ETR-5: Implementing Passwordless Authentication with NIST 800-63-4
Learn how to implement passwordless authentication using Keycloak, WebAuthn, and FIDO2 while aligning identity assurance with NIST 800-63-4.
The NIST SP 800-63-4 Digital Identity Guidelines take a modern approach to authentication that prioritizes usability, resilience, and assurance. Organizations are encouraged to accept longer passphrases, check passwords against lists of known-compromised passwords, and adopt phishing-resistant passwordless methods based on WebAuthn and FIDO2.
This project provides hands-on experience implementing passwordless authentication with Keycloak and mapping the resulting setup to NIST's Authenticator Assurance Levels (AAL2 and AAL3). Students will learn how modern identity systems support Zero Trust environments and remove the dependence on passwords entirely.
Students will gain experience using Keycloak, WebAuthn and FIDO2 authenticators (platform authenticators and hardware security keys), and the NIST 800-63 assurance-level mapping.
ETR-5: Passwordless Authentication with NIST 800-63-4

Lab Overview

This lab introduces students to passwordless authentication by configuring Keycloak to use WebAuthn and FIDO2 authenticators. You will create a passwordless login flow, register platform or hardware security keys, and determine whether your implementation aligns with NIST AAL2 or AAL3. Keep in mind that SP 800-63B-4 reserves AAL3 for a hardware-based, phishing-resistant authenticator whose private key cannot be exported: a synced passkey (one a platform vendor backs up to its cloud keychain) can reach AAL2 but not AAL3, while a hardware security key with user verification enabled is the AAL3 candidate. This demonstrates how passwordless authentication strengthens Zero Trust identity practices.

Lab Instructions

1. Setting Up Your Environment

You will need:
- A Windows, macOS, or Linux machine with a modern browser
- Docker or a Debian/Ubuntu VM
- A WebAuthn-capable authenticator such as Windows Hello, Touch ID, or a YubiKey

Start Keycloak using Docker:
...
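The "does this registration reach AAL2 or AAL3" question above can be answered mechanically from the authenticatorData that every WebAuthn registration returns. The following is an added worked example, not code from the lab or from Keycloak: it parses the authenticatorData layout (rpIdHash, flags, signature counter, AAGUID, credential ID), then applies a simplified reading of SP 800-63B-4. The AAGUID allowlist value and the three sample registrations are constructed placeholders; the mapping rules (user verification for multi-factor, non-syncable plus allowlisted hardware AAGUID for AAL3) are an assumption of this example rather than an official NIST algorithm.

```python
import hashlib
import struct
import uuid

# authenticatorData flag bits (WebAuthn Level 3, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric performed on the authenticator)
FLAG_BE = 0x08  # backup eligible: credential may be synced (key is exportable)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, COSE key) present

# Hypothetical allowlist of AAGUIDs the lab operator treats as hardware-bound security keys.
# Placeholder value, not a real vendor AAGUID; real deployments take these from the FIDO MDS.
HARDWARE_AAGUIDS = {uuid.UUID("11111111-2222-3333-4444-555555555555")}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse authenticatorData from a registration (attestationObject.authData).

    Layout: rpIdHash[32] | flags[1] | signCount[4] | when AT is set:
    aaguid[16] | credIdLen[2] | credId | COSE public key (CBOR, not parsed here).
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID truncated")
        # Note: with attestation conveyance "none" the browser may zero the AAGUID, so only
        # trust it when the relying party (Keycloak) requested and verified an attestation.
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed


def classify_aal(parsed: dict, hardware_aaguids=HARDWARE_AAGUIDS) -> tuple:
    """Return (highest AAL this credential can support alone, reason).

    Simplified SP 800-63B-4 reading: every WebAuthn credential is phishing resistant
    (origin-bound challenge signing); user verification makes it multi-factor (AAL2);
    AAL3 additionally needs a hardware-bound, non-exportable key, which a syncable
    credential (BE=1) cannot be and which we only accept from an allowlisted AAGUID.
    """
    if not parsed["user_present"]:
        return "none", "no user-presence test: not a valid WebAuthn ceremony"
    if not parsed["user_verified"]:
        return "AAL1", "single-factor: authenticator performed no user verification"
    if parsed["backup_eligible"]:
        return "AAL2", "syncable credential (BE=1): key is exportable, AAL3 needs hardware-bound keys"
    if parsed["aaguid"] is None or parsed["aaguid"] not in hardware_aaguids:
        return "AAL2", "multi-factor and phishing resistant, but not attested as hardware-bound"
    return "AAL3", "user-verified, non-syncable credential from an allowlisted hardware authenticator"


def make_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Constructed sample authenticatorData for offline testing (not captured from a device)."""
    cose_key_stub = b"\xa5"  # stands in for the CBOR COSE key map, which we never parse
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", 0)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key_stub)


# Three constructed registrations against rpId "localhost" (the lab's dev Keycloak).
HW_KEY = make_auth_data("localhost", FLAG_UP | FLAG_UV, next(iter(HARDWARE_AAGUIDS)), b"\x01" * 16)
SYNCED_PASSKEY = make_auth_data("localhost", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, uuid.UUID(int=0), b"\x02" * 32)
NO_UV_KEY = make_auth_data("localhost", FLAG_UP, next(iter(HARDWARE_AAGUIDS)), b"\x03" * 16)

if __name__ == "__main__":
    for name, blob in [("hardware key", HW_KEY), ("synced passkey", SYNCED_PASSKEY), ("key without UV", NO_UV_KEY)]:
        level, why = classify_aal(parse_authenticator_data(blob))
        print(f"{name}: {level} ({why})")
```

In the lab this maps directly onto Keycloak's WebAuthn Passwordless policy: setting User Verification Requirement to "required" rules out the AAL1 outcome, and restricting Acceptable AAGUIDs (with an attestation conveyance preference that actually returns an attestation) is what lets the relying party, rather than the user, decide which registrations count as AAL3 candidates.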