evanjrowley 4 days ago

Look for Appendix B. Syncable Authenticators: https://pages.nist.gov/800-63-4/sp800-63b.html#appB

Interesting they feel comfortable using WebAuthn for Authenticator Assurance Level 2. It does seem like the right middle-ground for an exportable private key.

They referenced WebAuthn quite a bit in Appendix B. I'm surprised the FIDO Alliance's Credential Exchange Format/Protocol was not mentioned: https://fidoalliance.org/specifications-credential-exchange-...

I haven't taken a deep dive on it, but I wonder if those FIDO Alliance specifications would meet/support NIST's AAL2 criteria for WebAuthn.

  • mooreds 3 days ago

    Thanks. I didn't notice that the anchor tag got stripped from the submission. Thanks for adding that link in the comment.

gnabgib 4 days ago

This isn't the title (NIST Special Publication 800-63B... yeah, NIST docs aren't very accessibly named), nor the intent of this document.

> This document provides requirements to credential service providers (CSPs) for remote user authentication at each of three Authentication Assurance Levels (AALs).