
NIST SP 800-63-4: The Future of Digital Identity is Here — And Intercede is Ready
The digital security space just got a major upgrade. The US National Institute of Standards and Technology (NIST) has released SP 800-63-4, the latest evolution of the world’s most trusted Digital Identity Guidelines.
This isn’t just another technical update; it’s a blueprint for the future of authentication. From passkeys to digital identity wallets, the new guidelines embrace technologies that make security both stronger and simpler. The best part? Intercede’s solutions are already aligned with these cutting-edge standards.
What Makes NIST SP 800-63-4 Different?
NIST’s Digital Identity Guidelines (spanning documents 63A, 63B, and 63C) set the global standard for identity proofing, authentication, and federation. Government agencies and regulated industries worldwide rely on these guidelines to build secure, compliant systems.
The 2025 update reflects a fundamental shift: authentication is becoming more user-friendly without compromising security. Phishing-resistant technologies, mobile-first approaches, and user-controlled credentials are no longer “nice to have”. They’re the new baseline.
Six Game-Changing Updates (And How Intercede Delivers)
- Passkeys Get Official Recognition
What’s New: Passkeys (FIDO2) are specifically referenced by NIST. In addition to device-bound passkeys (e.g. USB form factor), syncable passkeys (typically built into smartphones, and able to be backed up in password managers or cloud keychains) can now qualify as AAL2 authenticators.
The Intercede Advantage: Our solutions offer both device-bound and syncable passkeys, available as standalone credentials or PIV-derived. We provide the optimal balance by enabling the deployment of passkeys where they enhance user experience, while adhering to stringent controls required by regulations. Utilise smartphones as passkey authenticators or implement dedicated hardware passkey devices. The control over security policies remains entirely in your hands.
- Digital Identity Wallets Join the Elite
What’s New: User-controlled digital identity wallets, such as mobile driver’s licences (mDLs), EUDI wallets, and other verifiable credentials, are now considered on par with passports and PIV cards for the highest assurance levels. Traditionally, federated identity involves a central server that disseminates identity data to a relying party. However, NIST views the scenario in which the user’s wallet, rather than a centralised server, stores and then transmits the identity data to a relying party as a distinct variant of federated identity.
The Intercede Advantage: Our solutions already support mobile driving licence credentials and allow any other types of identity credentials to be defined and issued using ISO18013 and related standards.
- Remote Identity Proofing Goes Mainstream
What’s New: Remote identity proofing is now a fully endorsed path to IAL2 compliance. Perfect for organisations where in-person verification isn’t practical or scalable.
The Intercede Advantage: Our identity proofing and onboarding solutions support in-person enrolment and identity proofing, and can be used within a remote identity proofing solution, all while keeping the user experience smooth.
- Smarter Password Protection
What’s New: The advice for checking passwords against common, expected, and compromised passwords has been updated.
The Intercede Advantage: While we encourage transitioning to more robust forms of authentication, we recognise that passwords remain necessary in certain scenarios. To address associated risks, we provide extensive password checking, password policy management, and password breach detection services.
- AAL3 Authentication Gets More Accessible
What’s New: The hardware requirements for AAL3 (the highest authentication level) have been relaxed. FIPS 140 Level 1 is now sufficient, provided keys remain non-exportable. This opens the door for secure elements already in devices like Apple’s Secure Enclave or standard TPMs.
The Intercede Advantage: More devices, same security. We can now deliver enterprise-grade AAL3 authentication across a broader range of hardware, reducing costs while maintaining the highest security standards.
- Phishing Resistance is Promoted
What’s New: NIST doubles down on phishing-resistant MFA, steering organisations away from OTP systems (where a user could be tricked into authenticating to a fake website) and toward passkeys and hardware-bound credentials, which have phishing resistance built in (the authenticator itself protects against this type of phishing attack).
The Intercede Advantage: Our solutions already provide phishing-resistant authentication through FIDO2/WebAuthn credentials, PIV cards, and hardware tokens. We can help you migrate to stronger authentication.
Why This Matters Now
The new NIST SP 800-63-4 guidelines send a clear message:
- Mobile-first, phishing-resistant, and user-controlled authentication is the future.
- Passkeys and digital identity wallets have moved from emerging technology to recognised, high-assurance standards.
- Organisations that act now will stay ahead of both regulatory requirements and market expectations.
Intercede is already there, offering solutions that exceed the standard, with the flexibility to adapt to your security policies and regulatory needs.
Ready to align with the latest NIST standards?
Let’s talk about how Intercede can help you implement phishing-resistant, high-assurance authentication — request a demo today.
Trusted by Governments and Enterprises Worldwide
Where protecting systems and information really matters, you will find Intercede. Whether it’s citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.