How does the NIST SP 800-63B supplement enhance passkey adoption?

Vincent Delitz


Created: January 31, 2025

Updated: February 17, 2025


The NIST SP 800-63B supplement represents a major step toward mainstream passkey adoption, particularly in regulated industries like banking, healthcare, and government services. By recognizing synced passkeys as AAL2-compliant and device-bound passkeys as AAL3-compliant, NIST provides organizations with the confidence to integrate passkeys into their authentication flows.


Key Ways the NIST Supplement Boosts Passkey Adoption

1. Passkeys Gain Official Recognition as Secure Authentication Methods

  • Synced passkeys (stored in cloud-backed ecosystems like Apple iCloud and Google Password Manager) are now officially categorized under AAL2, confirming their phishing resistance and usability.
  • Device-bound passkeys (stored on a single device without cloud sync) qualify for AAL3, the highest security level, making them ideal for high-assurance authentication scenarios.

2. Reduces Enterprise Adoption Barriers

  • Many enterprises hesitated to deploy passkeys due to unclear regulatory acceptance. NIST’s endorsement eliminates this uncertainty, encouraging banks, government agencies, and large corporations to adopt passkeys.
  • The supplement confirms that passkeys meet U.S. federal security requirements, making them viable alternatives to passwords and legacy multi-factor authentication (MFA).

3. Aligns with Existing Identity and Access Management Standards

The WebAuthn and FIDO2 standards, which power passkeys, are now aligned with NIST authentication assurance levels, ensuring interoperability with existing security frameworks.
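To apply the synced versus device-bound distinction on a relying party, the backup flags in each WebAuthn assertion's authenticator data can be checked. The following is an added example, not code from the article or from NIST; `aalCeiling` and `sampleAuthData` are hypothetical names, the user-verification rule is an assumed policy, and the AAL mapping follows the article's statement.

```javascript
// Added example, not from the article. Flag bit positions are from the
// WebAuthn authenticator data layout: rpIdHash(32) | flags(1) | signCount(4).
const UP = 0x01, UV = 0x04, BE = 0x08, BS = 0x10;

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & UP) !== 0,
    userVerified: (flags & UV) !== 0,
    backupEligible: (flags & BE) !== 0, // key may be synced off the device
    backedUp: (flags & BS) !== 0,       // key is currently synced
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Hypothetical policy helper: returns the highest AAL the article associates
// with this kind of passkey, or aal: null when the assertion should not be
// accepted for multi-factor use.
function aalCeiling(bytes) {
  const d = parseAuthenticatorData(bytes);
  if (d.backedUp && !d.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  // Assumption: a passkey counts as multi-factor only with user verification.
  if (!d.userPresent || !d.userVerified) return { kind: "unverified", aal: null };
  // Backup-eligible keys can leave the device, so treat them as synced.
  if (d.backupEligible) return { kind: "synced", aal: "AAL2" };
  return { kind: "device-bound", aal: "AAL3" };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, chosen counter.
function sampleAuthData(flags, signCount = 0) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(aalCeiling(sampleAuthData(UP | UV | BE | BS)));
console.log(aalCeiling(sampleAuthData(UP | UV)));
```

Run this check only after the assertion signature has been verified, since the flags are trustworthy only as part of the signed authenticator data.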

4. Encourages Migration from Password-Based Authentication

By positioning synced passkeys as a secure MFA alternative, the supplement accelerates the transition away from passwords and vulnerable authentication methods (e.g., SMS OTPs, passwords + OTPs).

What This Means for Organizations

Organizations that previously relied on password-based authentication or traditional MFA now have clear guidelines from NIST supporting passkeys as a secure, compliant, and scalable authentication method. This will lead to higher adoption rates across industries, particularly those requiring phishing-resistant authentication.
