Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Compliance
FIDO2
NIST
Passkeys
Passwordless authentication

NIST 800-63B Passkeys Supplementary Guidelines: 2024 Part 2 Implementation.

Justin Soong
⬤
May 14, 2025
Share
NIST supplementary guidelines for Passkeys - April 2024 - Part 2 - implementation considerations

This blog post is part 2 in a series of blog posts.

  • NIST Passkeys Supplementary Guidelines: 2024 Part 1.
  • NIST Passkeys Supplementary Guidelines: 2024 Part 2 Implementation.

‍

In the first part of our analysis, we introduced the newly published NIST supplement for passkeys. We broke down the changes and clarified positions regarding synced/syncable passkeys against NIST’s digital identity guidelines for authentication, commonly known as 800-63B. The supplement clarifies that synced passkeys across a “sync fabric” are allowed and can reach AAL2 assurance levels.

We continue analyzing the supplement in part 2, focusing on implementation considerations.

Passkey implementation considerations to meet AAL2

Passkeys are based on the W3C's WebAuthn specification, which establishes a standard for browsers and passkey managers/providers to handle the challenge-response cryptographic process during registration and verification (referred to as "sync fabric"). WebAuthn can be customized by a Relying Party (RP) using various flags. To meet AAL2 requirements, the RP must explicitly set certain flags.

To meet AAL2 standards the following flags will need to be set or interrogated

Passkeys - User Presence (UP)

The user presence flag during a WebAuthn ceremony is set when the user has interacted with the authenticator. With user presence, the intent is not to identify the user but to ensure that a user is physically present during authentication. The term authorization gesture is used in the official w3C WebAuthn specifications.

Implementation requirements for User Presence (UP)

💡 Federal agencies SHALL confirm that the User Present flag has been set. Supports Authentication Intent.

‍

An example of user presence using a passkey provider authentication mechanism, the user simply clicks on the Sign in button.

‍

An example of user presence using a Yubikey via the capacitive sensor.

‍

Passkeys - User Verification (UV)

The user verification flag on passkeys ensures that the user's identity is verified using an available “user verification” method. It seeks to ascertain that not only a user was present during authentication (User Presence) but also provides an assurance level that the same user who registered the passkey is initiating the verification. This is commonly implemented by authentication via biometrics, screen lock, or a PIN before the passkey is used. This adds an extra layer of security by requiring proof of the user's identity during the authentication process.

💡 Federal agencies SHALL indicate that UV is preferred, and all assertions SHALL be inspected to confirm the value of the UV flag. This indicates whether the authenticator can be treated as a multi-factor cryptographic authenticator. If the user is not verified, agencies may treat the authenticator as a single-factor cryptographic authenticator by adding an RP-specific memorized secret to the authentication event. A further extension to the WebAuthn Level 3 specification provides additional data on verification methods if agencies seek to gain context on the local authentication event.

‍

An Example of the macOS iCloud keychain User Verification prompt via touch ID.

‍

‍

Additional considerations

The above flags on user presence and user verification are prerequisites noted in the supplement for AAL2. Additionally, the following features of passkeys can be used to gain more insights during registration and verification ceremonies.

Backup eligibility

Indicates whether the authenticator can be synced to a different device

💡 Federal agencies MAY use this flag if they intend to establish policies restricting syncable authenticators. This flag is necessary to distinguish between authenticators that are device-bound or those that may be cloned to more than one device.

Backup state

Indicates whether an authenticator has been synced to a different device

💡 Federal agencies MAY use this flag if they intend to establish restrictions on authenticators that have been synced to other devices. However, due to user experience concerns, agencies SHOULD NOT change the acceptance of public-facing applications based on this flag. This flag MAY be used to support the restriction of syncable authenticators for specific enterprise decisions.

Enterprise attestation

Some authenticators support attestation features that can be used to determine the capabilities and manufacturer of a specific authenticator, for example, Yubikeys. It’s important to note that attestation data varies from authenticator to authenticator, and the use of attestation should be use case driven.

💡 For enterprise use cases, agencies SHOULD implement attestation capabilities based on the functionality offered by their platform providers. Preferably, this would be an enterprise attestation where the RP requests uniquely identifying information about the authenticator.

The NIST supplement adds further guidance for non-enterprise use cases, like large consumer-facing applications and websites. It calls out the regression back to weaker authenticator types like SMS OTP.

💡 Attestations SHOULD NOT be used for broad public-facing applications. Such a requirement (i.e., one that blocks some public users’ syncable authenticators if they do not support attestation) may divert users to less secure authentication options that are vulnerable to phishing, such as Short Message Service (SMS) one-time password (OTP).

Round up

The NIST supplement provides clarity on the implementation considerations when it comes to achieving AAL2 requirements. The key flags that are required are the user verification and user presence flags. It is refreshing to see that NIST considers it regressive when passkeys are configured to be too restrictive when used in broad public-facing applications.

Authsignal is a member of the FIDO alliance and is actively helping organizationsuplift their customer account security and experience by adopting passkeys. We offer a range of drop-in solutions that have been tuned for the consumer and have seen incredible results on nationwide demographics and critical customer services. Authsignal’s passkey implementations are tuned and can quickly assist in meeting assurance-level requirements.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Compliance
FIDO2
NIST
Passkeys
Passwordless authentication

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies