Application developers performing local or remote authentication are faced with a choice of electronic authentication mechanisms based on a wide variety of technologies, including passwords, biometrics, and physical tokens. NIST SP 800-63-1: Electronic Authentication Guideline (December 2011) was an extensive revision and update of the original document, released in 2006. The original document was internationally recognized as the definitive reference for secret-based mechanisms for authenticating users over the Internet. The revision recognizes that times, and technologies, have changed; it broadens the discussion of the technologies available to agencies and treats each of them in more detail. A full press release for NIST SP 800-63-1 is also available.

The current revision, NIST SP 800-63-2 (August 2013), is a limited update intended to take advantage of professional credentials for identity proofing and to reduce the need to use postal mail for address-of-record verification. The guideline applies whether agencies choose to handle authentication directly or leverage services provided by other parties, including commercial companies.
Relation to NSTIC
Note that NIST SP 800-63-2 may inform, but is not intended to constrict or constrain, the development or use of standards for implementing the National Strategy for Trusted Identities in Cyberspace (NSTIC). NIST SP 800-63 is specifically designated as a guideline for use by Federal agencies for electronic authentication. NSTIC, in contrast, has a broader charge: the creation of an Identity Ecosystem, "an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities." While NIST SP 800-63 may be a starting point for discussion on NSTIC, decisions on approaches to e-authentication in the Identity Ecosystem will be developed through a separate path. For more information, please see http://www.nist.gov/nstic/.