bala's random rumblings

NIST

Jun 5, 2025

NIST SP 800-63C-4: How Identity Crosses Trust Boundaries

Every time a user clicks “Sign in with Google” or gets SSO access to a third-party app from a corporate IdP, identity crosses a trust boundary. Identity proofing happened somewhere, authentication happened somewhere else, and now another system needs to rely on that result.

Mar 15, 2025

NIST SP 800-63B-4: What “Strong Authentication” Actually Means

NIST SP 800-63B-4 is the authentication volume of the 800-63-4 suite. It defines exactly what authenticator types qualify at each assurance level, what phishing resistance actually requires, and what your session and recovery policies need to look like.

Jan 5, 2025

NIST SP 800-63A-4: How to Prove Someone Is Who They Say They Are

NIST SP 800-63A-4 is the identity proofing volume of the 800-63-4 suite. It defines exactly what “verified identity” means at each assurance level, what evidence qualifies, how to handle the cases that break the happy path, and what your fraud program needs to look like.

Dec 4, 2024

NIST SP 800-63-4: The Framework Behind Modern Digital Identity

Most engineers think about identity in two terms: the user is authenticated or they aren’t. If you’ve built a login system, you’ve probably made decisions like “we’ll require MFA for sensitive actions” or “we’ll use SSO”. Those are reasonable decisions, but they’re incomplete.

Bala

An ID Developer at Money Forward, Tokyo. Designing secure authentication solutions using OAuth2.0, OpenID, SAML, and Passkeys. Experienced in microservices, DevOps, and SRE optimizations. Passionate about building robust, secure identity systems.
