How does the NIST SP 800-63B supplement enhance passkey adoption?

How Does the NIST SP 800-63B Supplement Enhance Passkey Adoption?#

The NIST SP 800-63B supplement represents a major step toward mainstream passkey adoption, particularly in regulated industries like banking, healthcare, and government services. By recognizing synced passkeys as AAL2-compliant and device-bound passkeys as AAL3-compliant, NIST provides organizations with the confidence to integrate passkeys into their authentication flows.

Key Ways the NIST Supplement Boosts Passkey Adoption#

1. Passkeys Gain Official Recognition as Secure Authentication Methods#

• Synced passkeys (stored in cloud-backed ecosystems like Apple iCloud and Google Password Manager) are now officially categorized under AAL2, confirming their phishing resistance and usability.
• Device-bound passkeys (stored on a single device without cloud sync) qualify for AAL3, the highest security level, making them ideal for high-assurance authentication scenarios.

2. Reduces Enterprise Adoption Barriers#

• Many enterprises hesitated to deploy passkeys due to unclear regulatory acceptance. NIST’s endorsement eliminates this uncertainty, encouraging banks, government agencies, and large corporations to adopt passkeys.
• The supplement confirms that passkeys meet U.S. federal security requirements, making them viable alternatives to passwords and legacy multi-factor authentication (MFA).

3. Aligns with Existing Identity and Access Management Standards#

The WebAuthn and FIDO2 standards, which power passkeys, are now aligned with NIST authentication assurance levels, ensuring interoperability with existing security frameworks.

4. Encourages Migration from Password-Based Authentication#

By positioning synced passkeys as a secure MFA alternative, the supplement accelerates the transition away from passwords and vulnerable authentication methods (e.g., SMS OTPs, passwords + OTPs).

What This Means for Organizations#

Organizations that previously relied on password-based authentication or traditional MFA now have clear guidelines from NIST supporting passkeys as a secure, compliant, and scalable authentication method. This will lead to higher adoption rates across industries, particularly those requiring phishing-resistant authentication.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →