Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
NIST

NIST's September 2024 Update to Password Guidelines: Improved User Experience.

Ben Rolfe
⬤
May 14, 2025
Share
NIST's September 2024 Update to Password Guidelines: Improved User Experience.

In September 2024, the National Institute of Standards and Technology (NIST) released updated guidance on password practices as part of the second public draft of its Digital Identity Guidelines (SP 800-63-4). Rather than focusing on complexity, the new guidelines emphasize usability, password length, and Password Blocklists, aiming to balance improved security and user-friendly practices. Below, we explore the core elements of NIST's updates.

These updates provide a modest enhancement in password security, but they only address a small part of the broader challenges with passwords. As organizations adapt to these changes, they should explore implementing modern multi-factor authentication (MFA) and passkeys.

‍

Key Changes in NIST's Updated Password Guidelines.

Focus on Password Length Over Complexity.

‍ Historically, security policies demanded passwords that mixed uppercase and lowercase letters, numbers, and special characters. However, NIST's updated guidance refocuses on password length as the most critical factor.

‍"Humans have a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed." - NIST SP 800-63B.

Studies show that longer passwords are much harder to crack and, more importantly, easier for users to remember. For example, a passphrase like "SeedsInTheBreezeFlowersByTrees" provides greater security than a short, complex password like "P@ssw0rd!".

‍"Password length is a primary factor in characterizing password strength. Passwords that are too short yield to brute-force attacks and dictionary attacks." - NIST SP 800-63B.

The 2024 NIST update requires Verifiers and CSPs to allow passwords of up to 64 characters and a minimum length of 15 characters, with support for ASCII and Unicode characters.‍

Remove Mandatory Password Resets.

Gone are the days of requiring password changes every 60 or 90 days. NIST's research shows that frequent password resets lead to weaker passwords as users tend to make minor alterations to existing passwords or resort to writing them down. The 2024 update recommends only requiring password resets after a confirmed credential breach, thereby minimizing user fatigue and reducing the likelihood of insecure password practices.‍

Implement Password Blocklists.

Another significant change is the introduction of password blocklists. This practice ensures that users cannot choose weak or commonly used passwords, especially those that have been compromised in previous data breaches.

‍

Though these updates provide a small enhancement for password security and user experience, they are only a small fix for the ongoing issue with passwords. Integrating Authsignal into your identity stack has made deploying modern and adaptive multi-factor authentication (MFA) and passkeys easier and faster. Thousands of organizations, including Google, Apple, Microsoft, and PayPal, now rely on passkeys for a more seamless and secure user experience.

For a deeper dive into NIST's guidance on syncable passkeys, check out Authsignal's two-part blog series:

  • Part 1: NIST Supplementary Guidelines for Passkeys - April 2024
  • Part 2: NIST Supplementary Guidelines for Passkeys - Implementation Considerations

For the fastest way to implement adaptive MFA and passkeys to secure your entire authentication workflow (chain), learn more about integrating Authsignal with Auth0, AWS Cognito, Azure AD B2C, Duende IdentityServer, and more.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
NIST

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies