCII, Unicode characters, and spaces. Truncation and silent character stripping are out (NIST, 2025).
- Prohibit composition rules: Organizations shall not require specific character classes (one uppercase, one digit, one symbol, etc.). The research record shows these rules push users into predictable transformations that reduce real entropy (NIST, 2025, Section 3.1.1.2).
- Drop scheduled rotation: Forced periodic password changes are not required. Reset is triggered by evidence of compromise, by a user‑initiated reset, or by authenticator loss (NIST, 2025).
- Screen new passwords against a breach and dictionary blocklist: When a user picks a password, the verifier checks it against a blocklist of commonly used, expected, and compromised values. If it matches, the user is forced to pick something else. The blocklist should include breach corpora, dictionary words, repetitive or sequential strings, and context‑specific terms like the service name or the user's account name (NIST, 2025, Section 3.1.1.2).
- Salt and hash with a memory‑hard scheme: Passwords shall be stored in a form resistant to offline attack, salted and hashed with an approved password hashing scheme. Where feasible, a separately stored secret key (a pepper) held in an HSM or hardware‑protected area should be combined with the hash (NIST, 2025, Section 3.1.1.2).
- Require an authenticated protected channel: Passwords are only ever transmitted over encrypted, authenticated channels. No plaintext over the wire, ever (NIST, 2025).
- Eliminate password hints and knowledge‑based questions: Hints and security questions (mother's maiden name, first pet, high school mascot) are out. They are guessable, researchable, and frequently published on social media by the account holder (NIST, 2025).
- Permit paste and a deliberate reveal control: Password manager compatibility is endorsed. Hiding input by default is acceptable, but a reveal toggle reduces typos and lockouts, which are themselves a security cost (NIST, 2025).
- Rate‑limit and throttle online guessing: Verifiers shall implement attempt counters, exponential backoff, and challenge mechanisms (CAPTCHA or equivalent) per account and per source. The goal is to keep online brute force economically infeasible (NIST, 2025).
- Move privileged and externally facing systems to phishing‑resistant MFA: FIDO2/WebAuthn and PKI smart cards (PIV) are the strongest tier. SMS OTP, voice OTP, and push notifications remain better than passwords alone but should be deprecated for high‑value systems (NIST, 2025).
- Match the authenticator type to the assurance level: Syncable passkeys are formally recognized for AAL2. Device‑bound (non‑syncable) passkeys and hardware tokens meet AAL3. Build the access control architecture around the AAL the system actually requires rather than picking a vendor first (NIST, 2025).
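As an added example that is not code from NIST or from this page, the storage scheme from the "salt and hash" item above, written with Python's standard library: scrypt as the memory‑hard scheme, a fresh salt per credential, and a separately held pepper bound in with HMAC before hashing so that a copied credential table alone is not enough for offline cracking. The in‑memory pepper (a stand‑in for one held in an HSM), the record format, NFC normalization and the cost parameters are this example's own choices.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed stand-in for the pepper: in a real deployment this 32-byte secret lives in an
# HSM or other hardware-protected store, separate from the credential database, and is never
# written next to the hashes. Here it is generated in memory so the example runs offline.
PEPPER = secrets.token_bytes(32)

# scrypt is memory-hard and ships in the standard library (via OpenSSL). These parameters cost
# roughly 16 MiB per hash; they are stored in every record so they can be raised later.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _prehash(password: str, pepper: bytes) -> bytes:
    # Normalize so the same passphrase typed on different platforms hashes identically, then
    # bind the pepper with HMAC: without the pepper, the stored hashes cannot be attacked offline.
    normalized = unicodedata.normalize("NFC", password).encode("utf-8")
    return hmac.new(pepper, normalized, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (salt and hash in hex)."""
    salt = secrets.token_bytes(16)   # fresh random salt per credential, never reused
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(_prehash(password, pepper), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:                # malformed record, bad hex, or parameters over the memory cap
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record was hashed under parameters other than the current policy."""
    _, n, r, p, _, _ = record.split("$")
    return (int(n), int(r), int(p)) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Call needs_rehash after a successful verify_password and re‑hash the plaintext on the spot when it returns True; that is how cost parameters are raised without a forced reset.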
Rev. 3 vs. Rev. 4 at a Glance
| Topic | Rev. 3 (2017) | Rev. 4 (2025) |
|---|---|---|
| Minimum length (single factor) | 8 characters | 15 characters |
| Composition rules | Should not impose | Shall not impose |
| Periodic rotation | Not required | Not required; reset on suspected compromise |
| Blocklist screening | Required | Required, with stronger language on scope |
| Password hints & KBA | Discouraged | Prohibited |
| Syncable passkeys | Not addressed | Recognized at AAL2 |
| SMS and voice OTP | Restricted use | Permitted but not phishing‑resistant; deprecate for privileged systems |
Citing This Document (APA 7)
Federal publications like SP 800‑63B‑4 are treated as group‑author reports in APA 7. The issuing agency is the author, the publication number is the report identifier, and the parent department is the publisher. Because the National Institute of Standards and Technology has a common abbreviation (NIST), APA 7 allows the abbreviation to be introduced on first in‑text use and reused thereafter.
- Reference list entry: National Institute of Standards and Technology. (2025). Digital identity guidelines: Authentication and authenticator management (NIST Special Publication 800‑63B‑4). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63b-4
- First in‑text citation (introduces the abbreviation): (National Institute of Standards and Technology [NIST], 2025)
- Subsequent in‑text citations: (NIST, 2025)
- Citation referencing a specific section: (NIST, 2025, Section 3.1.1.2)
- Narrative citation: The National Institute of Standards and Technology (NIST, 2025) raised the minimum length for single‑factor passwords to 15 characters.
Two notes that catch students out: APA 7 does not use page numbers for paraphrased material from a long technical document; cite the section or subsection number instead. Also, titles of standalone reports are italicized, but the report number in parentheses after the title is not.
References
- National Institute of Standards and Technology. (2025). Digital identity guidelines: Authentication and authenticator management (NIST Special Publication 800‑63B‑4). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-63b-4
- National Institute of Standards and Technology. (2025). Digital identity guidelines (NIST Special Publication 800‑63‑4). U.S. Department of Commerce. https://pages.nist.gov/800-63-4/