Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Releases Second Public Draft of Digital Identity Guidelines for Final Review

  • NIST is offering updated guidance on a wide range of methods people use to prove their identity, from digital wallets and passkeys to physical IDs.
  • The guidance aims to ensure security, privacy and accessibility during the identity-proofing process for people accessing government services.
  • NIST is seeking public comments on the draft guidelines through Oct. 7, 2024.
Icons for methods of establishing online identity, including a password and a physical ID card, are shown near a screen reading "ACCESS GRANTED."
Credit: N. Hanacek, B. Hayes/NIST

GAITHERSBURG, Md. — When we need to show proof of identity, we might reach for our driver’s license — or perhaps, sooner than many of us imagine, we may opt for a digital credential stored on a smartphone. To ensure we can use both novel and time-tested methods to prove our identities securely when accessing essential services, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has updated its draft digital identity guidance. 

The draft Digital Identity Guidelines (NIST Special Publication [SP] 800-63 Revision 4 and its companion publications SPs 800-63A, 800-63B and 800-63C) have been updated to reflect the robust feedback that NIST received in 2023 as part of a four-month-long comment period and yearlong period of external engagement. 

“Today’s draft revision from NIST highlights the Biden-Harris administration’s commitment to strengthening anti-fraud controls while ensuring broad and equitable access to digital services,” said Jason Miller, deputy director for management at the Office of Management and Budget. “By incorporating feedback from private industry, federal agencies, privacy and civil rights advocacy groups, and members of the public, NIST has developed strong and fair draft guidelines that, when finalized, will help federal agencies better defend against evolving threats while providing critical benefits and services to the American people, particularly those that need them most.”

“Everyone should be able to lawfully access government services, regardless of their chosen methods of identification,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “These improved guidelines are intended to help organizations of all kinds manage risk and prevent fraud while ensuring that digital services are lawfully accessible to all.”  

The suite of documents is the second public draft of the updated guidelines, which NIST first announced in December 2022. NIST is seeking public comment on this new iteration, which is intended to make access to online services both secure and straightforward, regardless of the means by which a person chooses to prove their identity.

We are trying to make sure we maintain as many pathways as possible to enable secure online access to services,” said NIST Digital Identity Program Lead Ryan Galluzzo, one of the publication’s authors. “We want to open up the use of modern digital pathways while still allowing for physical and manual methods whenever they may be necessary.”

Proving one’s identity is often a necessary step in accessing services from federal agencies. Identity management is important to these agencies and other organizations, especially because fraudulent claims can be very costly to both organizations and individuals, but not everyone uses the same methods to demonstrate their identity either in person or online. Defending against fraud while maintaining accessibility for a multitude of potential users are two of the goals NIST is trying to balance with the update, Galluzzo said.

“We want to open up the use of modern digital pathways while still allowing for physical and manual methods whenever they may be necessary.” —Ryan Galluzzo, NIST Digital Identity Program Lead

NIST received nearly 4,000 comments from 140 organizations and individuals on the 2022 version of the draft. Many of these comments focused on expanding the guidance on two technologies that are rapidly growing in use: syncable authenticators and digital credentials presented through user-controlled wallets. Syncable authenticators, often called passkeys, offer greater security than passwords while allowing a user to save a single passkey on multiple devices. User-controlled wallets, which several major companies currently offer, can securely store payment information along with other items like plane tickets and digital versions of physical identification documents like driver’s licenses.

The expanded guidance around passkeys is found in volume SP 800-63B, Galluzzo said, while additions concerning digital wallets are in volume SP 800-63C. 

“In response to the comments we received on the first draft, we added more detail about wallets,” he said. “We added guidance on how to trust the wallet itself and on how to trust its contents. There is more about how to securely present the information stored on the wallet, as well as how the other party can trust it.”

Not everyone will feel comfortable or be able to use digital passkeys or wallets, however, and not everyone has a smartphone. The updated draft also expands guidance on how agencies can maintain access to services for people using more traditional forms of identification, Galluzzo said. This includes details on in-person identity proofing and mechanisms for handling exceptions. It also includes the concept of the “applicant reference”  meaning a trusted individual who can vouch for a person who doesn’t have access to identification documents, including a person who may not qualify for traditional forms of evidence or one whose evidence may have been lost or destroyed.  

The authors also sought input from NIST’s team of face recognition and analysis experts to refine the guidance on using biometrics to identify a person through a face image. Galluzzo said that biometric-based methods of identity verification have been maintained in the guidance, but that for this path to achieve NIST’s goal of balancing security and access, systems that use these technologies must perform accurately, adhere to the privacy requirements articulated in the guidance, and include manual processes to address errors or challenges that users may encounter.

“We continue to augment the guidance to emphasize the importance of providing alternatives to face recognition and biometrics, particularly for systems supporting public services,” he said. 

NIST is accepting public comments on the suite of publications at dig-comments [at] nist.gov (dig-comments[at]nist[dot]gov) until Oct. 7, 2024. Complete submission instructions are included in the Note to Reviewers found in each volume. NIST is also planning a webinar about the updates to the guidance for Aug. 28. Registration is required for the webinar.  

Released August 21, 2024, Updated November 6, 2024