
NIST 800-63-3 and the Evolution of Digital Identification

January 2020 by 1Kosmos Editor

A spherical Earth. A heliocentric solar system. A DNA-based biology. Discoveries that changed our understanding of material reality and how we interact with it. We find it hard to imagine a time before we took these truths for granted, but history shows us that the consequences of our ignorance were many and often severe.

As we spend more and more of our time engaged in the digital realm, we are right to feel the same confusion and disorientation our ancestors felt hundreds of years ago as they tried to make sense of their world. What are the laws that govern our digital reality? What are the values around which we should organize ourselves? How do we protect ourselves from threats native to this environment … and the sometimes malicious human nature we bring into it?

We are the pioneers of the dawn of digital history and, if we are successful, our descendants will remember our contributions to mapping this brave, new techno-social reality.

In that light, we kick off the first issue of 2020 with consideration of a document whose insights and axioms reflect an evolved understanding of the categories of digital identification, the pathology of digital impersonation and intrusion, as well as the ethical implications of security intervention.

The document, entitled “SP 800-63 Digital Identity Guidelines”, was published by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in June 2017. Since that time, NIST 800-63-3 has become both a map and a method that IT leaders use to architect and administer their organization’s digital domains.

The categories of digital identification

NIST 800-63-3 provides a more nuanced and necessarily complex view of digital identity compared to its predecessor guidance NIST 800-62 (released 2013). It then goes on to zoom in on what we used to consider a single level of assurance to reveal three distinct categories of digital identification:

1. Enrollment

This first stage addresses how applicants can prove their identities and become enrolled as valid subscribers within an identity system.

2. Authentication

This second phase relates to how the enrolled user (or subscriber) is validated during subsequent visits.

3. Federation

This third phase addresses how the subscriber’s identity is verified as she or he traverses allied but distinct networks.

The pathology of digital impersonation and intrusion

We have learned a lot about how bad actors attempt to outsmart and overcome our attempts to keep them out. NIST 800-63-3 reflects that evolving understanding and it does so in a way that can help us achieve a precise balance between network security and user convenience.

This new precision is the result of the authors suggesting three risk levels (which the authors call “assurance levels”) for each of the categories we considered in the previous section. The document provides the following decision-making table (Table 1 below) to determine the appropriate risk level for the most common threats to our networks.

Table 1: Benefits of Increased Assurance (1, 2 and 3 = Assurance Levels)

| Use cases | 1 | 2 | 3 |
|---|---|---|---|
| Verification of user | Low | Medium | High |
| Online identity | Low | Medium | High |
| Financial transactions | None | Low | High |
| Protection of data and systems | None | Medium | High |

Diagram 1 (below) illustrates how NIST 800-63-3 improves on 800-62 and illustrates the relationship of the risk levels with each of the digital identification categories.

Diagram 1: NIST 800-63-3’s Expanded Identification Assurance Categories


The result is that we have a broader range of options available to us in designing identification and access systems tailored to our organization’s specific needs.

The ethical implications of security intervention

Another new feature NIST 800-63-3 adds to help us balance the techno-social equation is an integrated value for user privacy. The authors encourage us to think carefully about what information we actually need from our subscribers in order to prove their identity. For example, if the risk related to access of a particular network resource is small, should we ask them for their birth date when a simple “yes” or “no” answer to the question, “Are you above the age of 18?” will do?
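The age question above, as an added example that is not part of the original article or of any 1Kosmos product: an identity provider answers the yes/no predicate and signs it, so the relying party never receives the birth date. The key, the subscriber record and the function names are constructed for illustration, and the shared-key HMAC stands in for the asymmetric signature a real deployment would use.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed demo key (assumption); a real identity provider signs with a private key.
IDP_KEY = b"constructed-demo-key"

def is_over(birth_date: date, years: int, today: date) -> bool:
    """True once `years` is reached; a Feb 29 birthday counts from Mar 1 in non-leap years."""
    age = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        age -= 1
    return age >= years

def issue_assertion(subscriber: dict, requested: list, today: date) -> dict:
    """Identity provider side: release only the requested predicate, never the raw attribute."""
    claims = {"sub": subscriber["pseudonym"]}
    if "age_over_18" in requested:
        claims["age_over_18"] = is_over(subscriber["birth_date"], 18, today)
    payload = json.dumps(claims, sort_keys=True)
    tag = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify_assertion(assertion: dict) -> Optional[dict]:
    """Relying party side: return the claims only if the integrity tag verifies."""
    expected = hmac.new(IDP_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None
    return json.loads(assertion["payload"])

# Constructed subscriber record, held only by the identity provider.
SUBSCRIBER = {"pseudonym": "rp1-7f3a", "name": "Sample User", "birth_date": date(2000, 2, 29)}

if __name__ == "__main__":
    assertion = issue_assertion(SUBSCRIBER, ["age_over_18"], date(2018, 3, 1))
    print(assertion["payload"])         # contains the predicate, not the birth date
    print(verify_assertion(assertion))  # claims as seen by the relying party
```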

Another aspect of addressing user privacy is the way in which we store the identification factors we require our users to submit in order to identify and authenticate themselves. Blockchain-based tools like BlockID from One Kosmos offer a compelling solution that not only affords enterprise IT architects a wide range of identification and authentication factors from which to choose but also cryptographically secures user data, making it impervious to theft and impersonation.

While NIST 800-63-3 is certainly not the last word on the dynamics of digital identification, it does represent a major advance in how we think about designing systems that balance the need for security, convenience and privacy. Coupled with enabling technologies like blockchain (and products like BlockID), these insights point the way forward for those of us responsible for designing and defending the digital domains in which our organizations engage the world.
